The U.S. Securities and Exchange Commission (SEC) recently introduced new requirements for publicly traded companies to notify the government when they are hacked. These reporting updates are designed to better inform investors about cybersecurity governance and practices at the companies in their portfolios.
Notably for third-party risk management programs, the new governance disclosures will require updates on risk assessments, with an emphasis on risks that the company may take on by using outside or third-party services. According to the proposed regulation, companies will also be asked about security audits, business continuity plans, and how cybersecurity fits into their broader business strategy.
For public companies that lack a formalized third-party risk management program, now is the time to add some structure to your processes. Here are 6 steps to take.
Start by determining how mature your existing third-party risk management (TPRM) processes are. We recommend leveraging the Capability Maturity Model to gain a snapshot of current processes. This maturity model evaluates five aspects of your TRPM program:
Grade each of the above areas on a scale of 1 (initial) to 5 (optimizing) to identify which need the most attention. Prevalent offers a complimentary TPRM maturity assessment service to guide you through this process.
Free TPRM Maturity Assessment
Work with Prevalent experts to get in-depth report on the state of your current TPRM program, plus practical recommendations for how to bring it to the next level.
You can’t manage what you can’t measure. Therefore, ditch the spreadsheets and inventory your vendors with a centralized platform. This will ensure that multiple internal teams can participate in vendor management and that processes can be automated for everyone’s benefit. You can either upload your existing vendor spreadsheets into a central platform, use an API to procurement systems or other systems of record, or have internal stakeholders complete a vendor onboarding form.
Once your vendors are centrally managed, conduct inherent risk scoring to build more comprehensive vendor profiles and to determine the appropriate frequency and scope of future assessments. As you profile and tier your third parties, consider attributes such as:
Once you’ve onboarded your vendors and scored their inherent risk, the next step is to conduct due diligence assessments. These assessments can vary according to the controls standards and compliance requirements important to your organization.
Here are some important things to consider when planning assessments:
Answering these questions will help you determine which collection method to use. For example, managing the collection yourself, taking advantage of repositories of pre-completed questionnaires, outsourcing collection to a partner, or some combination of each. Your organization’s level of resources and expertise will likely guide this decision.
Regardless of the collection method, take advantage of built-in recommendations to remediate risks down to a level that is tolerable to the business.
Periodic, questionnaire-based assessments are great, but they still leave gaps in visibility. You can cover these gaps by conducting continuous cyber monitoring of your vendors and suppliers. Typical sources of third-party cyber intelligence include criminal forums; onion pages; dark web special access forums; threat feeds; paste sites for leaked credentials; security communities; code repositories; and vulnerability and hack/breach databases.
However, not all attacks are signaled through the sources listed above. Changes in a company’s business behavior or financial performance can signal a strategy shift or lack of funding for cyber defenses. Accordingly, extend your monitoring to include public and private sources of reputational, sanctions and financial information such as:
You can monitor these sources separately or use a vendor risk monitoring solution to centralize unify these insights into your third-party risk program.
Since third-party risk management will be a key control focus in the new SEC requirements, it’s important to show progress toward achieving compliance with those requirements – for auditors both outside and inside your organization. Compliance reporting can be complex and time-consuming, so built-in reporting for common regulations and industry frameworks can speed and simplify the process.
Gaining visibility into each vendor’s level of compliance can make your reporting easier. Start by establishing a compliance “pass” percentage threshold against a risk category (e.g., X% compliant against a particular framework or guideline). All reporting will tie back to that percent-compliant rating, and your team can focus on subareas where compliance pass rates are low. Be sure to also conduct compliance assessments at a macro level across all vendors; not just at the vendor-level. Macro-level reporting will be important for your board as they seek to determine how compliant your organization is against the “flavor of the month” regulation.
Navigating the Vendor Risk Lifecycle: Keys to Success
This complimentary guide details best practices for successfully managing risk throughout the vendor lifecycle. See what we've learned in our 15+ years of experience working with hundreds of customers.
At the end of the day, having centralized vendor risk assessment data for all vendors in a single platform will:
Prevalent can help. Download Navigating the Vendor Risk Lifecycle: Keys to Success at Every Stage for more prescriptive steps and guidance, or request a demo
to discuss your needs today.