An effective third-party risk management program includes more than just conducting regular internal control-based assessments of vendors and suppliers – it must also incorporate continuous risk insights
to fill the gaps between those assessments and to validate that the controls a vendor claims to have are present and effective. Yet, for many organizations, third-party risk management (TPRM) is an either-or proposition: periodic assessments or continuous monitoring, rarely both.
In this post we examine:
As you consider integrating threat intelligence into your regular vendor security controls assessments, incorporate the following types.
Usually the most familiar type of external vendor insight, cyber threat intelligence provides a view into a third party's security posture, exposed vulnerabilities, and breach history. These insights help you judge whether the controls the third party claims to have are actually in place and working.
Common sources for this data include criminal forums; onion pages; dark web special-access forums; threat feeds; paste sites for leaked credentials; security communities; code repositories; vulnerability databases; and data breach history databases.
Business news, merger and acquisition (M&A) activity, management and leadership changes, competitive news, and new offerings can tell you if the third party is a well-run organization that has a viable long-term strategy.
You can gather information on these topics from public and private sources of operational information; news feeds; business news databases; and corporate websites.
Information on a vendor's financial performance, turnover, profit and loss, shareholder funds, credit ratings, payment history, bankruptcies, and investments demonstrates whether the third party is a going concern that is financially healthy and able to meet its commitments. Poor financial results can signal coming budget cuts, which in turn can degrade security operations.
Credit ratings agencies; financial reporting websites; and news outlets are common sources of this information – and much of it is free.
The old saying goes: You're only as good as the company you keep. Reputational insights such as adverse media and negative news coverage; regulatory and legal sanctions; dealings with state-owned and government-linked enterprises; and relationships with politically exposed persons (PEPs) can help your company get ahead of potentially damaging relationships.
Sources of reputational information are varied. You can gather it from news coverage; sanctions lists (for example the U.S. Department of the Treasury Office of Foreign Assets Control (OFAC) list, the UK Sanctions List, and the EU Consolidated List of Sanctions); court filings; PEP screening resources (such as FFIEC guidance and commercial databases like LexisNexis); and many other outlets.
The downside to continuously monitoring for third-party risks is that there is no one-stop shop for threat intelligence, so many companies are forced into a somewhat disjointed approach to gathering and analyzing this data.
There are four primary ways that external threat intelligence can help to mitigate third-party risk.
If a third-party vendor reported in its security assessment, or provided evidence in a security certification (such as ISO 27001 or SOC 2), that it enforces a strong password policy, but external threat intelligence shows that vendor user IDs, passwords or admin credentials are for sale on the dark web, then you can reasonably conclude that the attested control is not working as claimed (or, perhaps, that the vendor's phishing or security awareness programs need to be improved). Treat the finding as a discrepancy to raise with the vendor rather than a verdict: leaked credentials can also come from password reuse on unrelated sites or from infostealer malware on an employee device, so ask what the vendor's evidence actually covers.
Threat intelligence can be used to get a picture of the risks that a potential vendor introduces to your environment. For example, during the sourcing and selection phase of a third-party vendor or supplier relationship, intelligence on prior data breaches, security incidents, compliance problems, sanctions, etc. can inform supplier selection decisions. A vendor with a low security score might not match your organization's risk tolerance.
If your organization performs an annual security assessment on its third parties, external threat intelligence can fill the gaps between those annual assessments, so you are not missing out on potentially critical threats as they emerge.
In most organizations, there is a subset of vendors considered critical, and your organization should complete regular comprehensive security assessments of those vendors. For vendors considered non-critical or lower tier, a lighter assessment is often all that is performed, which leaves continuous monitoring as the main source of insight into them. A profiling and tiering exercise will help you determine how to treat each vendor based on, for example, whether it is critical to your company's operations or handles sensitive customer data.
A common approach is to look at each intel source in its own silo, but doing so negates the benefit of gathering all that information. Instead, centralize all of these sources of threat intel in a single risk register, normalizing each feed's native format into one common record so the data can be transformed into meaningful results. This approach lets you add risk quantification and context – such as mappings to security frameworks and compliance controls – to prioritize risks and the resulting remediation activities. It also enables correlation with assessment results, so that an attested control can be checked against what external intelligence shows. This greatly streamlines risk review, analysis, reporting and response.
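To make the register idea concrete, here is a small added example (not code from the original post or from any product) that does the three things described above and in the password-policy scenario earlier: it normalizes events from several feeds that each have their own schema into one record, maps each event to a control identifier, flags cases where external intel contradicts what the vendor attested in its assessment, and ranks vendors by a tier-weighted score. All vendor names, feeds, events, control IDs and weights are constructed for illustration.

```python
"""Added example: a minimal centralised third-party risk register.

Intel from several feeds (each with its own schema) is normalised into one
Finding record, mapped to a control ID, correlated with the vendor's own
assessment claims, and rolled up into a tier-weighted score per vendor.
Every vendor, feed, event, control ID and weight here is constructed for
illustration; none of it is real data or a real product's API.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Finding:
    """One normalised record per piece of intel, whatever its source."""
    vendor: str
    source: str      # feed the event came from
    category: str    # cyber | operational | financial | reputational
    control: str     # hypothetical control ID the event is evidence against
    severity: int    # 1 (low) .. 5 (critical)
    summary: str


# Hypothetical mapping of event type -> (category, control ID, severity).
EVENT_MAP: Dict[str, Tuple[str, str, int]] = {
    "leaked_credentials": ("cyber", "AC-PASSWORD-POLICY", 4),
    "exposed_admin_panel": ("cyber", "NET-EXTERNAL-EXPOSURE", 3),
    "breach_disclosed": ("cyber", "IR-BREACH-HISTORY", 4),
    "credit_downgrade": ("financial", "FIN-GOING-CONCERN", 2),
    "sanctions_hit": ("reputational", "GOV-NO-SANCTIONS-EXPOSURE", 5),
}

# Tier from a profiling exercise; critical vendors weigh more in the score.
TIER_WEIGHT = {"critical": 3.0, "standard": 2.0, "low": 1.0}

# --- constructed sample feeds, each in its own native shape -------------
DARK_WEB_FEED = [
    {"org": "Acme Payroll", "type": "leaked_credentials",
     "detail": "37 logins incl. one admin account in a combo list"},
    {"org": "Acme Payroll", "type": "exposed_admin_panel",
     "detail": "RDP reachable from the internet"},
]
NEWS_FEED = [
    {"company": "Globex Logistics", "tag": "credit_downgrade",
     "headline": "Globex downgraded to B-"},
    {"company": "Acme Payroll", "tag": "breach_disclosed",
     "headline": "Acme notifies customers of data breach"},
]
SANCTIONS_FEED = [
    {"name": "Initech Ltd", "tag": "sanctions_hit", "list": "example sanctions list"},
]

# What each vendor attested in its last assessment (True = control in place).
ASSESSMENT_CLAIMS = {
    "Acme Payroll": {"AC-PASSWORD-POLICY": True, "NET-EXTERNAL-EXPOSURE": True,
                     "IR-BREACH-HISTORY": False},
    "Globex Logistics": {"FIN-GOING-CONCERN": True},
    "Initech Ltd": {"GOV-NO-SANCTIONS-EXPOSURE": True},
}
VENDOR_TIER = {"Acme Payroll": "critical", "Globex Logistics": "standard",
               "Initech Ltd": "low"}


def _make(vendor: str, source: str, event_type: str, summary: str) -> Finding:
    category, control, severity = EVENT_MAP[event_type]
    return Finding(vendor, source, category, control, severity, summary)


def normalise(dark_web, news, sanctions) -> List[Finding]:
    """Transform each feed's native schema into the shared Finding record."""
    findings = [_make(e["org"], "dark_web", e["type"], e["detail"]) for e in dark_web]
    findings += [_make(e["company"], "news", e["tag"], e["headline"]) for e in news]
    findings += [_make(e["name"], "sanctions", e["tag"], e["list"]) for e in sanctions]
    return findings


def contradictions(findings, claims) -> List[Tuple[str, str, str]]:
    """(vendor, control, source) for every finding that contradicts a control
    the vendor attested to having; de-duplicated, in feed order."""
    out: List[Tuple[str, str, str]] = []
    for f in findings:
        if claims.get(f.vendor, {}).get(f.control) is True:
            key = (f.vendor, f.control, f.source)
            if key not in out:
                out.append(key)
    return out


def score(findings, claims, tiers) -> Dict[str, float]:
    """Tier weight x (severity + 2 if the finding contradicts an attestation),
    summed per vendor: a control claimed but not working outranks one never claimed."""
    contra = {(v, c) for v, c, _ in contradictions(findings, claims)}
    scores: Dict[str, float] = {}
    for f in findings:
        weight = TIER_WEIGHT[tiers.get(f.vendor, "low")]
        bonus = 2 if (f.vendor, f.control) in contra else 0
        scores[f.vendor] = scores.get(f.vendor, 0.0) + weight * (f.severity + bonus)
    return scores


def prioritise(findings, claims, tiers) -> List[Tuple[str, float]]:
    """Vendors ranked highest risk first (ties broken by name)."""
    return sorted(score(findings, claims, tiers).items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    fs = normalise(DARK_WEB_FEED, NEWS_FEED, SANCTIONS_FEED)
    for v, c, s in contradictions(fs, ASSESSMENT_CLAIMS):
        print(f"{v}: attested {c}, but {s} intel says otherwise")
    for v, s in prioritise(fs, ASSESSMENT_CLAIMS, VENDOR_TIER):
        print(f"{s:6.1f}  {v} ({VENDOR_TIER[v]})")
```

The contradiction check is the register's payoff: the same leaked-credential event is a routine finding for a vendor that never claimed a password policy, but a discrepancy to raise in the next vendor conversation when the vendor attested to one. In practice the control IDs would be your own framework mapping (for example to ISO 27001 or SOC 2 criteria) and the weights would come from your risk-appetite statement.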
As we learned in the 2023 Third-Party Risk Management Study, there is a significant gap between the number of companies tracking risks and the number remediating them. So the value of using risk intelligence in your TPRM program comes down to risk appetite and remediation. If a vendor's risk score exceeds your appetite, then you have to recommend (or require) specific remediations to be implemented in order to continue doing business with it, or require specific compensating controls to be put in place. Whichever approach you take, a two-way dialogue with the vendor is essential to actually reducing the risk.
Third-party risk intelligence will become increasingly important in order to keep up with changing regulatory requirements and an evolving threat landscape, and advanced analytics and machine learning can be applied to surface risks currently lurking unseen in your supply chains.