If you are an executive or a member of your company’s board of directors, third-party risk management should be top of mind.
Here are five things you need to know:
1. Contracts are no longer enough to protect the business.
Contracts are incredibly important; however, they do not provide the visibility you need to reduce the risks associated with data breaches. Achieving proper visibility and monitoring your third-party vendors’ compliance with cybersecurity regulations and best practices is now a requirement of many regulatory and security guidelines, including PCI 3.0, OCC, HIPAA Omnibus, and the SEC.
It is important to note that, to meet these regulatory and data security requirements, your third-party vendor contracts should include language that expressly grants you the right to perform an assessment, as well as the authority to monitor your third-party vendors on an ongoing basis.
2. A breach of your client’s or patient’s data at a third party is YOUR responsibility.
The notion that outsourcing a business function eliminates your responsibility for the security of your customers’ data is no longer an acceptable business practice. Due diligence with third-party vendors that have access to sensitive data is often seen as the only way to reduce your risk, understand areas for improvement, and show due care. Certain regulatory bodies automatically associate a lack of due care and due diligence with increased liability (and costs).
3. A single, point-in-time assessment is no longer sufficient.
Most third-party risk management programs begin as a compliance effort, with point-in-time assessments completed during or immediately after the contracting process. In many cases, this was the one and only time an assessment was performed. The pace of technological innovation is staggering. Organizations of all sizes are moving more data to the cloud and to mobile applications. While this may increase efficiency and reduce costs, wouldn’t you want to know this had happened at a service provider before you receive a breach notification? Performing ongoing assessments and threat monitoring exercises is now required to better understand the constantly evolving risks posed to your data by third-party vendors.
4. Third-party risk should be part of your cybersecurity plan.
Third-party risk management is a security function as well as a compliance requirement. When your cybersecurity plan focuses only on internal security, you risk missing 50% of the problem. Numerous studies have shown that third parties represent between 40% and 80% of the risks associated with data breaches. Ensuring broad cybersecurity coverage means understanding the risks posed both by your third-party providers and by their providers (fourth parties).
It is also important to note that understanding where your data is, both internally and externally, helps you isolate your risks and understand where you must focus your efforts.
5. Your CISO (or equivalent) should report these risks directly to the board.
You must take steps to ensure that you, your management team, and your board of directors are getting the information needed to make timely decisions, reduce the risk of a data breach, and protect your brand. One way to achieve this is by aligning spending with security priorities that often take a back seat to other technology initiatives. This will also help reduce the friction among your executives when it comes to spending priorities.
The reality is that a successful CISO who has reduced the security risks of a business may not look efficient on the surface. But dig deeper and you will see that they are helping save the company tens to hundreds of millions of dollars in lost revenue, fines, and damage to your brand through the prevention of third-party data breaches. Speaking directly with your CISO will help you better understand the risks so that you can make decisions and align spending.
Remember that crisis situations often lead to snap decisions that can create more problems in the long run. Decide now, and prepare a plan for what you, your management team, and your board of directors will do to protect your business and reputation, should your business be hit with the unthinkable.
“As a CEO or board member, if you are not considering the security risks at your vendors, you should be dusting off your resume.” – Jonathan Dambrot, CEO and Co-Founder of Prevalent, Inc.