Let's Talk About Third-Party Risk

January 6, 2020 | 4 min read


Large companies have relied on third parties for decades. From supplier partnerships to the outsourcing of specific tasks, dependence on third parties has grown in frequency and scale as companies work to meet customer expectations and stay focused on their core areas of expertise.

Enterprise organizations are essentially a large network of interconnected business partners, any one of whom could serve as a vector for a cyberattack. Managing that risk is an important facet of an overall security program. Don't let third parties become the weakest link in your cybersecurity program.

In 2019, an attacker exploited a misconfigured web application firewall in Capital One's cloud-hosted infrastructure, exposing roughly 106 million customer records.

The theft of 11.9 million Quest Diagnostics records and 7.7 million LabCorp records, disclosed in 2019, was traced to a breach at the American Medical Collection Agency (AMCA), a billing and collections vendor used by both laboratories.

In December 2019, the Wall Street Journal reported that the Cloud Hopper campaign had compromised at least a dozen cloud and managed service providers (MSPs); customers of the affected MSPs included Rio Tinto, Philips, American Airlines, Deutsche Bank, Allianz and GlaxoSmithKline. Compromising an MSP's network gave the attackers a path into each of that MSP's customer networks, but the MSPs were understandably reluctant to admit it.

In 2013, Target was breached and the personal information of 70 million individuals was stolen. The attackers got in using network credentials stolen from a small heating and air conditioning contractor that Target used.

"The Economic Impact of Third-Party Risk Management in Healthcare Report," a survey of 554 healthcare IT and security professionals, found that the hidden annual cost of managing vendor risk is around $3.8 million per healthcare provider. On average, each healthcare provider has 1,320 vendors under contract, yet only 27% said they assess all of their vendors annually.

According to an Opus and Ponemon study, 59 percent of companies said they had experienced a data breach caused by one of their vendors or third parties. In the U.S. the figure is even higher at 61 percent, up 5 percentage points from the previous year's study and 12 points since 2016. What's more, many breaches go undetected: 22 percent of respondents admitted they didn't know whether they had suffered a third-party data breach in the past 12 months. Overall, more than three-quarters of organizations believe that third-party cybersecurity incidents are increasing.

Some, but not all, businesses have a process for assessing third-party risk, often developed with outside cybersecurity consultants. The process generally includes a questionnaire that scores potential risks based on your vendors' responses. In analyzing those responses, the business defines a process for closing the gaps and reducing the identified risks.

The steps taken include:

  • Vulnerability remediation
  • Incident identification and classification of risk
  • Role assignments and ownership of risks identified

What is Third-Party Risk Management?

Third-party risk management is the process of identifying, analyzing, and controlling the risks that vendors, partners, and other outside parties present to your enterprise.

What are Third-Party Risk Assessments?

Third-party risk assessments evaluate whether the third parties you work with expose your business to any risk factors. These assessments can identify outdated technologies or other gaps in a third party's security that could lead to disruption of business operations or losses for your enterprise.

There are many types of risk you face when you engage a third party:

Operational Risk: The risk of loss resulting from human error, inadequate processes or systems, and external events. Third-party relationships often increase operational complexity and expose the enterprise and its network to additional risk factors.

Transactional Risk: The risk arising from problems with service or product delivery, such as a third party's failure to perform as expected because of technological failure, human error, or even fraud. The lack of contingency plans increases transactional risk.

Strategic Risk: The risk arising from adverse business decisions, or from failing to implement appropriate business decisions in a manner consistent with the institution's strategic goals. Using a third party to perform basic functions, or to offer products or services that do not help the enterprise achieve its strategic goals and provide an adequate return on investment, exposes the enterprise to strategic risk.

Compliance Risk: The risk arising from violations of laws, rules, or regulations, or from noncompliance with the business's own policies, procedures, and standards. When a third party suffers a security breach involving customer information, in violation of the standards for safeguarding that information, it puts your business at risk.

Reputational Risk: The risk arising from negative consumer opinion. Business partnerships that result in security breaches, disclosure of customer information, or violations of laws and regulations can do lasting harm to the reputation of the business. Negative publicity involving a third party often creates reputational risk for any enterprise that partners with it.

Credit Risk: The risk that a third party is unable to meet contractual terms or to perform financially as agreed. The financial stability of the third party is a factor in assessing credit risk. Appropriate monitoring of third-party activity is necessary to ensure that credit risk is understood and remains within acceptable limits.

Other Risks: One benefit of engaging outside cybersecurity professionals to assess your third-party risk is that they can identify other types of risk introduced by the decision to use a third party, and provide a comprehensive list of the potential risks associated with a given third-party relationship.

A comprehensive third-party risk assessment helps you fully understand the risk your partners, suppliers, and vendors pose to your enterprise and to your network. Proactively reassessing that risk on a regular, ongoing basis, rather than only at contract signing, helps you stay secure as new third parties are onboarded and gain access to your systems. Engaging cybersecurity professionals can help you determine your exposure to risk and create a plan to manage it.