What are the gaps in your third-party risk management program?
Most businesses rely on vendors and suppliers to operate efficiently and reduce costs, and these vendors are an integral part of a company's ecosystem. The company grants these vendors varying degrees of access to its network and/or shares sensitive data with them. This exposes the business to third-party and fourth-party cyber security risks, since any negligence on the part of a vendor can expose the company's data and disrupt its operations.
Morgan Stanley's 2016 data security incident is one such case that establishes the need for an effective third-party risk management process. What seemed like a typical IT asset disposition (ITAD) contract turned out to be a costly deal for the financial giant due to data mismanagement by one of its vendors. As per Morgan Stanley's recent disclosures, its data center decommissioning project was outsourced to Triple Crown, which sold the devices to an ITAD company called AnythingIT. Unexpectedly, the retired devices were instead sold to a used device marketplace and resold to consumers online, with Morgan Stanley's data still present on their storage drives. This not only brought the company a $60 million data mismanagement fine from the U.S. Treasury Department but also caused it serious reputational damage.
Oftentimes, we direct all our resources and expertise toward building an effective security system within the organization and overlook outside threats such as those coming from third-party vendors. A Soha Systems survey found that 63% of all data breaches are a direct or indirect result of third-party failures. On top of that, recent supply chain attacks such as the SolarWinds hack and the Kaseya ransomware attack have exposed security vulnerabilities in third-party services. It is important to remember that vendors are given access to secure systems and sensitive information, which makes their services an extension of your company.
When dealing with sensitive data under the GDPR, the data controller is responsible for its compliance and the compliance of its data processor. So, if your third party is not compliant with the GDPR guidelines, you may end up in regulatory and legal trouble due to their negligence.
As an organization that is part of the wider supply chain network, you are only as strong as your weakest link. In this case, Morgan Stanley had contractually obligated the third-party vendor to follow its policies. However, once the contractual terms are established, it is still necessary to verify that the vendor is adhering to security best practices and complying with regional regulations.