What are the gaps in your third-party risk management program?
Most businesses rely on vendors and suppliers to operate efficiently and reduce costs, and these vendors are an integral part of a company’s ecosystem. The company gives these vendors varying degrees of access to its network and/or shares sensitive data with them. This exposes the business to third-party and fourth-party cyber security risks, because any negligence on the part of a vendor can expose the company’s data and disrupt its operations.
Morgan Stanley’s 2016 data security incident is one case that demonstrates the need for an effective third-party risk management process. What seemed like a typical IT asset disposition (ITAD) contract turned out to be a costly deal for the financial giant because of data mismanagement by one of its vendors. According to Morgan Stanley’s recent disclosures, its data center decommissioning project was outsourced to Triple Crown, which in turn sold the devices to an ITAD company called AnythingIT. Instead of being wiped and destroyed, the retired devices were sold to a used device marketplace and resold to consumers online, with Morgan Stanley’s data still present on their storage drives. As a result, the company not only drew a $60 million data mismanagement fine from the U.S. Treasury Department but also suffered serious reputational damage.
Oftentimes, we direct all our resources and expertise toward building an effective security system within the organization and overlook outside threats such as those coming from third-party vendors. A Soha Systems survey found that 63% of all data breaches are a direct or indirect result of third-party failures. On top of that, recent supply chain attacks like the SolarWinds hack and the Kaseya ransomware attack have exposed security vulnerabilities in third-party services. It is important to remember that vendors are given access to secure systems and sensitive information, which makes the vendor’s services an extension of your company.
When dealing with sensitive data under the GDPR, the data controller is responsible for its own compliance and for the compliance of its data processors. So, if a third party is not compliant with the GDPR guidelines, you may end up in regulatory and legal trouble because of their negligence.
As an organization that is part of the wider supply chain network, you are only as strong as your weakest link. In the case above, Morgan Stanley had contractually obligated the third-party vendor to follow its policies. However, once the contractual terms are established, it is still necessary to verify that the vendor is actually adhering to security best practices and complying with regional regulations.
To evaluate vendors, you need to bring assurance into practice. Contracts outlining the business relationship between the organization and the vendor may require ongoing monitoring of vendor performance to ensure that the contract stipulations are met. An evaluation of the vendor’s privacy and security programs gives you the assurance needed to protect your systems from back-door attacks through the vendor. Contracts and agreements may look good on paper, but that is rarely enough in practice: assurance activities can uncover deviations from the contract and identify gaps.
Even large vendors with large ecosystems are prone to hacks and breaches, so it is important to ensure that the vendor meets your requirements irrespective of their size and reputation. For instance, the SolarWinds breach highlights “the challenge of ensuring the security of outside providers and the risk of extensive dependence on products from a single company.”
A well-thought-out risk management program is much more than a set of technical security requirements. Defending a business from third-party risk is different from protecting servers: you need an accurate understanding of the risk each vendor introduces, confirmation that the vendor meets your requirements, and adequate controls and contingency plans to protect against the critical risks. Companies tend to focus on the technical requirements alone and underinvest in reducing complexity across their whole value chain. The result is an inefficient system.