As the rapidly changing risk and regulatory environment continues to challenge risk management capabilities, cybersecurity is emerging as a key issue for governing boards to consider. Much of the cybersecurity conversation, however, has been focused on internal risks. A significant governance gap remains when it comes to vendor cybersecurity, and boards need to broaden their thinking in this area.
The latest Vendor Risk Management Benchmark Study from the Shared Assessments Program and Protiviti found high board engagement and understanding of cybersecurity risks relating to business and internal operations at 42 percent of companies surveyed, up from 39 percent a year ago. However, only 29 percent of respondents could say the same when it came to their board’s understanding of vendors, compared to 26 percent reported in 2016.
This is a significant gap as more companies turn to external partners — for innovation, automation and business process outsourcing. Businesses rely on these partnerships to stay competitive. The problem is that many of these innovative vendors are less mature in their cybersecurity capabilities, and their vulnerability can present significant risks to the businesses they partner with.
There has been an increasing regulatory focus over the past few years on so-called “third-party” risks. But “third-party” these days is a misnomer. As shared applications connect to networks on shared platforms and shared infrastructure and are accessed by innumerable users and devices, the sphere of vendor risk expands outward to fourth, fifth, sixth and further parties.
The very real implications of these dependencies played out earlier this year with the WannaCry ransomware attack, which locked down 230,000 computers in more than 150 countries within 24 hours, wreaking global havoc. This raised enough concern among some companies — especially in healthcare, where human life was at risk — that they are considering eliminating third parties outright, a new “de-risking” trend reflected in the survey results. More than half of survey respondents said they are extremely likely or somewhat likely to exit their third-party relationships, for reasons ranging from the need to assess third-party subcontractors to a cited lack of the skills or resources needed to perform vendor assessments and ensure that risks are at an acceptable level. This trend is most pronounced in the healthcare industry, among both payers and providers.
While attempting to limit cyber risk is understandable, companies that bring operations in-house can potentially face other significant risks — such as the risk of falling behind the innovation curve and not taking advantage of new technologies or efficiencies third parties provide. At the same time, a wait-and-see approach is equally misguided, exposing organizations to potential third-party cybersecurity risks while they weigh the pros and cons of their next steps.
A more rational and sustainable response is to increase board engagement while also taking a more nuanced look at risk mitigation. Assessing each third party in the context of the business process(es) it supports, and focusing on a risk-based approach to cybersecurity, should not be news to anybody, but it bears repeating. Since data security is the primary driver of de-risking for many organizations, the effort should be focused on developing a sound risk management framework, classifying the “crown jewels,” and identifying the threat actors and inherent/residual risks, all of which need to be revisited frequently, rather than on wholesale elimination of vendors — which for many companies today could be a strategic business risk in itself. In today’s connected society, sensitive data is going to flow, with increasing regularity, through third-, fourth- and even fifth-party vendors. Good data governance, including strong vendor risk management, will be table stakes to remain competitive in the marketplace of the future.
One example of reducing third-party risk without pulling the plug on the vendor comes from the heavily regulated financial services industry (FSI), where traditional banks are increasingly partnering with newer fintech companies to drive innovation. FSI regulators are encouraging “responsible innovation” through the creation of “sandboxes” — innovation test beds that use test data to advance technology through simulations that don’t place customer data at risk.
Other companies are partnering with outside consultants to assess, prioritize and remediate third-party cybersecurity risks.
In the end, a good vendor cybersecurity risk management program is one that is fit for purpose, focused on the crown jewels, and tailored to the organization’s maturity level and risk appetite. It considers the reputational and financial risks of a third-party breach and includes a tested incident response plan, with a communications component for customers, the media and shareholders, in case of a vendor breach.
With more technologies and companies moving to the cloud, and with the interdependencies of vendors and sub-vendors, third- (and fourth- and fifth-) party cybersecurity is only going to grow more complex. Relationships are going to become more entwined. Data is going to be out there, in the control of someone under contract. The best that companies can do over the long term is to develop their risk management frameworks and get their boards “on board,” thinking and asking hard questions about these relationships and about what the organizations are doing to classify, govern and protect their sensitive data, wherever it may reside and roam.