Growing Importance of Third Party Risk Management for managing Cyber Risk

Organizations today are not closed off, independent entities. They are hyper-connected parts of bigger collaborative ecosystems. While these open ecosystems may feel risky or complex to manage, the greatest risk organizations face is not leveraging the opportunities they present.

Risks associated with third-party service providers can pose significant threats to your business operations, your sensitive data, and your overall cyber resilience. A strong Third Party Risk Management (TPRM) capability allows your organization to understand and manage those risks.

Regulatory landscape

The European Commission recently enacted several laws and regulations to set a security baseline for outsourcing services to third parties:

  1. The NIS2 Directive, which requires organizations in several sectors to proactively manage third-party risks.
  2. The Digital Operational Resilience Act (DORA), which sets rules for ICT risk management, incident reporting, operational resilience testing, and ICT third-party risk management, covering:
    • Criteria for the identification of critical or important functions (CIF) to financial institution customers;
    • Requirements for financial institutions to ensure that, where contractual arrangements concern critical or important functions, they only enter into these agreements with ICT third-party service providers that comply, prior to concluding the arrangements, with the most up-to-date and highest information security standards;
    • Requirements for financial institutions to connect the CIF with the service supply chain and perform risk assessment and resilience testing on the connected providers' ICT environment; and
    • Exit strategies from the service supply chain.
  3. Guidelines of the European Banking Authority (EBA), the European Insurance and Occupational Pensions Authority (EIOPA), and the European Securities and Markets Authority (ESMA) on IT outsourcing, covering:
    • Which arrangements can be outsourced to third parties;
    • Criteria for setting service level agreements; and
    • The rights to audit the third-party provider.
  4. The National Bank of Belgium's (NBB) outsourcing regulatory framework, which mandates that third parties implement procedures that are:
    • Specific to banking and insurance companies; and
    • Performed on a recurring or continual basis.

Common challenges

As organizations increasingly rely on third parties, understanding and managing the security risks posed by those third parties is becoming increasingly complex. Some common challenges are:

  1. To determine which of the critical and important functions are outsourced to which third party, to identify the nature of the service outsourced within each function, and to continuously update this information across the organization, at group and at entity level.
  2. To determine which of the outsourced functions involve exchanging sensitive data with the third-party service providers.
  3. To identify who at the organization owns the relationship with the third-party service provider, and how to interact with the third party to assess cyber risk.
  4. To secure a budget for conducting third-party assessments and to identify the responsible owners among cyber security, procurement, vendor management, and the business users of the related outsourced functions.
  5. To define the adequate questions and security domains to include in the third-party assessment questionnaire, and the different standards to follow, so that the organization obtains the right level of assurance in an efficient and effective way.
  6. To minimize delays in third-party responses to the assessment, and to identify the adequate escalation channels within the organization.
  7. To ensure receipt of adequate evidence that allows your assessment team to make an adequate judgement on the third party's cyber security posture.
  8. To decide how to manage risks related to third parties that outsource further to fourth-party providers.
  9. To define a scoring mechanism that allows assigning different weights to the in-scope domains and questions depending on the criticality of the outsourced service.
  10. To make the third-party provider remediate the discovered security risks and control deficiencies, to track the remediation action plan, and to define a model for deciding which third-party providers require a more in-depth assessment and which domains should be assessed further.
  11. To define an approach for reporting to the regulators the root cause of a cyber incident that interrupted the provision of your organization's critical services, where the incident originated at the third party.
  12. To address non-compliance with pre-agreed security controls by the third-party provider and to adequately conclude on either maintaining the relationship based on the cyber posture of the third party, or identifying alternative providers that maintain continuity of business operations.

How can we help

We advise our clients on TPRM and can also help them to implement and operate the TPRM capability to increase cyber resilience.

Define the foundations for an effective TPRM capability, including the business case, strategy and operating model, as well as the processes, roles and responsibilities necessary to operationalize them.

Deliver the process and technology needed to run the TPRM capability, including training for TPRM resources as well as the evaluation, selection and implementation of specialized TPRM tools.

Outsource all or part of the TPRM function by leveraging our global network of experienced professionals and delivery centers to perform managed assessments and establish a mature TPRM function.

Case Study: Advise

Creating a third-party questionnaire with the right number of questions to cover the domains of information security, data privacy, and business continuity, and getting it responded to by providers in a timely manner. Additionally, setting up an approach for the TPRM assessment team to review and score the vendor assessments, place reliance on certifications (ISO 27001, SOC 2, CSA, PCI DSS, and HIPAA), and track and follow up on the progress of remediation by the providers.

Case Study: Implement

Providing training for IT and business assessors, and testing and installing a specialized TPRM tool to speed up the response time, increase the response rate, generate customized reports with remediation plans, and track the remediation actions of the providers.

Case Study: Operate

Assessing a large number of existing third parties (post-contract) through a managed assessment service, to deliver an assessment capability in compliance with relevant standards and regulations (ISO 27001, SOC 2, CSA, PCI DSS, and HIPAA). Reviewing vendor self-assessments to identify potential vulnerabilities within the third-party ecosystem. By evaluating the providers' security controls, policies, practices, and independent audit certifications, the client obtained an overall security, data privacy, and business continuity posture per provider, and was able to segment its outsourcing portfolio into brackets. This output allowed the client to define a customized follow-up plan per provider, ranging from in-depth audit, penetration testing, and activation of exit strategies for the non-performers, to negotiation of a remediation strategy with the medium performers, and a regular security assessment update with the good performers.

Useful links: