Knowing and understanding your third party ecosystem and the risk that ecosystem could present to your company should be a critical process in your risk management, if it is not already. An increase in breaches originating via third parties is becoming more impactful to corporate operations. In a recent study, The Ponemon Institute reported that 53% of organizations have experienced more data breaches caused by a third party, averaging a cost of $7.5 million for remediation. State government birth certificate applications for some 750,000 individuals were compromised, and later found to have been publicly accessible on a cloud with no security safeguards. Other examples of monumental breaches abound: https://www.normshield.com/major-third-party-data-breaches-revealed-in-january-2020/
Historically, the banking industry has been the leader in building management practices to respond to regulatory requirements around monitoring third parties. OCC Bulletin 2013-29 in particular states, in part, that:
- A bank should adopt risk management processes commensurate with the level of risk and complexity of its third-party relationships.
- A bank should ensure comprehensive risk management and oversight of third-party relationships involving critical activities.
Other financial regulations with similar language or intent include:
- OCC Advisory Letter 2000-9; February 2015; Third-Party Relationships: Risk Management GuidanceFFIEC Business Continuity Planning Booklet, Appendix J, Strengthening the Resilience of Outsourced Technology Services
- New York State Department of Financial Services cybersecurity regulation 23 NY CRR500.
Financial regulatory requirements in the US are not solely driving the need for risk-based third party management and continuous monitoring. Throughout the world, regulations are addressing the issue, such as:
- UK Bribery Act 2010
- Compliance Programs – Guidelines for Private Companies (Programa de Integridade: Diretrizes para Empresas Privadas)Germany’s Act on Combating International Bribery (IntBestG)
- AT 9 Outsourcing. August 15, 2013. Germany’s Federal Financial Supervisory Authority (BaFin)
- Outsourcing Risk Management. Monetary Authority of Singapore (MAS)
- United Kingdom’s Financial Conduct Authority (FCA), SYSC 8.1. General Outsourcing Requirements
More recently, privacy regulations are also addressing this need, including:
- European Union (EU) Regulation 2016/679, better known as the General Data Protection Regulation (GDPR).
- California Consumer Privacy Act (CCPA)
Given the ever widening regulatory landscape and their relationship to the growing trend of outsourcing critical functions, the workload for third party risk management teams continues to pile up to complete the requisite due diligence, including assessment and monitoring. Outsourcing is also multiplying to meet greater demands for lean organizations. In 2020, outsourcing is projected to be more than a $100 billion dollar industry in just the top three regions (superstaff.com, 2020). While there has been constant growth in this sector for several decades, outsourcing trends continue to boom, becoming more important for operation resilience (US Bureau of Labor Statistics, 2020; outsource2india.com, 2018).
In many instances, the inability to complete the perceived workload is blamed on the immaturity of TPRM programs, including the lack of adherence to industry standard best practices. High power consultants are available to review your program and identify an abundance of tools to increase your maturity. In Douglas W. Hubbards, The Failure of Risk Management (Second Edition), page 100, Hubbard refers to it as “Analysis Placebos” and often amounts to, as Hubbard calls it, snake oil.
TPRM maturity models, such as Shared Assessments VRMMM, provide checklists and other tools for guidance on next steps. In Jack Freund’s article on third party risk management https://www.fairinstitute.org/ , Freund outlines the process for putting a mature program into place. His statement on page 15 particularly hits the heart of the matter, “An advanced approach to third-party risk rating will reflect the economic impact of any third-party data compromise or interruption of service on enterprise business objectives. Fundamentally, the ideal methodology connects cybersecurity consequences to business goals.”
This brings me to the question I posed in the title of the article, “What is your “Risk-Based” approach to TPRM?” I attended a Third Party Cyber Security Risk Management conference recently and led a round table discussion about using a quantitative methodology in third party cyber risk. I kicked off the discussion by asking the participants how they ranked the risk of their third parties. Invariably, everyone gave examples more aligned with what Freund outlines in his paper as “classification.” An example of classification is the determination that a third party, which has access to data that contains personally identifiable information, falls under high risk based on the organization’s classification system. This criteria can be met and classification assigned without any underlying advanced analysis, showing the true economic impact of a cyber event at that third party. This is what I call a “classification-based” approach to risk management, not a true risk based approach.
In a classification-based approach, all assessment processes are conducted based on a given class, which may include factors such as voluminous control questionnaires, extensive contract language, policy reviews, on-site visits and a number of other processes that should be in place in a mature TPRM program. All of these processes can be complex, time consuming and expensive to both your organization and your third party. When you add the requirements some regulations impose for third party continuous monitoring, your team can become overloaded, miss important issues, and lose sight of the goal of reducing the uncertainty around your third party risk in the process grind.
Many organizations use this type of classification-based approach to implement the monitoring of internet facing controls of third parties, vendors Gartner refers to as security rating services. Many of these vendors market their ratings as actionable intelligence, however consumers using these ratings alone to take action on vendors will find that these ratings are not an actionable risk indicator. Rather, these ratings are just one more source of information that must be analyzed within appropriate context in order to understand the true risk posed by a specific third party. Furthermore, when you use information garnered from a classification-based approach to risk analysis, the amount of time and effort you will spend chasing fixes to failed control items can be extensive for both you and your third parties.
So, how can we move from a classification-based approach to a true risk-based approach? First, start with Jack Freund’s recommendation about understanding the true economic impact of engaging a third party.
To dig deeper, it’s important to establish a common definition for the term “risk.” In my recent blog, What exactly does the term RISK mean to you?, I use the definition from the FAIR© framework, ”the probable frequency and probable magnitude of future loss associated with a specific event,” or the “economic impact” as Freund describes it. Having agreed on this definition of risk, it is very easy to get started on understanding the economic impacts of your third parties, based on your existing work in classification.
This economic impact model is also built from classifications; however, it is more sophisticated due to its quantitative relationship to risks. Initially, vendors are classified by a number of key factors and, for the purposes of this paper, the risk focus surrounds cyber events.
First, identify every vendor you share or grant access to confidential data (this can be PII, payment transactions, etc. – you can add as many classifications as fit your business model). The next classification is for the type of network access, i.e., does the third party have persistent access to your network? Continue with, are vendors you have deemed business critical with a regulatory requirement demanding a specific action such as continuous monitoring? These vendors are probably the same group of third parties you are conducting extensive assessments on currently.
The next step is to conduct a qualitative risk assessment on this pool of vendors. If you choose a manual process (such as the one outlined in Hubbard’s “How to Measure Anything In Cyber Security Risk”), then start with your existing classification of High or Tier 1. If your organization’s enterprise risk management team has quantitative analysis experience, you may want to engage that team as they may have automated tools.
Another option is to use NormShield’s 3D Vendor [email protected]℠ platform, which automates the collection and calibration of breach, threat, vulnerability and numerous other data points used in the quantitative process. This will bring you closer to the goal of gaining an understanding of the potential economic impact of events occurring with your third parties. The information garnered from this platform provides the output required to make risk-based (economic impact) decisions on which third party risk management activities should be applied to a particular third party.
This level of effort allows you to move to a true risk-based impact view versus a classification-based approach to risk management. With this information in hand, we can now further improve our understanding of third party risk by aligning a given third party engagement to the corporate risk appetite/tolerance levels. Because every business will have a different view on what risk they are willing to take in order to conduct business, this step is essential to completing the process. When you understand the organization’s risk appetite, or the extent beyond the appetite the business is willing to tolerate, you can make more informed decisions on where to best expend precious TPRM resources and better reduce the uncertainty of your risk exposure.
We will not go into the process of determining risk appetite in this paper, as there are numerous excellent resources already available. Douglas Hubbard’s “The Failure of Risk Management – Why It’s Broken and How to Fix It,” is one of the best pieces on the subject and details defining risk appetite, the value it presents in analysis and how to effectively discover the information in your organization.
In a perfect world, every third party’s risk would fall at or below your organization’s risk tolerance, a necessary goal for your program. In reality, a classification-based risk program doesn’t connect with or reflect your business goals; rather a classification-based risk program is a qualitative attempt to show some type of risk metrics. By establishing a connection to corporate risk appetite, you can make decisions that meet business needs. If your program has not yet matured to this stage, there are things you can do to still connect to your business criteria and overarching goals.
Corporate risk appetite combined with building a process flow based on impact level can be ranked on a scale at or below risk appetite, within risk tolerance, or over risk tolerance. When the economic impact is expressed as falling within one of these three distinctions, a specific workflow can be followed to better quantify potential impact.
For example, if the impact is at or below risk tolerance, then follow a specific set of actions, such as:
- Monitor for events that would raise economic impact levels beyond tolerance.
- Perform a specific periodic review (such as an annual questionnaire or artifact collection.
- Acquire cyber insurance to cover the potential impact.
- Execute other actions that may be classification specific.
In the event a third party is above risk tolerance then another set of actions would be triggered, for example:
- Conduct a more thorough assessment that may include an onsite visit, penetration test, third party certification, etc.
- Conduct internal reviews on the engagement model for remediation
(e.g., Lower number of records shown, disallow network connection. etc.).
- Review cyber hygiene of the third party to identify items that if remediated would reduce economic impact.
- Undertake other actions that may be classification specific.
A process for those third parties that are above risk appetite but within risk tolerance could also trigger a set of predetermined actions, such as:
- Collect control questions to enhance the accuracy of the impact assessment to determine if impact raises or lowers.
- Continuously monitor the third party for changes to posture.
- Acquire cyber insurance to cover the potential impact.
These actions are suggestions only, and your process should be determined by your business requirements including internal policy, regulatory requirements, and corporate culture. If you are unsure of what best practices to follow there are a number of resources you can reference. I highly recommend visiting https://sharedassessments.org/ where you will find a wealth of studies, white papers, industry knowledge and tools. One tool you should be using is the Vendor Risk Management Maturity Model Tools (free at the site).
If you are still in the process of learning your corporate risk appetites, other sources of information are available in the meantime. Third party engagements that meet the classifications we have outlined above will most likely have information obtained in the procurement process, which can be used until risk appetite becomes part of the process. Oftentimes, a business impact analysis may have been conducted, or a cost-benefit analysis is available. This information can help you reduce the uncertainty surrounding the risk profile of a particular third party.
Let’s take a vendor, whose cost-benefit analysis reveals the value of the engagement is far less than the economic impact your analysis indicates. Clearly, you would want to engage the business in a discussion, the starting point for understanding what the acceptable loss might be in this instance.
Using a true risk-based approach, one which moves beyond classification and provides an economic impact perspective of profit and loss for each unique vendor or vendor type, puts you on the same page as the business. If you use terms like “high cyber risk” or “insufficient technical scores” when bringing a problematic third party to the business, it creates churn and resistance. After all, while your focus is risk management, their focus is the business of conducting business, boiling down to profit and loss. Those colleagues who are responsible for cost-benefit analyses will be very open to this approach when you propose requests for support, as opposed to the security department knee jerk response that is often received when requesting resources – an emphatic “NO.”
Once you build a mature third party risk management program based on risk, you will have a program understood by the board, in line with business goals, and defensible to any auditor or regulator.