State of Third Party Risk Management in Namibia
By Job Angula
According to OneTrust, third-party risk management (TPRM) is a type of risk management that focuses on identifying and mitigating risks associated with the use of third-party vendors (sometimes referred to as vendors, suppliers, partners, contractors or service providers). Changing business requirements, adopting complex technology, and the lack of internal skills make businesses contract third-party service providers. The usage of third-party service providers could introduce new attack vectors, exposing the company to new threats and vulnerabilities. This article highlights the importance of third-party risk management, the impact of cyberattacks and the need for cybersecurity regulations.
Namibia has no law mandating publicly traded firms and critical state-owned enterprises to have a third-party risk management framework. As a result, it is not common practice to request third-party assurance reports from service providers. In addition, service level agreements typically lack right-to-audit clauses. How many foreign service providers does the government/private sector conduct business with? Think about critical infrastructure such as telecommunications; how do we know that foreign service providers are not installing backdoors and listening to conversations, monitoring internet traffic, or engaging in other nefarious activities? Implementing regulation to ensure that third-party service providers issue third-party assurance reports prepared under international standards such as the International Standards on Assurance Engagements (ISAE) could address the questions above.
Management should ensure that any prospective service provider has adequate controls to protect the confidentiality, integrity, and availability of their data and the services provided by the service organisation. Management should request a third-party assurance report prepared per international standards, such as a SOC 1/2 or ISAE 3402 Type I/II report. A third-party assurance report stems from an audit performed by a reputable and independent audit firm. The purpose of the report is to provide assurance and comfort to the customers of the third-party service organisation that the service provider has adequate internal controls in place to safeguard the confidentiality, integrity, and availability of the customers' data. These reports include the independent auditors' opinion on the effectiveness of the service organisation's internal control environment. Management should ensure that the report covers the services they receive from the service organisation and that key control objectives such as logical access, physical access, and change management controls are present and effective. Businesses that provide outsourced services should begin preparing third-party assurance reports to reassure their customers that they have adequate controls in place. The preparation of a third-party assurance report demonstrates the maturity of your organisation and provides you with a competitive advantage.
Third-party risk management should be a vital component of an organisation's information security program. Management should conduct thorough risk and business impact assessments to understand the risk posed by the third-party service providers the organisation has relationships with and implement adequate measures to mitigate such risks.
Advanced persistent threat (APT) attacks, in which an unauthorised user gains access to a system, remains undetected for a prolonged period and mines sensitive data, are drawing ever closer to home, as seen in South Africa, for example. According to News24, a recent major cyberattack at Transnet brought port operations to a halt in South Africa. How can we quantify the monetary impact of such an attack? What would happen to our economy if critical infrastructure such as telecommunications, financial institutions (particularly local institutions), and power providers were compromised and brought to a halt for several days? I recognise that NamCode (Namibia's corporate governance code) emphasises the importance of information technology governance; however, as a nation, we must prioritise cybersecurity as our dependence on information technology grows. Furthermore, we need to invest in and develop the skill sets required for us to manage cyber risks effectively.
Let us not mistake the lack of reported attacks for solid security measures. According to WeeTracker, Namibia is the African country with the highest number of cybercrime attacks. Unfortunately, we will never know the exact number of cyberattacks committed in Namibia because organisations have no requirement to report cyberattacks. How much money is lost as a result of cybercrime each year? One can only speculate. We cannot prevent attacks from occurring, but we can put appropriate safeguards in place and respond quickly when such attacks occur.