Third Party Risk: Your Hidden Security Blindspot
By Thomas Hamata and Job Angula
In December 2022, Uber, the global ride-sharing titan, disclosed a third-party data breach after cyber attackers leaked email addresses of Uber employees, along with details on IT assets and corporate reports, through an online post. The attackers executed the breach via an intrusion into one of Uber’s vendors, Teqtivity, an IT and technology asset management solution provider. The breach exposed sensitive information that could potentially enable targeted phishing campaigns against Uber's staff.
Yet, this incident was far from unique. It joined a chorus of similar high-profile tales of third-party breaches affecting enterprises such as SolarWinds, Microsoft and Okta, highlighting the need for rigorous third-party risk management (TPRM) in dealing with third-party services. Awareness around third-party risk is, however, growing: a 2023 survey by EY reveals that 90% of over 500 participants are actively enhancing the efficiency of their TPRM programs. This article explores the evolving realm of third-party risk management, offering key strategies for businesses to manage their external partnerships effectively throughout the entire relationship lifecycle.
Evolving business models and emerging risks
Third-party risk involves the potential for adverse events a company might face due to its reliance on external entities within its supply chain or ecosystem. With the evolution from self-sufficient corporations to businesses increasingly outsourcing non-core functions to third parties, the reliance on external partners like software vendors, IT service providers, and staffing agencies has increased significantly. This reliance extends a company’s risk profile and co-mingles it with the risks of its third-party partners, potentially leading to operational disruptions, financial losses, damage to reputation, and regulatory consequences, especially if a critical service provider is compromised.
While third-party relationships have always posed some level of risk to businesses, the likelihood and potential impact of these risks have significantly grown. This escalation is due to the expanded reliance on third parties, the growing complexity of supply chains, and the advancements in cyber attack methodologies. Consequently, any materialised risk at the vendor level can significantly impact the host company, leading to a reevaluation of the relationship from a risk management perspective and emphasising the importance of TPRM programmes.
Common pitfalls and best practices
A common approach to managing third-party risk is to request vendors to fill in a security questionnaire as a means to assess said vendor’s security posture. This often proves ineffective because the questions can be overly broad or overly detailed, not necessarily reflecting the specific risks relevant to the business relationship. Additionally, responses may not always be provided by individuals with the right expertise, risking inaccurate portrayals of the vendor's security posture.
Ultimately, the exercise tends to overburden both suppliers and customers, turning the process into a mere formality rather than a genuine, fit-for-purpose risk management exercise. Appropriately managing third-party risk therefore rests on five key tenets:
Due diligence - Before engaging a third party, rigorously evaluate their security practices and risk profiles to ensure alignment with your organisation's requirements and to proactively mitigate identified risks. This implies that you mature and set a baseline of your own security capabilities and requirements - asking a vendor to fill out an elaborate questionnaire when one’s own capabilities and risk practices are limited is counterproductive.
Clear contracts - Incorporate specific security and compliance expectations into contracts, including breach notification protocols and audit rights, to legally enforce adherence to set standards. Bear in mind that security is a mutual obligation; expectations regarding security in contracts should be enforced on both sides. This process must also include relevant business players like procurement and legal.
Continuous monitoring - Engagements with third parties do not end with an initial risk assessment - both the risks identified at the onset and those that may emerge later on must be monitored throughout the business relationship. Leveraging real-time monitoring tools to observe changes in third-party compliance and security, along with examining any available assurance reports from third parties, facilitates the quick detection and resolution of potential risks.
Open communication - Maintain open, regular communication with third parties to discuss security concerns, updates, and improvements, ensuring both parties are aligned on risk management practices. This is particularly important for key vendors and is best accomplished by contractually mandated scheduled performance review meetings and security updates.
Structured offboarding - The conclusion of a third-party contract marks the beginning of a critical offboarding phase, not its end. Establish a defined process and offboarding checklist for securely ending third-party relationships, to ensure that sensitive data is returned or destroyed, and access rights are revoked to protect against post-relationship vulnerabilities.
It's clear that as businesses evolve and expand their operational and digital footprints, reliance on third parties becomes inevitable, and the potential for and impact of third-party vulnerabilities will only continue to escalate. Effective third-party risk management requires more than just fleeting security questionnaires. It hinges on thorough vetting, definite agreements, consistent oversight, effective communication, and organised offboarding protocols. These practices ensure that third-party engagements do not become hidden liabilities but are instead harnessed productively while being managed proactively to safeguard against emerging threats and ensure compliance.