Facebook suffered two separate data breaches in 2019 that were traced to third-party companies that lacked sufficient controls to protect authentication credentials, Wired reports. One third party left 540 million access credentials exposed on a publicly accessible server, and a second company did not protect 22,000 user IDs and passwords.
These two incidents illustrate why organizations should be concerned about vetting the cybersecurity posture of their third-party suppliers and partners. Third-party data breaches accounted for 32% of the information disclosure incidents in 2019, exposing more than 4.8 billion records, notes Risk Based Security, a threat intelligence firm in Richmond, Va. Also, the costs from the average third-party breach are twice what a normal breach costs because of the impact to a company's brand, loss of business, and possible stock price devaluation, according to New York-based cybersecurity risk-rating firm Security Scorecard. Overall costs of failing to effectively vet and evaluate third parties can be well over $1 million.
To avoid such incidents, organizations need a methodology to assess third parties' technological risks and determine what controls are required to reduce the likelihood of a security breach. Internal auditors should pay special attention to such a methodology and work with vendor management and information security to scrutinize compliance with such controls to help harden the process and reduce the likelihood of a third-party data breach.
Managing Third Parties
To effectively assess a third party's technical risks, the organization first should determine the level and volume of third-party involvement it will depend on to deliver business functionality. These decisions from senior executives and the board are necessary to ensure the organization is not saddled with subpar vendors. Otherwise, sourcing, procurement, information security, IT, and other dependent departments could constantly struggle to achieve satisfactory results.
Next, the organization can set up the departments needed to begin the transformation to work with third parties. At this stage, the organization should establish a sufficiently staffed and experienced third-party management team to evaluate every facet of potential vendors' capabilities to ensure the overall risk is acceptable. This team should establish a review process including the overall approach, standards, guidelines, process, and procedures it will use to categorize and rate each vendor's technology risk profile. Internal audit should review the process, controls, and assurance requirements to strengthen the security of the third-party management operation.
Establish a Third-party Rating System and Procedure The approach to developing a third-party rating system should be comprehensive and based on risk, starting with the most critical systems affecting business continuity. The rating system should define what it means to be 1–IT business critical, 2–IT supporting, 3–IT ancillary, or 4–non-IT related.
The next task is to gather a list of all third parties the company is doing business with or plans to do business with, which can be obtained from the legal and procurement functions, contracts, or other sources. Finally, the team should establish a vetting process in which key IT and business leaders rank and categorize the list of third parties. This vetting can help determine what a company should focus on first, second, and third — and which third parties do not require attention.
Establish Assessment Criteria In parallel to creating the rating system, the third-party management team should establish a procedure and assessment criteria to vet third parties' capabilities and establish a security boundary. These criteria should provide an overview of each third party before assessing its cybersecurity controls, which will flush out its technology risks.
Establish a Document Collection Procedure The team should determine what base and industry documents are required to verify the IT risks of any third party. These documents help reviewers confirm the appropriate controls exist based on a third-party rating. Organizations should work with their legal, information security, internal audit, and IT functions, as well as business units, to ensure they have a comprehensive set of documents to accurately evaluate each third party.
The documents needed are based on the third party's rating. For example, if the firm is rated as 1–IT business critical, then the team should consider appropriate artifacts for review and approval before beginning or continuing to conduct business with the company. Such documents include IT and information security policies, System and Organization Controls I and II reports, business continuity and disaster recovery plans, a physical access report, a penetration test result, and a cloud management report. If the third party is rated 2–IT supporting or 3–IT ancillary, it may not require all of those documents because the information or hardware shared is less sensitive.
Develop Cybersecurity Controls Assessment Criteria and Procedure The team should assess the cybersecurity controls effectiveness of each document and whether there are any deficiencies that would prevent the organization from establishing a business relationship, require an exception, or need a remediation plan. Using a set of questions and answers, the team should verify whether each document meets its evaluation criteria. At the end of the assessment, there should be a synopsis rating for each section in the third-party risk report.
An example of applying a set of criteria to evaluate a base foundational document would be a company that is seeking to verify that a third party has a security policy to protect people and technology assets from harm. For example, does the policy:
- Cover all the third party's business functions?
- Identify consequences for noncompliance?
- Address how the third party handles internal and external threats?
- Identify the standards and guidelines to comprehensively and holistically secure the third party's IT systems?
Answers to each question should either be "acceptable," "unacceptable," or "unacceptable — requiring remediation." Also, each question must have an associated cybersecurity standard or guideline to aid the evaluation process. The self-assessment of the third party's security policy and its ability to answer these questions accurately is critical to determining whether an organization proceeds to contractual negotiations or deems the company is too risky. The organization should have a similar set of evaluation criteria for each document.
Develop a Risk Report To achieve the best compliance results, the team should generate a third-party risk report for each vendor and review it during a regularly scheduled meeting. This review meeting will allow leadership to provide feedback for each risk report before approving the vendor to move to the next step of the onboarding process, deny with remediation steps required, or deny it outright. Internal auditors should use these reports to verify that the organization is following this process and to determine where improvements can be made to continually mature the process.
Prioritizing Process Reviews
A robust third-party IT risk management process can reduce the likelihood that the organization will experience brand damage, legal issues, business and revenue loss, and cost implications while conducting business with vendors. Organizations should act now because the increased dependencies and complexities of working with outside firms may bring new opportunities and risks. For internal audit, reviewing third-party management processes should become a priority.