Learn how to adapt to the continuously changing risk environment with an efficient, continuous risk monitoring strategy.
Companies are becoming increasingly reliant on third-party relationships, and cyber attacks originating in the systems of third parties are on the rise.
In this cyber risk landscape, any company with sensitive data and third-party connections should build, grow, and maintain a robust third-party risk management (TPRM) program.
Some industries (e.g. healthcare, financial services, utilities) are subject to strict TPRM regulations that vary by region. However, both regulated and unregulated businesses should strive for TPRM maturity in order to protect sensitive data and systems and prevent costly attacks.
In this post, we’ll go over best practices for TPRM at the enterprise level.
What is third-party risk management?
Third-party risk management is the process of monitoring relationships with vendors and partners in order to assess and mitigate cybersecurity risk.
TPRM programs involve a number of tools and approaches, and best practices will vary depending on the size of your business and the nature of your industry. However, there are key components of TPRM that every business should follow.
A great place to look for third-party risk management best practices is the National Institute of Standards and Technology’s “Framework for Improving Critical Infrastructure Cybersecurity,” commonly known as the NIST framework.
The NIST framework outlines voluntary standards and best practices for managing cyber risk. This framework is the foundation for most emerging cybersecurity regulations.
NIST TPRM Best Practices Explained
The NIST framework refers to third-party risk management as supply chain risk management (SCRM), and identifies five subcategories of SCRM best practices. Here are the five subcategories, and what they mean in practice:
1. “Cyber supply chain risk management processes are identified, established, assessed, managed, and agreed to by organizational stakeholders.”
This guideline concerns internal buy-in for TPRM.
In order to build a successful TPRM program, Board members and executives need to be educated on the basics of TPRM so they understand the gravity of third-party risk and can make informed decisions concerning supply chain security.
Additionally, there must be documented strategies for TPRM that apply to all relevant third parties and all departments. Cybersecurity is not solely an IT issue, and the entire organization contributes to a culture of cybersecurity.
2. “Suppliers and third party partners of information systems, components, and services are identified, prioritized, and assessed using a cyber supply chain risk assessment process.”
In order to perform accurate risk assessments and establish objectives, you need to have an in-depth understanding of the cybersecurity performance of your vendors and partners. This guideline can be broken down into three steps: identify, prioritize, and assess.
Identify — First you have to understand who your third parties are. Don’t rely on any pre-built list; you might have had suppliers come in through “Shadow IT” or other undocumented mechanisms. Create an exhaustive list of every third-party connection to your business.
Prioritize — Once you’ve compiled a list of your third parties, you’ll need to document what data they have access to, the sensitivity of that data, and the level of access they have. This information will help you decide how to prioritize your TPRM resources, with the riskiest vendors getting the most attention.
Assess — Determine your third parties’ cybersecurity performance using a combination of questionnaires, penetration tests, on-site visits, and cyber risk ratings. BitSight Security Ratings are a data-driven, dynamic measurement of an organization’s cybersecurity performance (like credit ratings for cybersecurity) that are quickly becoming part of standard TPRM procedure.
3. “Contracts with suppliers and third-party partners are used to implement appropriate measures designed to meet the objectives of an organization’s cybersecurity program.”
TPRM is not an after-the-fact exercise. Procurement should rely on the organization’s established cybersecurity objectives when onboarding new suppliers. If a prospective vendor cannot meet minimum security requirements, they pose too much risk and are not a good fit.
Furthermore, third-party security should be a contractual obligation. When onboarding a vendor, use quantifiable measurements like security ratings to create an enforceable standard of cybersecurity performance.
4. “Suppliers and third-party partners are routinely assessed using audits, test results, or other forms of evaluations to confirm they are meeting their contractual obligations.”
We’ve already discussed assessments, but the operational word in this best practice is routinely. An initial assessment is not enough to prove that a vendor is secure, so third parties need to undergo frequent evaluation.
Traditionally, companies have used some form of a cyber security risk assessment questionnaire to perform these routine checkups, but these can only provide point-in-time snapshots of cyber risk. As new threats emerge and third-party security performance changes, you need additional assessments to fill in the gaps. Continuous security monitoring technology like security ratings can help you ensure that these obligations are being met.
5. “Response and recovery planning and testing are conducted with suppliers and third-party providers.”
Third-party risk can’t be resolved by the enterprise alone — suppliers have their role to play as well. TPRM should be a collaborative effort, and enterprises and third parties must work together to optimize security and prepare for recovery in the event of a breach.
Improving cybersecurity is a gradual process, and it takes time, effort, and planning. TPRM in particular is not all-or-nothing — it’s incremental. If you use these best practices as a goal and work toward them, you can mitigate risk and improve your organization’s overall security posture over time.