What Do Boards Need to Know About Third Party Risk?

ISACA and the Institute of Internal Auditors (IIA) recently released a report emphasizing the board’s role in overseeing security risk management. In particular, the report mentioned management of third party risk, arguing that boards should ask tougher questions about third party security. According to an IIA survey, only 14 percent of board members said they were actively involved in cyber security oversight. Even though the SEC has asked board members to get involved, 58 percent of board members admit that they should be doing more. If you’ve struggled to get your board to become engaged in your security risk management efforts, particularly related to third party risk, now is the right time to make them aware.

Third-party breaches trigger steep regulatory fines from agencies like the SEC and the Department of Health and Human Services. Data breaches can also shake shareholder confidence, and they can have devastating consequences for customers whose identities are stolen. The people at the top of the company often pay the price for data breach aftermath. Target’s massive 2013 data breach, which resulted from a third-party vulnerability, cost CEO Gregg Steinhafel his job. In addition, ISS advised Target shareholders to overhaul the board, charging board members with poor risk oversight.

How Boards Can Protect Themselves and Their Organizations

The ISACA and IIA report outlines the major risks that third party vulnerabilities can pose to an organization. To help board members effectively tackle this problem, BitSight offers three tips to help organizations proactively address cyber security risks stemming from these business relationships:

1. Understand what threats face your third parties. Board members should not only be educated on what entities are in control of sensitive company data, but also be aware of the top risks facing these companies, and the industries they operate in.

security ratings snapshot example

Request your free Security Rating Snapshot to find the gaps in your security program and how you compare to others in your industry.

Get Your Rating
Button Arrow

2. Empower your team to effectively manage third party cyber risks. Cyber threats facing your organization are constantly changing. This also holds true for your vendors, suppliers and business partners, highlighting the fact that annual assessments alone are simply not enough to adequately identify and manage emerging risks. Ensure that your teams have the right tools to continuously monitor and address cyber risk throughout your business ecosystem.

3. Bring cyber security into business negotiations. Third party risks don’t disappear after the ink has dried on a contract. This means boards should communicate clear cyber security standards to executives who negotiate business and supplier partnerships. Standard metrics, such as Security Ratings, can help companies keep a minimum standard of cyber security for third party suppliers, vendors and partners.

Recently, regulators, government officials and industry groups have been calling for increased board oversight of cyber security. While scrutiny from other groups should prompt board members to take notice of this issue, the financial impact of data loss and information security issues should be even more alarming. By taking steps to address third party risks, board members can lower the risk of doing business in our hyperconnected world. By ensuring that an organization is consistently and continuously monitoring the changing threat landscape across a company’s network ecosystem, boards can be a catalyst for changes that help their company better avoid financial and reputational losses stemming from major security events.