What Do Boards Need to Know About Third Party Risk?

Ben Fagan | September 4, 2014 | tag: Security in the Boardroom

ISACA and the Institute of Internal Auditors (IIA) recently released a report emphasizing the board’s role in overseeing security risk management. In particular, the report mentioned management of third party risk, arguing that boards should ask tougher questions about third party security. According to an IIA survey, only 14 percent of board members said they were actively involved in cyber security oversight. Even though the SEC has asked board members to get involved, 58 percent of board members admit that they should be doing more. If you’ve struggled to get your board to become engaged in your security risk management efforts, particularly related to third party risk, now is the right time to make them aware.

Third-party breaches trigger steep regulatory fines from agencies like the SEC and the Department of Health and Human Services. Data breaches can also shake shareholder confidence, and they can have devastating consequences for customers whose identities are stolen. The people at the top of the company often pay the price for data breach aftermath. Target’s massive 2013 data breach, which resulted from a third-party vulnerability, cost CEO Gregg Steinhafel his job. In addition, ISS advised Target shareholders to overhaul the board, charging board members with poor risk oversight.  

How Boards Can Protect Themselves and Their Organizations

The ISACA and IIA report outlines the major risks that third party vulnerabilities can pose to an organization. To help board members effectively tackle this problem, BitSight offers three tips to help organizations proactively address cyber security risks stemming from these business relationships:

1. Understand what threats face your third parties. Board members should not only be educated on what entities are in control of sensitive company data, but also be aware of the top risks facing these companies, and the industries they operate in.

2. Empower your team to effectively manage third party cyber risks. Cyber threats facing your organization are constantly changing. This also holds true for your vendors, suppliers and business partners, highlighting the fact that annual assessments alone are simply not enough to adequately identify and manage emerging risks.  Ensure that your teams have the right tools to continuously monitor and address cyber risk throughout your business ecosystem.  

3. Bring cyber security into business negotiations. Third party risks don’t disappear after the ink has dried on a contract. This means boards should communicate clear cyber security standards to executives who negotiate business and supplier partnerships. Standard metrics, such as Security Ratings, can help companies keep a minimum standard of cyber security for third party suppliers, vendors and partners.

Recently, regulators, government officials and industry groups have been calling for increased board oversight of cyber security. While scrutiny from other groups should prompt board members to take notice of this issue, the financial impact of data loss and information security issues should be even more alarming. By taking steps to address third party risks, board members can lower the risk of doing business in our hyperconnected world. By ensuring that an organization is consistently and continuously monitoring the changing threat landscape across a company’s network ecosystem, boards can be a catalyst for changes that help their company better avoid financial and reputational losses stemming from major security events. 

Suggested Posts

3 Ways CISOs Can Brief Executives and Board Members on Cybersecurity IT Governance

Cybersecurity incidents are on the rise, and the monetary setbacks for victims are considerable. The average cost of a data breach in the U.S. has soared to nearly $8.6 million, and these costs are expected to grow by 15% over the next...


5 Shocking IT & Cybersecurity Burnout Statistics

No one should be surprised to learn that IT and cybersecurity jobs can be extremely stressful. Now, a convergence of trends has, in many cases, brought this stress to a breaking point.


Most Urgent CISO Skills 2020: Reporting, Avoiding Burnout, More

Since the creation of the first CISO role about 25 years ago, the job has changed dramatically. What was once an uncommon position has quickly become standard, with the majority of companies including a cybersecurity-specific role in...


Get the Weekly Cybersecurity Newsletter.