In an effort to reduce costs, increase efficiencies and build strategic advantage, Financial Services organisations are expanding their use of outsourcing and are relying extensively on third parties for critical business and IT processes. While third parties bring multiple benefits to business, there is a corresponding increase in cyber risk exposure as third parties access critical systems, sensitive information, and potentially engage sub-contractors. Beyond cyber, there are further third party risks such as the risk of lock-in, regulatory compliance, and others, but these will not be considered in this blog post.
Despite a high dependency on third parties, organisations are not yet managing the risks in a holistic and coordinated manner. Additionally, heavily regulated industries, such as the Banking and Financial Services Industry, are required to think strategically about third party cyber risk management. Potential penalties for managing third party cyber risk insufficiently range from regulatory fines to losing the licence to operate. With more and more European regulators preparing to adopt requirements as stringent as those outlined in the new cyber regulations by the New York State Department of Financial Services (NYDFS), Swiss Financial Services organisations are required to take proactive measures to manage this risk.
Third party cyber risk management
Third party cyber risk management (TPCRM) is the process of identifying, evaluating, and preventing or reducing cyber risks associated with third parties to an acceptable level. Determining that level depends on the organisation, the value of the assets, the threat level, and the size of its budget. A holistic TPCRM framework requires a multi-layered approach covering compliance requirements (e.g. breach notification, support for e-discovery, data location requirements, etc.), security requirements (e.g. multifactor authentication for remote access, encryption, disaster recovery, etc.), and legal requirements (e.g. right to audit, data ownership, sub-contracting, NDAs, etc.).
Steps to consider for the implementation of an effective TPCRM
To implement an effective, value-adding TPCRM, the programme must be embedded in your company’s vendor lifecycle management, starting from the due diligence process to the on-boarding and contracting, to the continuous monitoring and, finally, to the off-boarding and termination.
The core of each TPCRM framework is the approach to assessing third party cyber risk, where a two-tier approach is considered best practice. First, an inherent risk assessment is used to categorise the third party as a low, medium or high inherent risk vendor based on the nature of its services, without accounting for its controls. Second, based on the inherent risk rating, you need to assess whether the vendor has sound security controls in place that meet your organisation’s risk appetite. Conduct the ‘tell me’ exercise via questionnaires to get insights into the current level of security risk across your critical supplier base. Finally, use these insights to plan and undertake on-site reviews or remote assessments, adopting a ‘show me’ approach to controls testing.
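The two-tier assessment described above, as an added illustration that is not part of the original post or of any Deloitte tooling: the inherent-risk factors, the control set expected per tier and the follow-up decisions are assumptions chosen for the example, drawn from the controls the post lists.

```python
from dataclasses import dataclass, field

# Hypothetical service attributes used for the inherent-risk tier. They describe the
# nature of the engagement only; the vendor's own controls are deliberately ignored.
@dataclass
class Vendor:
    name: str
    handles_sensitive_data: bool      # client, personal or confidential data
    accesses_critical_systems: bool   # e.g. remote access into core platforms
    uses_subcontractors: bool         # fourth-party exposure
    questionnaire: dict = field(default_factory=dict)  # 'tell me' answers: control -> bool

# Assumed control expectations per tier (example set, not a standard).
REQUIRED_CONTROLS = {
    "low": ["breach_notification"],
    "medium": ["breach_notification", "encryption", "right_to_audit"],
    "high": ["breach_notification", "encryption", "right_to_audit",
             "mfa_remote_access", "disaster_recovery", "subcontractor_flowdown"],
}

def inherent_risk(v: Vendor) -> str:
    """Tier 1: rate low/medium/high from the nature of the service alone."""
    factors = sum([v.handles_sensitive_data, v.accesses_critical_systems, v.uses_subcontractors])
    return {0: "low", 1: "medium"}.get(factors, "high")

def assess(v: Vendor) -> dict:
    """Tier 2: compare 'tell me' answers with the controls expected for the tier and
    decide the follow-up: remediation, or 'show me' testing scaled to the tier."""
    tier = inherent_risk(v)
    gaps = [c for c in REQUIRED_CONTROLS[tier] if not v.questionnaire.get(c, False)]
    if gaps:
        next_step = "remediate gaps before onboarding"
    elif tier == "high":
        next_step = "on-site 'show me' controls review"
    elif tier == "medium":
        next_step = "remote 'show me' controls assessment"
    else:
        next_step = "accept; re-assess at contract renewal"
    return {"vendor": v.name, "tier": tier, "gaps": gaps, "next_step": next_step}

# Constructed sample vendors (not real suppliers).
PAYROLL = Vendor("payroll-saas", True, False, True,
                 {"breach_notification": True, "encryption": True, "right_to_audit": True,
                  "mfa_remote_access": True, "disaster_recovery": False})
CATERING = Vendor("office-catering", False, False, False, {"breach_notification": True})

if __name__ == "__main__":
    for vendor in (PAYROLL, CATERING):
        print(assess(vendor))
```

The payroll provider lands in the high tier because of the data it handles and its sub-contracting, regardless of how good its answers are; the questionnaire then only decides whether remediation or a 'show me' review comes next.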
In some organisations, the number of vendors is equal to or higher than the number of employees. To manage third party cyber risk at scale, your organisation needs to think about staffing and an agile, scalable execution model. Using a managed service is increasingly common for a number of reasons:
- It allows organisations to benefit from economies of scale and associated cost benefits.
- It provides the ability to quickly scale up and down depending on demand.
- An external assessor is often preferred by regulators and usually comes with a high level of trust.
- It reduces the difficulty of finding skilled security professionals with an audit mindset.
With the rapid adoption of cloud computing solutions and the outsourcing of business processes, the dependency of businesses on third parties will further increase. Based on our experience, organisations are encouraged to consider:
- Defining a TPCRM programme that improves security and provides value to the business that owns the risk, rather than just addressing compliance.
- Implementing third party risk management solutions that are fully integrated into the vendor lifecycle, so that they are least disruptive for the business.
- Executing third party risk assessments in a scalable manner to ensure a high degree of consistency and standardisation of the assessments.
- Getting a complete picture of the cyber risks associated with third parties by also looking into the effectiveness of your company’s internal control framework (e.g. access recertification, data protection measures, patch management, etc.).
- Including third party cyber risk management in your company-wide risk and security awareness and training programmes.
Source: Deloitte Third party governance risk management (TPGRM) Extended enterprise risk management global survey 2017