5 Things to Prepare for in Third-Party Risk Management 2018
by Liesl Geier
In 2017, an increase in third-party related data breaches brought a renewed focus to third-party risk management. But with this renewed focus come new challenges. From increased regulations and more involvement from the boardroom to greater financial implications, third-party risk management has the potential to get even more interesting in 2018.
Here are a few trends we expect to see this year:
1. Continued reliance on third parties & evolving ecosystems
Leveraging an ecosystem of third parties to conduct business is not a new phenomenon, but the nature and security of those relationships are evolving. We all know that we are only as secure as our weakest link. So as we continue to share our sensitive data with our contractors, vendors, and suppliers, it is critical that we do so with a clear understanding of our risk. According to Ponemon's 2017 study of third-party risk, organizations saw a 7% increase in third-party related breaches from 2016 to 2017, and those breaches cost the average organization over $7,350,000.
But the news isn't all bleak: new solutions and delivery models make sharing third-party risk data easier than ever before.
2. Increased regulatory scrutiny around third-party relationships
The European General Data Protection Regulation (GDPR) takes effect on May 25 and carries steep penalties for non-compliance. It’s critical to remember that under GDPR you remain responsible for the security of EU citizen data, even if you outsource it to third parties. But while GDPR may be taking the spotlight today, GDPR is only one regulation of many. Sidley law firm reminds organizations of an upcoming deadline for NYDFS (New York State Department of Financial Services): “By February 15, 2018, Covered Entities must comply with additional obligations under the NY Cybersecurity Regulation including: implementation of a formal, written Cybersecurity Program and Cybersecurity Policy, limitations/restrictions on access privileges to information systems that provide access to nonpublic information, utilization of qualified cybersecurity personnel (internally or through qualified third-party providers), designation of a new chief information security officer and development of a written Incident Response Plan. By February 15, 2018, Covered Entities must file their first annual certification of compliance with the Cybersecurity Regulations.”
3. Increased collaboration across the industry
The increase in third-party related breaches and regulations does have a silver lining: more industry collaboration and engagement. Boardrooms are taking notice, and hopefully that will make third-party risk management a resource priority in security discussions, not a point of conflict.
In fact, Ponemon's study found that between 2016 and 2017, boardroom involvement in third-party security increased by 15%. And we see an increase in collaboration throughout the industry as new third-party risk management events and consortiums arise. Let's face it: third-party risk management is a cross-industry challenge, for both upstream enterprises and their downstream partners and vendors.
More collaboration between and among enterprises and third parties and more engagement from boardrooms and executive teams will help elevate the conversation and hopefully drive more innovation.
4. Demand for more effective & accurate assessments
Perhaps the most disconcerting results from recent industry reports are the lack of confidence organizations have in their own third-party programs and the lack of visibility they feel they have into their third parties' security practices. Deloitte's 2016 Third-party Governance and Risk Management Survey found that a staggering 94.3% of respondents had only low to moderate confidence in how they managed third-party risk. Ponemon's 2017 study found that 57% of organizations don't even have a complete inventory of the third parties they share sensitive data with.
These findings are frightening, particularly given the increase in third-party related breaches and the increase in regulatory scrutiny. But achieving visibility and confidence is not hard. Data has been called the natural resource of our time, and it is readily available to inform third-party risk management today. If we simply move to a new delivery model where we have access to dynamic data, as opposed to static spreadsheets, we will have much greater visibility into our ecosystems. And with visibility comes confidence.
5. Requirement for scalability
Given all of the above, scalability is a required ingredient if we want to stay ahead of the constantly evolving threat landscape. Static assessment solutions cannot scale with your ever-evolving third-party relationships, their ongoing mitigation efforts, and the constantly changing threat levels. More and more organizations are looking for a way to scale their programs without increasing their costs.
Dynamic data and new delivery models will not only help you scale, but they will do so cost-effectively.
To learn more about these trends and how to prepare for them, check out our Dark Reading webinar with Michael Rasmussen, Founder of GRC20/20, and Gary Phipps, Senior Director of Solution Engineering at CyberGRX, so you can kick off 2018 with a strategic approach to third-party cyber risk management.