Data breaches via third parties are an increasing problem in many industries. So how can companies ensure their data is secure, even when it is in the hands of their third parties and vendors? According to a recent Extended Enterprise Risk Management (EERM) study by Deloitte, “Seven out of ten respondents believe that risks inherent in managing their extended enterprise have increased at least by some extent if not significantly. However, organizational self-assessment of their overall levels of EERM maturity continues to improve at a slow pace.” One perception that likely contributes to the slow maturity of EERM and third-party risk management programs is that simply adhering to compliance and industry regulations will reduce risk.
The reality is, regulations are kind of like flare. They only tell you what or how many things you are required to have, but they don’t necessarily describe how state of the art or mature those things should be. A risk-based approach includes compliance as a by-product of the risk assessment activity – so you can ensure your third parties have the right pieces in place, while gaining insights on the strength and maturity of those pieces. You essentially kill two birds with one stone.
Take new regulations such as the EU’s General Data Protection Regulation (GDPR) and NY DFS as examples. These regulations provide guidance on valuable steps and measures that organizations should implement to protect data, but these are really best used when paired with a risk-based approach. A risk-based approach helps companies identify and prioritize critical control gaps that are not only necessary to meet compliance requirements, but also necessary to the security of your data. The ability to prioritize these gaps, or risks, enables organizations to make decisions on the issues that they need to focus on when it comes to compliance and data security.
Security and compliance management, as it relates to your third parties, needs to be managed collaboratively, with all parties involved. Because ultimately, if your data is exposed by one of your vendors or third parties – by breach or lack of compliance – your organization will be held responsible by regulators and customers for not doing enough to uncover and address the issue in a timely manner.
One great way to monitor a vendor’s compliance with a regulation is to understand how you yourself comply with the same statute. If you comply with GDPR by taking certain steps, assess whether or not your vendor can produce evidence of the same activity. Another great way is conducting pre-contract due diligence with a third-party risk assessment. Identifying potential vendor-originated exposures before a contract is in place (even if you have great protection under terminations and provisions) will put you in a better position to mitigate risk before a threat occurs. Applying a risk-based due diligence approach against existing vendors is also critical. In fact, third-party risk assessments should provide you with ongoing security and compliance insights by continuously measuring the controls your vendors have in place against the nature of the services you are leveraging (or looking to leverage) as well as against the evolving security landscape.
Third-party related breaches have continued to dominate the headlines in 2018 – from retailers like Sears, Delta and Lord & Taylor to US gas pipelines. The fact of the matter is, whether you, or your third parties were compliant will not matter to the public when your (their) data is exposed. The Facebook and Cambridge Analytica story is a great example of this. A PWC audit in 2017 found Facebook’s data practices and privacy controls were compliant even after Cambridge Analytica got control of millions of users’ data – but that hasn’t stopped many Facebook users from cancelling their Facebook accounts.
Any third party or vendor that your organization does business with can make your organization vulnerable to threats. CyberGRX will help you identify risks and compliance gaps, so you can make informed, risk-based decisions about your third parties.