The recent SolarWinds breach has reminded news organizations, businesses, and leadership teams around the world just how vulnerable we are when one of our third parties is compromised. While SolarWinds is an unfortunate event for all affected (and that number is still growing), it is a good opportunity to review the various risk management programs that exist to reduce these kinds of breaches and take stock of how your organization’s programs measure up.
First, was SolarWinds a third-party or supply chain breach? The answer is both. “Third party” is an umbrella term for all kinds of vendors, suppliers, and partners. So, a supply chain vendor like SolarWinds is a third party, just as a cloud provider or law firm are third parties.
Then what is the difference between third-party risk management and supply chain risk management? Well, there’s a lot to unpack here, and the difference often comes down to the type of third party and/or the type of risk you are evaluating.
Before we dive into how to reduce the risk of third-party vendor breaches, let’s define the different types of third-party vendor risk management:
Third-Party Risk Management (TPRM)
TPRM is the act of identifying and addressing any type of risk (e.g., financial, fraud, or cyber risk) that is associated with third-party entities. A third party is an entity that provides a product or service directly to your customers and/or an entity critical to maintaining your daily operations. Third parties can include partners, consultants, vendors, or suppliers.
Third-Party Cyber Risk Management (TPCRM)
TPCRM is a subset of TPRM and is the act of identifying and addressing cybersecurity-related risks that are associated with your third-party entities. SolarWinds is a third-party cyber breach because SolarWinds is a third party to all the customers who were exposed, and the exposure compromised the confidentiality, integrity, and availability of the customers’ data and systems.
Vendor Risk Management (VRM)
VRM is the act of identifying and addressing any type of risk that is associated with vendor entities. A vendor is a type of third-party entity that provides a product or service directly to you. All vendors are third parties, but not all third parties are vendors.
Supply Chain Risk Management (SCRM)
SCRM is the act of identifying and addressing supply chain-related risks. A supply chain is the flow of goods and services and may be made up of internal or external (third party) entities. Supply chain risks can include anything from cyber risks and geopolitical risks to disruption risks that can occur via man-made or natural disasters.
There are three types of supply chain attacks—compromising commercial software, compromising open source software, or embedding malware during the physical production of technology. The SolarWinds breach is also referred to as a supply chain breach because the malware that enabled the breach of SolarWinds customers was embedded in official SolarWinds software updates. All supply chain attacks are third-party attacks, but not all third-party attacks are supply chain attacks.
How to Establish a Third-Party Risk Management Program
Every business with third-party vendors should define a risk management strategy. Keep in mind that your third parties may include plug-ins on your website, SaaS products, and many other services you may not think of as vendors.
The first step in establishing a third-party risk management program is determining which department and roles are responsible for establishing and administering your protocol. If you don’t have a risk management department—and many companies don’t—the responsibility often falls to roles like:
- Chief Information Security Officer (CISO)
- Chief Technology Officer (CTO)
- Information Technology (IT)
- Sourcing and Procurement
- Contract Manager
From there, you must develop a protocol for handling risk management. This process starts with understanding the third-party vendor management life cycle so you can systematically review the risks associated with every third party.
What is the Third-Party Risk Management Life Cycle?
Developing a process for third-party risk management means defining and understanding the lifecycle of third-party relationships.
While every company is different in how they approach risk management, here are some key stages of the life cycle to consider for your formal process.
Sourcing & Vetting
As soon as you identify a need for a third party, make a list of all of the possible solutions and vet them. In addition to evaluating them on the solution, also take a few moments to evaluate the potential risks. While you’ll dive deeper into this at a later stage, it’s important to be aware of deal-breakers or high-risk situations.
Scoring the Risk
After choosing your top solution, it’s time to take a deep dive into risk. What specific risks are involved? How critical are those risks? Risk is typically scored on two factors: the severity of a problem if it occurs and how likely it is to occur.
Internal Assessment and Review
From there, you must define what changes or considerations your organization needs to make to mitigate those risks. At this time, you also must define how frequently you need to review this vendor, and what metrics you’ll use for evaluating ongoing risk.
Ongoing Monitoring
For the duration of your relationship with the third party, you’ll need to conduct ongoing monitoring. Some of this will be their responsibility, but you’ll also want to pay attention to media reports, business updates, sanctions lists (for international third parties), breach notifications, and other methods of gathering intelligence.
This phase includes maintaining compliance with all applicable laws and regulations. Some of the most commonly referenced standards and frameworks include ISO 27001 and 27701 and NIST SP 800-53. It’s your responsibility as an organization to ensure that you are aware of all regulatory bodies and requirements your company is subject to.
Ending the Relationship
Whether you no longer need the third party or the risk becomes too great to continue, there comes a time to end the relationship. Rather than letting a dormant relationship linger, with its access and data still in place and opening yourself up to the possibility of unmonitored breaches, you must develop a specific offboarding process. After ensuring that any and all obligations have been met, it’s time to end the relationship and completely remove the third party’s access, data, and integrations from your business.
If terminating a relationship because the third party exceeds your tolerance for risk, it’s time to start sourcing and vetting a new solution. If, however, you’re moving on because you no longer need that solution, you can cease the partnership after divesting yourself of the third party.
As your third-party ecosystems continue to grow in the digital world, it’s critical that you find a scalable and repeatable approach that can keep up. Again, while your supply chain risk management process will vary based on your organization and your needs, this offers a guideline for different factors to consider.
Best Practices for Reducing Your Chance of a Third-Party (or Supply Chain) Breach
To reduce your chances of suffering a third-party or supply chain breach, collaborate with your critical third parties to review their cyber risk profile.
Many organizations have thousands of third parties, so assessing each one is a Sisyphean task. We recommend starting by prioritizing your third-party portfolio based on each third party’s inherent risk: the risk they pose before taking into consideration the security controls they have in place. Then you can focus on the ones that present the most inherent risk and assess whether they have the security controls in place to mitigate that risk.
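As an added illustration of the inherent-risk prioritization described above (example code, not CyberGRX’s scoring model; the factors, weights, tier thresholds and vendor names are hypothetical), the following scores a small constructed portfolio before any controls are considered, flags which third parties need a control assessment, and shows how assessed controls change the residual ranking:

```python
"""Inherent-risk tiering for a third-party portfolio (illustrative model)."""
from dataclasses import dataclass
from typing import Optional

# Hypothetical weights; each factor is rated 1 (low) to 5 (high).
WEIGHTS = {"data_sensitivity": 0.4, "criticality": 0.35, "access": 0.25}

@dataclass
class ThirdParty:
    name: str
    data_sensitivity: int  # 1 = public data only ... 5 = regulated data / PII
    criticality: int       # 1 = replaceable in days ... 5 = core daily operations
    access: int            # 1 = no connectivity ... 5 = pushes code/updates into your estate
    control_coverage: Optional[float] = None  # 0..1 once assessed, None if not yet

def inherent_risk(tp: ThirdParty) -> float:
    """Weighted 1-5 score that deliberately ignores any controls the third party has."""
    for field in WEIGHTS:
        if not 1 <= getattr(tp, field) <= 5:
            raise ValueError(f"{field} must be rated 1-5")
    return round(sum(getattr(tp, f) * w for f, w in WEIGHTS.items()), 2)

def tier(score: float) -> str:
    """Map an inherent score to a tier (thresholds are hypothetical)."""
    return "critical" if score >= 4.0 else "high" if score >= 3.0 else "medium" if score >= 2.0 else "low"

def residual_risk(tp: ThirdParty) -> float:
    """Inherent risk reduced by assessed control coverage; unassessed keeps full inherent risk."""
    if tp.control_coverage is None:
        return inherent_risk(tp)
    if not 0.0 <= tp.control_coverage <= 1.0:
        raise ValueError("control_coverage must be between 0 and 1")
    return round(inherent_risk(tp) * (1 - tp.control_coverage), 2)

def prioritize(portfolio, assess_tiers=("critical", "high")):
    """Rank by residual risk and flag unassessed high-tier third parties for a control review."""
    rows = []
    for tp in portfolio:
        inh = inherent_risk(tp)
        t = tier(inh)
        rows.append({"name": tp.name, "tier": t, "inherent": inh, "residual": residual_risk(tp),
                     "assess": t in assess_tiers and tp.control_coverage is None})
    return sorted(rows, key=lambda r: r["residual"], reverse=True)

# Constructed sample portfolio (hypothetical names and ratings).
PORTFOLIO = [
    ThirdParty("network-monitoring-vendor", 4, 5, 5),            # pushes software updates, unassessed
    ThirdParty("payroll-saas", 5, 4, 2, control_coverage=0.7),  # high inherent risk, controls assessed
    ThirdParty("office-catering", 1, 1, 1),
    ThirdParty("marketing-analytics-plugin", 3, 2, 4),          # website plug-in with broad access
]

if __name__ == "__main__":
    for row in prioritize(PORTFOLIO):
        print(row)
```

Note that the assessed payroll vendor drops below the unassessed website plug-in once its controls are counted, which is the point of separating inherent from residual risk.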
There are a variety of methods to do this today.
Reduce Silos With Standardized Data
We believe the best way to do this is to move away from siloed, bespoke, and static approaches, like traditional Excel-based questionnaires, and begin using a standardized data set that can be shared via a dynamic exchange.
Standardized data allows third parties to share one assessment with multiple customers, so they can spend more time securing their customers’ data and less time filling in assessments. A 2018 study found that third parties were spending an average of 14,000 hours a year filling in assessments—that’s a lot of time that could be better spent patching and addressing potential security issues like supply chain vulnerabilities.
Automate What You Can
Automation builds on standardized data by removing manual steps from the process. Some opportunities for automation include:
- Task management assignments and reminders
- Third-party reporting and performance reviews
- Scheduling reassessment
- Sending reminders
- Scheduling reports
Be Aware of Different Risks
Third-party risk management is about more than cybersecurity. A potential breach can have lasting repercussions in every aspect of your business. Some of the related risks you must consider include:
- Team Morale
Risk Management Is Essential for Your Continued Success
It should go without saying that to succeed in the coming years, you must be aware of — and take strides to mitigate — any third-party risk. While establishing a third-party risk management program doesn’t remove all possibility of future breaches, it does reduce the likelihood of a lasting effect on your business.
CyberGRX excels at third-party risk management. Contact us today to find out how we can help you establish a supply chain risk management program designed with your business in mind.