Simplifying Third-Party Risk Management

Ilia Sotnikov


August 1, 2019

Working with third parties has become an essential part of business operations. Unfortunately, third-party risk management still receives insufficient attention, especially when it comes to data security. According to a study by the Ponemon Institute, the average company shares sensitive information with approximately 583 third parties as part of its business activity, but only 34% of organizations keep a comprehensive inventory of those third parties.

To stay competitive, organizations often must turn to specialized solutions and skills from various vendors, but as organizations outsource more functions, the risk of data breaches increases. Therefore, every business leader should ensure that all third parties operate in a manner consistent with their organization’s security and compliance standards. Effective third-party risk management can help organizations choose partners wisely, minimize the impact of third-party problems and improve incident response.

The following five steps can help companies assess the risks of taking on a new partner and keep mitigating those risks as their third-party risk management program matures:

1. Conduct third-party risk assessments.

A risk assessment is essential whenever you outsource the handling of sensitive data to a potential partner or grant a contractor access to your networks. It is also mandatory if your company is subject to regulations that govern third-party relationships, such as the Health Insurance Portability and Accountability Act (HIPAA) and the Federal Information Security Management Act (FISMA).

For example, a partnership in which a third party pays fees, taxes or other payments on behalf of your company is high-risk and requires a thorough assessment of the third party’s policies and practices that affect the processing of your sensitive data. On the other hand, agreements in which the third party processes only non-sensitive data are low-risk and do not require as detailed an assessment.

In addition to the initial evaluation during onboarding, it is good practice to repeat third-party risk assessments at regular intervals and whenever the scope of the relationship changes, for example when a partner gains access to a new system or data set.

2. Undertake due diligence.

The specifics of the due diligence procedure will depend a great deal upon your industry and your business, but some general tips include:

  • Perform a credit check. If a supplier owes millions of dollars in unpaid invoices, that could impact its ability to deliver the services it agrees to provide.
  • Check the third party’s litigation history to see if it has ever been held liable for a data breach.
  • Review media archives for negative news about the potential partner.
  • Ask for evidence of how the company protects sensitive data as it stores and processes it, as well as how it utilizes cloud technology.
  • Conduct audit checks to see whether the potential partner follows through on its promises.
  • For low-risk third parties, due diligence involves checking the entity itself. For high-risk third parties, be sure to also perform due diligence review of the entity’s associates, subsidiaries and other related companies.

3. Detail all obligations in a written contract.

A partner agreement is the document that governs a company’s relationship with a supplier and helps resolve any disputes. It is good practice to have a detailed agreement with each supplier; in fact, some regulations, such as HIPAA, oblige covered entities to sign a business associate agreement (BAA) with any supplier that handles protected health information on their behalf.

If the supplier is going to process your sensitive data, the agreement should spell out risk-based data security and privacy obligations and controls, such as access controls, physical security controls and requirements for data integrity. If a partner will get access to your network, it is particularly important to define the hours during which its staff may connect, the accounts they may use and the systems they may reach, so that any activity outside those windows or that scope can be flagged.

4. Monitor third-party activity.

Even if you have vetted your partner and signed a detailed contract, you must remain vigilant to ensure that it fulfills its obligations. In particular, implement technology that lets you monitor user activity and confirm that only authorized users access sensitive data, and only within the scope of activity specified in the contract. Such monitoring will enable you to detect and investigate security incidents more quickly.
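As an added example (not code from the article or from Netwrix), the following Python script shows what "monitoring within the scope of the contract" can look like in practice: it reads constructed access-log lines and checks each event against a hypothetical vendor contract that names the permitted accounts, resource paths, actions and working hours. The contract fields, the log format and the sample vendor are all assumptions for illustration; a real deployment would read events from an audit log or SIEM and express the working hours in the vendor's actual time zone.

```python
"""Flag third-party access events that fall outside a vendor contract.

Added example, not part of the original article. The contract terms,
log format and sample data below are all constructed for illustration.
"""
import re
from dataclasses import dataclass
from datetime import datetime, time, timedelta, timezone, tzinfo

# Constructed sample log (not real data): ISO-8601 UTC timestamp, then
# user, resource and action, one event per line.
SAMPLE_LOG = """\
2019-07-30T14:15:03+00:00 user=jdoe@acme-vendor resource=/finance/invoices/2019 action=read
2019-07-30T22:40:11+00:00 user=jdoe@acme-vendor resource=/finance/invoices/2019 action=read
2019-07-31T09:05:47+00:00 user=msmith@acme-vendor resource=/finance/invoices/2019 action=read
2019-07-31T09:06:02+00:00 user=jdoe@acme-vendor resource=/hr/payroll action=read
2019-08-03T10:00:00+00:00 user=jdoe@acme-vendor resource=/finance/invoices/2019 action=write
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) resource=(?P<res>\S+) action=(?P<action>\S+)$"
)


@dataclass(frozen=True)
class VendorContract:
    """Hypothetical machine-readable excerpt of a vendor agreement."""
    vendor: str
    users: frozenset        # named accounts the vendor may use
    resources: tuple        # path prefixes that are in scope
    actions: frozenset      # permitted actions on those paths
    work_start: time        # contracted hours, in `tz`
    work_end: time
    workdays: frozenset     # weekday numbers, Monday=0 .. Sunday=6
    tz: tzinfo


@dataclass(frozen=True)
class Event:
    ts: datetime
    user: str
    resource: str
    action: str


# Assumed contract for a fictional bookkeeping vendor. A fixed UTC+2 offset
# is used so the example runs without tz database files; production code
# would use the vendor's IANA zone via zoneinfo.
ACME_CONTRACT = VendorContract(
    vendor="ACME Bookkeeping (hypothetical)",
    users=frozenset({"jdoe@acme-vendor"}),
    resources=("/finance/invoices/",),
    actions=frozenset({"read"}),
    work_start=time(9, 0),
    work_end=time(18, 0),
    workdays=frozenset(range(5)),          # Monday to Friday
    tz=timezone(timedelta(hours=2)),
)


def parse_line(line):
    """Parse one log line into an Event; raise on malformed input."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unparseable log line: {line!r}")
    return Event(datetime.fromisoformat(m["ts"]), m["user"], m["res"], m["action"])


def violations(contract, event):
    """Return the contract clauses the event violates; [] means it is in scope."""
    reasons = []
    if event.user not in contract.users:
        reasons.append("user not named in contract")
    if not any(event.resource.startswith(p) for p in contract.resources):
        reasons.append("resource outside contracted scope")
    if event.action not in contract.actions:
        reasons.append("action not permitted")
    # Convert the UTC timestamp to the zone the contract hours are written in;
    # a late-evening UTC event may land on the next local day.
    local = event.ts.astimezone(contract.tz)
    if local.weekday() not in contract.workdays:
        reasons.append("activity on a non-working day")
    elif not (contract.work_start <= local.time() < contract.work_end):
        reasons.append("activity outside contracted hours")
    return reasons


def scan(contract, log_text):
    """Map each offending log line to the list of clauses it violates."""
    findings = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        reasons = violations(contract, parse_line(line))
        if reasons:
            findings[line] = reasons
    return findings


if __name__ == "__main__":
    for line, reasons in scan(ACME_CONTRACT, SAMPLE_LOG).items():
        print(f"ALERT [{ACME_CONTRACT.vendor}] {line}\n    -> {', '.join(reasons)}")
```

Of the five constructed events, only the first is compliant; the second is flagged because 22:40 UTC is 00:40 the next day in the contract's zone, the third uses an account the contract does not name, the fourth touches a path outside the agreed scope, and the fifth is a write on a Saturday. Each finding carries the clause it breaks, which is the detail an investigator needs when raising the event with the vendor.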

You should also ask your third parties to implement similar technology in their environments and provide you with evidence that they are using proper security controls. It is a good idea to appoint a dedicated person who will regularly review the state of information security within your joint ecosystem to make sure proper controls are in place at all times. Without proper visibility into your IT environment and third-party infrastructures, data breaches can remain concealed for months or even years. The longer a data breach remains undetected, the more damage can be done to the environment and the higher the costs.

5. Adopt a unified framework for security incident notification and response.

No matter how effective your security strategy is, a data breach is always a risk. Some regulations have very specific breach notification rules, and under some of them, such as the European Union’s General Data Protection Regulation (GDPR), the Payment Card Industry Data Security Standard (PCI DSS) and HIPAA, responsibility for a breach can fall on both parties, even if only one of them failed to implement reasonable security measures. For example, if a company regularly trains its employees to raise their cybersecurity awareness but its third-party partner does not, both can still be held liable if a breach occurs. The timelines are tight as well: under GDPR, a processor must notify the controller without undue delay after becoming aware of a breach, and the controller generally has 72 hours to notify the supervisory authority.

Therefore, it is crucial to create an incident response plan and require contractors and subcontractors that process your sensitive data to follow it. Make sure your contractors can quickly detect deviations from normal operations across their IT environments and identify security incidents. In case of an incident, the third party should notify you as soon as possible and provide all information that might help you assess the scope of the breach: whether unauthorized users actually acquired or viewed any sensitive data, the number of records affected, when and where the incident occurred, and the extent to which the risk to the data has been mitigated. The response plan should also spell out recovery measures and a procedure for learning from every incident.

Ilia Sotnikov is vice president of product management at Netwrix.