A Dive Into The TPRM Landscape
By Carmine Valente, CISSP | CISM | CISA, Vice President of Information Security at Paramount Global
Corporate organizations have long operated within interconnected business environments, relying on third-party providers and partners to improve efficiency and streamline operations. While these collaborations are essential to day-to-day business operations and bring numerous benefits, they also expose companies to a wide range of risks. In the past few years, third-party risk management (TPRM) has emerged as a critical discipline within risk management, allowing organizations to navigate the complex landscape of external partnerships with resilience and security.
Third-party risk encompasses the potential threats and vulnerabilities arising from an organization’s relationships with external entities. These entities can include suppliers, vendors, service providers, and contractors. As businesses continue to expand globally, outsourcing critical and non-critical functions, the scope and complexity of third-party relationships have increased, making effective risk management more crucial than ever. The question that immediately comes to mind is:
What risks do third parties introduce to their customers' organizations?
Beyond the operational and financial risks that come with any third-party provider, there are many other risk considerations involving data security, privacy, supply chain, compliance, and the broader cybersecurity spectrum. Global regulations such as GDPR, CCPA, HIPAA, and various financial regulations impose stringent requirements on organizations to protect sensitive data and maintain compliance. Ensuring that third parties adhere to these regulations is challenging, as they may operate under different legal frameworks. Cyber threats are another significant concern: security breaches in vendors' systems have repeatedly had cascading effects on their customers' organizations. Risk assessments and monitoring have therefore become essential cybersecurity measures that belong in every information security program.
Only a few years ago, the industry consensus was that the foundation of effective TPRM lay in conducting thorough risk assessments. Organizations needed to identify and evaluate the potential risks associated with each third party, considering data security, financial stability, and regulatory compliance. Today, the trend is changing. CISOs across multiple industries have started to realize that a point-in-time picture of a third party's security posture does not provide enough information to evaluate and manage the risk it brings to the organization. TPRM, historically a quasi-compliance function, has effectively been promoted to a critical risk management function, and organizations are starting to treat it as such. Assessments have gone from being the core component of TPRM to one element of the overall TPRM strategy, supported by other capabilities such as continuous monitoring and scoring, vendor incident response, and contract provision management, all feeding into detailed and complex risk calculations.
As with every risk management capability, the key is data collection. Collecting relevant information on third-party providers allows for continuous risk analysis that considers internal and external risk factors and provides a comprehensive view of the risk to the overall business process the third-party provider supports.
But what information should a TPRM program collect and consider when evaluating the risk introduced by third-party providers?
The short, and probably predictable, answer is: risk information. Elaborating a bit more, a whole spectrum of risk signals can feed into the TPRM picture.
Continuous monitoring tools perform big-data analysis and internet sweeps to provide real-time or near-real-time risk insights on organizations. The analyses are typically summarized in one or more scores outlining strengths, vulnerabilities, and risks. Because these tools observe only a vendor's internet-facing footprint, they say little on their own about internal controls or the specific service delivered to you; of limited use without that context, these indicators become valuable when correlated with other third-party risk information.
Point-in-time risk assessments continue to be a valuable way to draw a sound picture of a third-party provider's overall security posture. They can be high-level, focusing on the design of security and privacy controls, or focused on specific domains to uncover technical vulnerabilities. Either way, they remain a critical component of TPRM programs.
Contract management also plays a significant role in TPRM. A clear picture of the data protection provisions, liabilities, restrictions, and requirements in a contract with a third party can make a big difference when considering the risks associated with that third party. Each contract has its own characteristics, determined by the nature of the engagement, the specific provider, and so on. Risk considerations from contract management are another critical input to the overall risk scoring of a third party.
Finally, actively considering third-party security breaches has become paramount for effective TPRM. Historically, organizations have focused mainly on responding to internal breaches, often not considering breaches affecting their suppliers and how those breaches could in turn affect the organization. Here too, the trend is changing. According to Black Kite, each vendor breach affected on average 2.46 customer companies in 2021, and that ratio rose to 4.73 in 2022, evidencing the increasing impact of vendor breaches on their customers. Organizations that want to manage third-party risk effectively must define a strategy for evaluating security incidents affecting their providers.
But where do we draw the line?
Some pioneering organizations have started to invest in vendor incident response functions that analyze vendor incidents to determine their short-, medium-, and long-term impact on the organization's overall security posture. These functions work hand in hand with the cyber incident response team and can either sit under the overall cyber risk management program or feed into it, providing an additional layer of risk information that extends the TPRM base of knowledge.
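The risk calculation that the four inputs above feed into is easier to reason about with a concrete roll-up. The following Python is an added example written for this page; it is not code from the author, from Paramount, or from any TPRM product. The weights, decay windows, contract provision names, vendor records and the incident are all constructed assumptions chosen to illustrate the mechanics. It combines a continuous monitoring score, a point-in-time assessment, contract provisions and recent vendor incidents into one residual risk figure, and it shows the article's central point: as an assessment ages, its weight decays and the outside-in monitoring score takes over, so a glowing but year-old questionnaire cannot mask a weak current posture.

```python
"""Hypothetical vendor risk roll-up for the four TPRM signal types.

All weights, decay windows and thresholds below are illustrative
assumptions for this example, not an industry standard.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

TODAY = date(2024, 1, 1)  # fixed "now" so the example is reproducible

ASSESSMENT_VALIDITY = timedelta(days=365)  # assumption: a point-in-time assessment fully decays after a year
INCIDENT_MEMORY = timedelta(days=180)      # assumption: a vendor breach stops influencing the score after 6 months

# Contract provisions that reduce residual risk (assumed names and point values).
CONTRACT_MITIGATIONS = {
    "breach_notification_72h": 8,
    "right_to_audit": 6,
    "encryption_at_rest": 6,
    "subprocessor_approval": 5,
}


@dataclass
class Assessment:
    score: int        # 0..100 control maturity from the questionnaire or test, higher is better
    performed: date


@dataclass
class Incident:
    reported: date
    severity: int     # 1 (minor) .. 5 (confirmed customer-data exposure)


@dataclass
class VendorRecord:
    name: str
    inherent_risk: int                 # 0..100 from data sensitivity and business criticality
    monitoring_score: int              # 0..100 outside-in rating from a monitoring tool, higher is better
    assessment: Optional[Assessment]
    contract_provisions: set = field(default_factory=set)
    incidents: list = field(default_factory=list)


def assessment_weight(assessment, today=TODAY):
    """Confidence in a point-in-time assessment decays linearly with its age."""
    if assessment is None:
        return 0.0
    age = today - assessment.performed
    if age < timedelta(0):
        return 1.0
    return max(0.0, 1.0 - age / ASSESSMENT_VALIDITY)


def incident_penalty(incidents, today=TODAY):
    """Recent, severe vendor incidents add risk; older ones fade out. Capped at 50."""
    penalty = 0.0
    for inc in incidents:
        age = today - inc.reported
        if timedelta(0) <= age < INCIDENT_MEMORY:
            recency = 1.0 - age / INCIDENT_MEMORY
            penalty += inc.severity * 8 * recency   # a fresh severity-5 incident adds 40
    return min(penalty, 50.0)


def residual_risk(vendor, today=TODAY):
    """Blend the signals into a 0..100 residual risk figure (higher is worse)."""
    w = assessment_weight(vendor.assessment, today)
    assessed = vendor.assessment.score if vendor.assessment else 0
    # Control posture: as the assessment goes stale, lean on the monitoring score instead.
    posture = w * assessed + (1.0 - w) * vendor.monitoring_score
    control_gap = 100.0 - posture
    risk = vendor.inherent_risk * control_gap / 100.0   # inherent risk scaled by how weak controls look
    risk += incident_penalty(vendor.incidents, today)
    risk -= sum(CONTRACT_MITIGATIONS.get(p, 0) for p in vendor.contract_provisions)
    return round(max(0.0, min(100.0, risk)), 1)


def risk_tier(score):
    """Map a residual risk figure to a review tier (assumed thresholds)."""
    if score >= 60:
        return "critical"
    if score >= 40:
        return "high"
    if score >= 20:
        return "medium"
    return "low"


def sample_portfolio():
    """Constructed records for two hypothetical vendors (not real companies)."""
    return [
        VendorRecord(name="PayrollCo", inherent_risk=80, monitoring_score=75,
                     assessment=Assessment(score=70, performed=TODAY),      # fresh assessment
                     contract_provisions={"breach_notification_72h", "right_to_audit"}),
        VendorRecord(name="CloudDocs", inherent_risk=90, monitoring_score=60,
                     assessment=Assessment(score=95, performed=date(2023, 1, 1)),  # a year old: fully stale
                     contract_provisions={"breach_notification_72h"},
                     incidents=[Incident(reported=date(2023, 12, 2), severity=4)]),
    ]


def score_portfolio(vendors, today=TODAY):
    """Return (name, residual risk, tier) per vendor, riskiest first."""
    rows = []
    for v in vendors:
        r = residual_risk(v, today)
        rows.append((v.name, r, risk_tier(r)))
    return sorted(rows, key=lambda row: row[1], reverse=True)


if __name__ == "__main__":
    for name, score, tier in score_portfolio(sample_portfolio()):
        print(f"{name:10s} residual risk {score:5.1f}  tier {tier}")
```

In the constructed data, CloudDocs scored 95 on its questionnaire, but that assessment is a year old, so its weight is zero and the current outside-in score of 60 drives the posture; add a recent severity-4 incident and the vendor lands in the "high" tier despite the strong paper result. Re-running with the same assessment dated today drops it to the "medium" tier, which is exactly why the article argues that point-in-time assessments cannot be the sole input.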
In conclusion, third-party relationships are integral to success in a globalized business landscape, but they come with inherent risks and many compliance responsibilities. Organizations that invest in robust TPRM programs are better equipped to navigate the challenges posed by external collaborations. By combining point-in-time assessments with continuous monitoring, contract management, and vendor incident response, implementing due diligence processes, and fostering a collaborative approach, businesses can proactively manage and mitigate third-party risks, ensuring the resilience and security of their operations. As technology evolves and the business environment continues to change, the adaptability of TPRM frameworks will be crucial in safeguarding organizations against emerging threats in the dynamic world of third-party relationships.
Photo by Juamil Garcia