
How to Address Third Party Risk


Your extended risk ecosystem supports your overall goals, but as the organization evolves, the risk due to third-party partnerships typically increases. Progressive Risk teams evaluate the impact these changes exert on their risk profile, and specifically, on the third-party risk management program.

As the world becomes more interconnected through technology adoption, organizations are relying on a dramatically increasing number of third parties. Accounting and payroll, manufacturing, supply chains, HR/benefits and a variety of other third parties all have access to sensitive data, whether it’s personnel (and personal) information, research and development data, sales data, etc.

As your organization grows and changes, your third parties are also affected. Changes could be as minimal as switching benefits providers or as drastic as an entire workforce beginning to operate remotely, as we’re seeing with the COVID pandemic.

Third-Party Risk Management Explained

When developing a third-party risk management (TPRM) program, you’re classifying each third party based on the information it has access to, how it accesses that information and how it handles it. This review helps determine the risks related to the partnership. You’re also putting in place a communication strategy to manage risk effectively. Contracts should include clauses regarding audits, including their frequency. Reviews and audits should comprise an iterative process validating that the checks and controls you put in place are meeting all applicable regulations and legal obligations, such as GDPR, CCPA, HIPAA, etc.

Regardless of your risk management program’s maturity level, it’s essential to understand the changes to your risk profile when changes take place. A clear understanding of your organization’s most important information is critical to maintaining a strong risk posture, and an evaluation of your program and contracts may suggest updates to those contracts, or perhaps even to the third parties themselves.

Consider the current pandemic, for example. If you’re like a lot of organizations, many of your employees began working remotely (in some cases, up to 100%). Your third parties were, or are, navigating the same process. An operational review may make clear the value of investing in, and requiring the use of, new technologies such as multi-factor authentication (MFA), not only for your own employees but for employees of third parties connecting to your infrastructure to gather, analyze and act on data.

Risk Profile Adjustments

To help optimize your risk profile during periods of (rapid) change:

  • Evaluate the impact of change on your risk program. Understand new data flows and re-assess risk based on new operational modes.
  • Ensure you’re continuing to meet compliance requirements.
  • Readdress third-party classifications and evaluate contractual obligations.
  • Develop or update triage processes.
  • Enact auditing procedures for third parties, beginning with those that are highly classified.

All of these risks can be amplified by the complexity of vendor relationships and the difficulty of integrating them into your environment. As you add partners, networks and systems, your level of general cyber risk gets compounded. Faced with ongoing changes, third parties may or may not understand how they’re handling day-to-day information sharing and whether or not they’re meeting their obligations. It’s important to assess their ability to manage your data.

Brian Golumbeck is a practice director within Optiv’s Risk Management and Transformation Advisory Services Practice.