Identifying Third Party Risk Is Only Half the Challenge; Building Secure Ecosystems and Monitoring Risk Are the Real Task

With cybercrime and other security risks on the rise, often targeting critical infrastructure and services, it is clear these attacks will remain a threat and exploit any opportunity to collect data, encrypt systems for ransom, or otherwise surveil and steal information through third parties or other unknown vulnerabilities. Similarly, there have been other hacks in the last year which ultimately resulted from vendor failure, leading to one of the largest cyber crimes in United States history.

Organizations are on high alert, with over half of risk leaders expecting third party risk to increase this year, according to a recent PwC survey. Sixty-five percent of organizations also expect cyber and data protection risks to increase, which reinforces the need for companies to reevaluate the risk of their third party partnerships, institute continuous monitoring solutions and improve the resilience of their suppliers and systems in order to prevent compromises in their supply chains.

Identify in order to understand

Understanding third party risks starts with learning how to identify them. Organizations need to understand key cybersecurity, financial, ESG and reputational risk considerations when vetting a new partner. First, evaluate the core reason for engaging with the third party, and evaluate the current and future uses of data from either side to identify potential risks. An obvious indicator that a third party is a target for bad actors can be its concentration of market power, which makes it a more enticing mark.

To effectively mitigate risk, organizations need to consider review frequency, operations management and data monitoring. The old method of performing an initial due diligence assessment at the start of a third party relationship no longer holds. “Set it and forget it” needs to be replaced with persistent monitoring to regularly assess third party risk as threat actors evolve. From an operations perspective, the digital-first, global economy requires real-time alerts to assess operational risk for suppliers. There are countless data points that need to be monitored internally and externally to assess risk. To stay ahead of potential threats, risk management teams need to use technology that leverages AI to scan global data sources and pinpoint risk. These systems can continuously scan data for anomalies, which would be impossible for humans.

If organizations do not invest in new technologies to increase frequency of risk assessments, monitor global operations, or tackle complex data of third party relationships, they will be an easy target to manipulate.

Cyber risk in your third party ecosystem

Breaches can occur at any point in your third party ecosystem and supply chain: in software, in hardware, in transactions, or at the checkpoints where physical goods are processed. Organizations have to balance flexibility in supply chains and the ecosystem with managing third party risk. In a recent PwC survey, 35 percent of respondents said their organization has not fully addressed this balance.

Numerous factors go into how organizations build and protect their third party ecosystem. To find the balance of flexibility and security, companies need to continuously evaluate regulatory pressures, changing business needs, and events. It’s crucial to comply with updated regulations or guidance from regulators in regard to third party risk management, and what risk you might be responsible for, even though it resides in your ecosystem. In turn, these external changes, coupled with internal business process changes, can affect how organizations monitor third parties and influence their long term success.

Some of the biggest newsmaking hacks of the past few years have used third parties as the route in. This was evident in the case of a recent major attack on an IT management software company. A vendor’s weakness is your organization’s weakness. The initial hack on this one entity set off a chain reaction across multinationals, government agencies, regulators and organizations to re-evaluate third party partnerships and improve supply chain security. To prevent future events, at a small or large scale, companies need to invest in continuous monitoring solutions that will address these factors and provide specialized guidance on third party risk.

Using an always-on monitoring solution

External and internal risk factors are always evolving, which is why organizations need to use new technology tools to protect themselves from third party risks. But before making this investment, there are key questions that need to be addressed to find the right solution.

The answer to a question as simple as “What are you monitoring?”, which can range from locations and people to supply chain partners, can influence the type of program. Types of data, analytics, and measurement are also key considerations. And once a system is in place, it is equally important to understand what compliance excellence looks like for an organization. These needs will be different for every company, and compliance excellence will adjust to these needs, but success will ultimately be seen as fewer risk incidents and more trust throughout the supplier network.

Identifying and protecting against third party risk will set organizations up to be healthier and stronger partners to their vendors, stakeholders and employees. Anyone can be a great partner, but it is imperative that holding each other accountable from a security standpoint is in the equation as well.