Companies need to step up efforts to manage third-party risks

Organizations can no longer afford financial, reputational fallout from breaches


Third-party risk—the notion that a contractor or a supplier could inadvertently expose the first-party organization to a network breach—is a tangible and growing concern.

However, while many companies are aware of third-party risk, actually addressing it is not yet a high priority in the commercial sector.

It should be, especially among small and medium-size organizations that soon may have to prove their cybersecurity fitness in order to win contracts from first-party business customers.

Mike Patterson, Rook Security vice president of strategy

“In the perfect world, any company that wants to do business with you should put forth their security policy and posture to you and defend it,” says Mike Patterson, vice president of strategy at Rook Security, a managed security services provider.

A recent Ponemon Institute survey found that the majority of its 600-plus respondents considered third-party risk both serious and growing significantly within their organizations. The average cost of responding to security incidents caused by third parties was $10 million.

On the other hand, Ponemon found that only a third of those organizations had formal programs in place to manage third-party risks, and only about a quarter of them purchased cyber insurance to reduce the economic impact of third-party risks.


Meanwhile, a separate survey by Soha’s Third Party Advisory Group found that more than 60 percent of data breaches can be linked directly or indirectly to third-party access. Yet of the 200-plus respondents, only 2 percent considered that access a top IT security priority.

Security expectations grow

Security experts note that first-party organizations in a business-to-business transaction are increasingly demanding proof of robust information security practices from third-party suppliers.

That means third-party contractors, including those that supply legal, accounting and marketing services, should expect to be challenged about their information security practices going forward, Patterson says.

“Third parties should be prepared for this kind of scrutiny,” he says. “Security can be used as a way of getting more clients and revenues, not just protecting clients and revenues.”

Ignorance a factor

First-party organizations also contribute to the problem. Some 56 percent of respondents to the Ponemon survey did not know what high-value assets and intellectual property their organizations had placed in the hands of third parties.

The Ponemon poll was sponsored by Shared Assessments, a third-party risk management program of the Santa Fe Group.

Charlie Miller, Santa Fe Group senior vice president

“I think that there is a lot of information that is yet to be understood in the third-party risk space—there’s an upward learning curve in terms of what some of the threats (are) and what the impact of those threats are on the institution,” says Charlie Miller, senior vice president at the Santa Fe Group.

With awareness low, criminals are taking advantage of supply-chain weaknesses, which, Patterson notes, is not hard to do. Vendors frequently send out news releases or list their customers on their websites so “smart attackers know who the third parties are,” he says.

With outsourcing continuing to rise, the problem is going to get worse before it gets better, observes Haseeb Budhani, co-founder and CEO of Soha Systems. That is because first-party companies are not treating their contractors as a separate class of users when it comes to access, he says.

Haseeb Budhani, Soha Systems co-founder and CEO

“The risk is much higher with third parties because they don’t work for you and may not be following the same policies that you enforce for your employees,” Budhani says. “And hackers look for those types of users, like contractors, and target them to get into networks.”

Soha’s survey also found that enabling third-party access typically involves between five and 14 separate software or hardware components.

“It’s clear that the complexity involved is the biggest impediment to a good solution to a secure environment,” Budhani says.

Historically, the relationship between the first and third party was largely about contractual governance: having the right contract language to ensure a vendor would indemnify the company in the event of breach liability, says Brian Branner, executive vice president at RiskAnalytics, a cyber risk management and security company.

Vendors get harder look

Although security fitness as a contractual requirement is still at an early stage, some first-party companies are beginning to assess vendors’ ability to protect sensitive information.

“Some of the larger (companies) will even go as far as physical visits, not just asking questions on an application or assessment,” says Branner, who leads insurance carrier and brokerage negotiations.

Some business contracts now require vendors not just to carry a cyber insurance policy, but to carry one with specific provisions. Branner cautions that it is easy to buy a cyber risk policy online if the business’ revenues are under $25 million, “but it’s not going to be a good policy.”

With first-party organizations moving toward requiring specific cybersecurity provisions, third-party vendors need to be more diligent as they evaluate the available plans.

Small and medium-size businesses are also more likely to rely on cyber coverage bundled into other insurance policies, but Patterson sees the overlap between cyber policies and professional and general liability policies shrinking.

“Insurers are trying to push as much cyber as possible out of general liability umbrella into dedicated policies—but we’re a couple of years off [from figuring it out],” he says.

In the meantime, Budhani expects to see more pressure on vendors and contractors to address their security risks.

“We are moving toward an inflection point, but awareness hasn’t reached a crescendo yet,” he says. “In the next year or so, I would expect this to be a bigger problem—and then we’ll get to a point of enforcing better practices as an industry.”
