Why is cybersecurity Third-Party Risk Management so important?

In May 2021, a study conducted by the Ponemon Institute found that 51% of companies had been the victim of data breaches brought about by subcontractors. This fact not only illustrates one of the many cybersecurity challenges for companies in 2022, but also highlights the need to put the management of third-party cybersecurity risks at the top of your priorities.

Over the past years, a lot of effort has been made in cybersecurity to try to develop better ways of managing risk, and companies that have invested in Third-Party Risk Management programs have turned out to be more resilient to the COVID-19 crisis. These organizations protect themselves simultaneously against operational risk, legal risk – regarding compliance with the General Data Protection Regulation (GDPR) –, and financial risk.

Lydie Aubert

An article from

Lydie Aubert
Marketing Director
Published
March 30, 2023
Updated
March 30, 2023
Reading time
minutes
third party risk management - C-Risk

What is cybersecurity Third-Party Risk Management (TPRM) about?

As the “extended enterprise” model has been a huge success for quite some time, the necessity of managing cybersecurity third-party risks has emerged.

The cybersecurity challenges of the extended enterprise model

The extended enterprise model has been dominant since the mid-1990s, with car manufacturer Chrysler being the first to adopt it. The extended company model relies on the digitalization of its processes to propel partnerships even further. As a "lead firm”, it creates added value, while third-party companies provide the skills it lacks.

These third-party vendors interact with the lead firm through new ways of sharing digital information. The extended enterprise is characterized by this digitalized sharing of information and processes, whether that is via computer networks, software, messaging, or data exchange systems.

This broad third-party ecosystem has the advantage of creating new growth synergies. However, this ecosystem also constitutes a favorable ground for the emergence of cyber risks, as each partner represents a potential entry point for cyberattacks.

What does third-party risk mean in terms of cybersecurity?

At C-Risk, our method of risk management, vulnerability assessment, and cybersecurity control is based on the FAIR™ standard, according to which, risk is an uncertain event capable of generating an asset-related loss. That loss is characterized by its probability of occurrence. Risk thus becomes “the expected frequency and magnitude of future loss”.

Information security risks are diverse and can take different forms from one company to another, although third-party cyber risks tend to remain the same:

  • confidential data breach;
  • unavailability of services, for example in the event of a ransomware cyberattack;
  • industrial espionage;
  • Smurf attack, a type of attack exploiting the vulnerabilities of subcontractors that are less protected than the lead firm;
  • fine for lack of compliance with various regulations.

Third-party cyber risk therefore falls under operational, but also financial, reputational, legal, and regulatory risk.

The extended company enforces Third-Party Risk Management

Would you like to learn more about Cyber Risk Quantification?

Schedule a call to discuss how our CRQ Solutions can help you identify and quantify your most frequent and most costly cyber risks.

Who are the cybersecurity third parties?

In legal terms, "third party", or "third-party company", designates a legal entity external to a business relationship. Third parties can be made up of many external stakeholders:

  • suppliers
  • co-contractors and subcontractors
  • distributors
  • franchisees
  • consultants and experts
  • partners
  • clients
  • insurance companies

Obviously, the types of third parties differ from one lead firm to another. It is always necessary to go through cyber risk assessment and cybersecurity strategy reviews to identify those third parties. These are critical processes because they prevent the third-party ecosystem – whose purpose is to bring additional skills – from threatening either the activities or the reputation of the lead firm.

How does Third-Party Risk Management work in a corporate context?

Third-Party Risk Management (TPRM) involves designing and then executing a continuous preventive procedure. In cybersecurity, TPRM is, indeed, more about preventing damage than repairing it. This approach calls for management centralization and continuous monitoring of third-party network and IT processes.

The task may therefore require putting someone (risk manager or CIO) in charge of cybersecurity TPRM, and in any case, several divisions will have to cooperate:

  • the IT division, of course, has the role of paying attention to software or digital communication channels that they find to be insufficiently secure;
  • general management is expected to warn other divisions if an external partner’s change of governance may call for a reevaluation of their IT reliability;
  • the legal affairs division should scrutinize third parties’ regulatory compliance.

Third-Party Risk Management is inherent to every partnership

Third-Party Risk Management: prevention best practices

There are various methods for setting up an effective TPRM program, all of which rely on two mainstays: verification of third-party due diligence, and continuous monitoring of the risk for as long as the business partnership lasts.

C-Risk’s Third-Party Risk Analysis: the CIA model

At C-Risk, our third-party risk analysis is based on the FAIR™ Analysis method, whose process starts by determining the extent of the risk, i.e., the potential “loss event”.

You first need to determine which asset is at risk – in other words, which element of your operation would lose value or result in your civil or criminal liability if it were compromised. In such a scenario, you also need to pinpoint the threat agent, which is why you should list all the suppliers with which your structure exchanges data.

Finally, you should also estimate the consequences of that risk. According to the CIA model, those consequences can fall under three categories:

  • C (Confidentiality): direct repercussions on regulatory compliance requirements – more specifically on GDPR;
  • I (Integrity);
  • A (Availability) of the elements critical to value production.

The second step of this process is to estimate the expected frequency and magnitude of the potential financial loss. Ultimately, you should schedule a meeting with the most exposed partners of your supply chain to discuss their cyber risk mitigation strategies. Some third parties are more vulnerable than others, due to their:

  • activity – e.g., an online payment solution;
  • geographical parameters;
  • security clearance regarding access to your critical servers, information systems, and data.

What should you do if a third-party risk turns out to be remarkably high?

First and foremost, here are a few fundamental requirements:

  • know your company's regulatory framework in terms of cybersecurity and data confidentiality;
  • be prepared to conduct a cyber risk assessment of your most exposed third parties;
  • continuously monitor the risk, particularly when a third party makes a change to their regulations or in their scope of action.

In the event that a third-party risk becomes remarkably high, you should follow the 4T rule and select one or more of the following options:

  • Terminate the risk by putting an end to your business partnership;
  • Treat the risk by mitigating its consequences;
  • Transfer the risk to another third party, like an insurance company;
  • Tolerate the risk if the termination of the partnership is detrimental to your company.

FAQ : Third-Party Risk Management

Why is Third-Party Risk Management so popular?

The current interest in Third-Party Risk Management can be explained by the increase in information security and confidentiality breach events.

What are the main consequences of third-party risks?

Whether they are IT-related or not, third-party risks can have operational, reputational, legal, regulatory, and financial repercussions on the lead firm.

Why should you base your Third-Party Risk Management on analysis?

If you conduct third-party cyber risk assessments on a regular basis, you will be able to prevent behaviours that might entail IT vulnerabilities. This is also one of the best possible means of preparation for ICO inspections.

In this article
Improve decision-making with Cyber Risk Quantification

We build scalable solutions to quantify cyber risk in financial terms so organizations can make informed decisions to improve governance and resilience.

Related articles

Read more on cyber risk, ransomware attacks, regulatory compliance and cybersecurity.