What is cybersecurity Third-Party Risk Management (TPRM) about?
The "extended enterprise" model has been highly successful for some time now, and with it has come the need to manage third-party cybersecurity risk.
The cybersecurity challenges of the extended enterprise model
The extended enterprise model has been dominant since the mid-1990s, with car manufacturer Chrysler being the first to adopt it. The extended enterprise relies on the digitalisation of its processes to propel partnerships even further. As a "lead firm", it creates added value, while third-party companies provide the skills it lacks.
These third-party vendors interact with the lead firm through new ways of sharing digital information. The extended enterprise is characterised by this digitalised sharing of information and processes, whether that is via computer networks, software, messaging, or data exchange systems.
This broad third-party ecosystem has the advantage of creating new growth synergies. However, this ecosystem also constitutes a favourable ground for the emergence of cyber risks, as each partner represents a potential entry point for cyberattacks.
What does third-party risk mean in terms of cybersecurity?
At C-Risk, our method of risk management, vulnerability assessment, and cybersecurity control is based on the FAIR™ standard, according to which risk is an uncertain event capable of generating an asset-related loss. That loss is characterised by its probability of occurrence. Risk thus becomes "the expected frequency and magnitude of future loss".
Information security risks are diverse and can take different forms from one company to another, although the main third-party cyber risks tend to be the same:
- confidential data breach;
- unavailability of services, for example in the event of a ransomware cyberattack;
- industrial espionage;
- Smurf attack, a type of attack exploiting the vulnerabilities of subcontractors that are less protected than the lead firm;
- fine for lack of compliance with various regulations.
Third-party cyber risk therefore falls under operational, but also financial, reputational, legal, and regulatory risk.
Who are the cybersecurity third parties?
In legal terms, "third party", or "third-party company", designates a legal entity external to a business relationship. Third parties can be made up of many external stakeholders:
- co-contractors and subcontractors
- consultants and experts
- insurance companies
Naturally, the types of third parties differ from one lead firm to another, so identifying them always requires a cyber risk assessment and a review of the cybersecurity strategy. These are critical processes because they prevent the third-party ecosystem – whose purpose is to bring additional skills – from threatening either the activities or the reputation of the lead firm.
How does Third-Party Risk Management work in a corporate context?
Third-Party Risk Management (TPRM) involves designing and then executing a continuous preventive procedure. In cybersecurity, TPRM is, indeed, more about preventing damage than repairing it. This approach calls for management centralisation and continuous monitoring of third-party network and IT processes.
The task may therefore require putting someone (risk manager or CIO) in charge of cybersecurity TPRM, and in any case, several divisions will have to cooperate:
- the IT division, of course, flags any software or digital communication channel it finds insufficiently secure;
- general management is expected to alert the other divisions when a change in an external partner's governance calls for a reassessment of that partner's IT reliability;
- the legal affairs division should scrutinise third parties’ regulatory compliance.
Third-Party Risk Management: prevention best practices
There are various methods for setting up an effective TPRM programme, all of which rely on two mainstays: verification of third-party due diligence, and continuous monitoring of the risk for as long as the business partnership lasts.
C-Risk’s Third-Party Risk Analysis: the CIA model
At C-Risk, our third-party risk analysis is based on the FAIR™ Analysis method, whose process starts by determining the extent of the risk, i.e., the potential “loss event”.
You first need to determine which asset is at risk – in other words, which element of your operation would lose value or result in your civil or criminal liability if it were compromised. In such a scenario, you also need to pinpoint the threat agent, which is why you should list all the suppliers with which your organisation exchanges data.
Finally, you should also estimate the consequences of that risk. According to the CIA model, those consequences can fall under three categories:
- C (Confidentiality): direct repercussions on regulatory compliance requirements – more specifically on GDPR;
- I (Integrity);
- A (Availability) of the elements critical to value production.
The second step of this process is to estimate the expected frequency and magnitude of the potential financial loss. Ultimately, you should schedule a meeting with the most exposed partners of your supply chain to discuss their cyber risk mitigation strategies. Some third parties are more vulnerable than others, due to their:
- activity – e.g., an online payment solution;
- geographical parameters;
- security clearance regarding access to your critical servers, information systems, and data.
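The analysis steps above (asset, threat agent, CIA consequences, then the expected frequency and magnitude of the loss) can be carried out as a FAIR-style Monte Carlo calculation that yields an annualised loss figure per third party. The Python below is an added illustration, not C-Risk's tooling and not part of the original article: the vendor names and the min / most-likely / max estimates are constructed, triangular distributions stand in for the calibrated PERT estimates an analyst would normally use, and the loss event counts are drawn from a Poisson process at the sampled rate. The percentiles it produces are the kind of figure you would bring to the meeting with your most exposed partners.

```python
import math
import random
import statistics
from dataclasses import dataclass


@dataclass(frozen=True)
class ThirdParty:
    name: str
    cia: str          # CIA property a loss event at this vendor mainly hits: "C", "I" or "A"
    freq: tuple       # loss event frequency, events per year: (min, most likely, max)
    magnitude: tuple  # loss magnitude per event in EUR: (min, most likely, max)


# Constructed sample data: hypothetical vendors with hypothetical calibrated estimates.
VENDORS = [
    ThirdParty("payment-gateway (hypothetical)", "A", (0.5, 1.0, 2.0), (50_000, 200_000, 1_000_000)),
    ThirdParty("hr-payroll-saas (hypothetical)", "C", (0.1, 0.3, 0.8), (20_000, 100_000, 500_000)),
    ThirdParty("office-catering (hypothetical)", "I", (0.05, 0.1, 0.3), (1_000, 5_000, 20_000)),
]


def expected_annual_loss(vendor):
    """Analytic mean: E[frequency] * E[magnitude]; the mean of a triangular is (min+mode+max)/3."""
    return (sum(vendor.freq) / 3) * (sum(vendor.magnitude) / 3)


def poisson(rng, lam):
    """Number of loss events in one year at rate lam (Knuth's method, fine for small rates)."""
    limit = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def percentile(sorted_values, q):
    """Simple nearest-rank percentile on an already sorted list."""
    idx = min(len(sorted_values) - 1, int(q * len(sorted_values)))
    return sorted_values[idx]


def simulate(vendor, trials=10_000, seed=2024):
    """Monte Carlo over one year: sample a rate, draw event count, sum per-event losses."""
    rng = random.Random(seed)
    f_lo, f_mode, f_hi = vendor.freq
    m_lo, m_mode, m_hi = vendor.magnitude
    losses = []
    for _ in range(trials):
        rate = rng.triangular(f_lo, f_hi, f_mode)          # random.triangular(low, high, mode)
        events = poisson(rng, rate)
        losses.append(sum(rng.triangular(m_lo, m_hi, m_mode) for _ in range(events)))
    losses.sort()
    return {
        "name": vendor.name,
        "cia": vendor.cia,
        "mean": statistics.fmean(losses),
        "p50": percentile(losses, 0.50),
        "p90": percentile(losses, 0.90),
        "p99": percentile(losses, 0.99),
    }


def rank_third_parties(vendors, **kwargs):
    """Most exposed partners first, ordered by mean annualised loss."""
    return sorted((simulate(v, **kwargs) for v in vendors), key=lambda r: r["mean"], reverse=True)


if __name__ == "__main__":
    for r in rank_third_parties(VENDORS):
        print(f"{r['name']:<32} {r['cia']}  mean={r['mean']:>12,.0f}  "
              f"p50={r['p50']:>12,.0f}  p90={r['p90']:>12,.0f}  p99={r['p99']:>12,.0f}")
```

The ranking is by mean annualised loss, but the p90 and p99 columns matter as much: a partner with a modest mean and a very fat tail is often the one whose mitigation strategy deserves the first conversation.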
What should you do if a third-party risk turns out to be remarkably high?
First and foremost, here are a few fundamental requirements:
- know your company's regulatory framework in terms of cybersecurity and data confidentiality;
- be prepared to conduct a cyber risk assessment of your most exposed third parties;
- continuously monitor the risk, particularly when a third party changes its own rules or its scope of activity.
In the event that a third-party risk becomes remarkably high, you should follow the 4T rule and select one or more of the following options:
- Terminate the risk by putting an end to your business partnership;
- Treat the risk by mitigating its consequences;
- Transfer the risk to another third party, like an insurance company;
- Tolerate the risk if the termination of the partnership is detrimental to your company.
FAQ: Third-Party Risk Management
Why is Third-Party Risk Management so popular?
The current interest in Third-Party Risk Management can be explained by the increase in information security and confidentiality breach events.
What are the main consequences of third-party risks?
Whether they are IT-related or not, third-party risks can have operational, reputational, legal, regulatory, and financial repercussions on the lead firm.
Why should you base your Third-Party Risk Management on analysis?
If you conduct third-party cyber risk assessments on a regular basis, you will be able to prevent behaviours that might entail IT vulnerabilities. This is also one of the best possible means of preparation for ICO inspections.