In May 2021, a study conducted by the Ponemon Institute found that 51% of organisations had suffered a data breach caused by a third party. This figure illustrates one of the many cybersecurity challenges companies face in 2022, and it shows why the management of third-party cyber risk belongs at the top of your priorities.
In recent years, a great deal of effort has gone into developing better ways of managing cyber risk, and companies that had invested in Third-Party Risk Management programmes proved more resilient during the COVID-19 crisis. Such organisations protect themselves at once against operational risk, legal risk (in particular compliance with the General Data Protection Regulation, GDPR), and financial risk.
Because the "extended enterprise" model has been widely adopted for some time, the need to manage third-party cyber risk has grown with it.
The extended enterprise model has been dominant since the mid-1990s, car manufacturer Chrysler being the first to adopt it. It relies on the digitalisation of business processes to push partnerships further: the "lead firm" creates added value, while third-party companies supply the skills it lacks.
These third-party vendors interact with the lead firm through new channels for sharing digital information. The extended enterprise is characterised by this digitalised sharing of information and processes, whether over computer networks, through shared software, messaging, or data exchange systems.
This broad third-party ecosystem has the advantage of creating new growth synergies. However, this ecosystem also constitutes a favourable ground for the emergence of cyber risks, as each partner represents a potential entry point for cyberattacks.
At C-Risk, our approach to risk management, vulnerability assessment, and cybersecurity control is based on the FAIR™ standard. In FAIR, a risk is an uncertain event capable of causing a loss on an asset, and that loss is characterised both by how often it is likely to occur and by how large it is likely to be. Risk is therefore defined as "the probable frequency and probable magnitude of future loss".
Information security risks are diverse and take different forms from one company to another, but the third-party cyber risks recur across organisations:
Third-party cyber risk therefore falls under operational, but also financial, reputational, legal, and regulatory risk.
In legal terms, a "third party" or "third-party company" is a legal entity external to a contractual relationship between two other parties. Third parties can include many kinds of external stakeholders:
The types of third parties naturally differ from one lead firm to another. Identifying them requires a cyber risk assessment and a review of the cybersecurity strategy. These are critical processes, because they stop the third-party ecosystem, whose purpose is to bring in additional skills, from threatening the activities or the reputation of the lead firm.
Third-Party Risk Management (TPRM) involves designing and then executing a continuous, preventive procedure. In cybersecurity, TPRM is about preventing damage rather than repairing it. This calls for centralised management and continuous monitoring of the networks and IT processes that third parties operate or connect to.
The task may therefore require putting someone (a risk manager or the CIO) in charge of cybersecurity TPRM, and in any case several divisions will have to cooperate:
There are various methods for setting up an effective TPRM programme, all of which rely on two mainstays: verification of third-party due diligence, and continuous monitoring of the risk for as long as the business partnership lasts.
At C-Risk, our third-party risk analysis follows the FAIR™ Analysis method, which starts by scoping the risk, i.e. defining the potential "loss event".
You first need to determine which asset is at risk: which element of your operation would lose value, or expose you to civil or criminal liability, if it were compromised. For that scenario you also need to pinpoint the threat agent, which is why you should list every supplier with which your organisation exchanges data.
You then estimate the effect of the event on the asset. Following the CIA triad, that effect falls into one of three categories: loss of confidentiality, loss of integrity, or loss of availability.
The second step is to estimate the probable frequency and the probable magnitude of the resulting financial loss. You should then meet the most exposed partners in your supply chain to discuss their cyber risk mitigation strategies. Some third parties are more vulnerable than others, due to their:
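To make the two-step process concrete, here is an added worked example of a FAIR-style estimate: for each third-party loss event scenario, loss event frequency and loss magnitude are expressed as calibrated three-point estimates (minimum, most likely, maximum), sampled as PERT distributions, and combined by Monte Carlo simulation into an annualised loss exposure that can be used to rank partners. This is illustrative code written for this article, not C-Risk's own tooling or a FAIR Institute implementation, and the two scenarios and their figures are constructed for the example.

```python
"""Monte Carlo estimate of annualised loss exposure for third-party loss event
scenarios in the FAIR style (probable frequency x probable magnitude).

Illustrative example only; not C-Risk's tooling. Scenario figures below are
constructed and carry no claim about any real supplier.
"""
import math
import random
import statistics
from dataclasses import dataclass


@dataclass(frozen=True)
class Pert:
    """Calibrated three-point estimate (minimum, most likely, maximum)."""
    low: float
    mode: float
    high: float
    lam: float = 4.0  # standard PERT shape parameter

    def sample(self, rng: random.Random) -> float:
        # Modified-PERT: a Beta distribution rescaled to [low, high].
        if self.high == self.low:
            return self.low
        span = self.high - self.low
        alpha = 1 + self.lam * (self.mode - self.low) / span
        beta = 1 + self.lam * (self.high - self.mode) / span
        return self.low + rng.betavariate(alpha, beta) * span


@dataclass(frozen=True)
class Scenario:
    name: str
    loss_event_frequency: Pert  # loss events per year (FAIR: LEF)
    loss_magnitude: Pert        # financial loss per event, in euros (FAIR: LM)


def poisson(rng: random.Random, mean: float) -> int:
    """Number of events in one year given an expected rate (Knuth's method)."""
    limit = math.exp(-mean)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate_annual_loss(scenario: Scenario, years: int = 10_000, seed: int = 0) -> list[float]:
    """Simulate `years` independent years; each year draws a frequency, then a
    Poisson count of events at that rate, then one magnitude per event."""
    rng = random.Random(seed)
    losses = []
    for _ in range(years):
        rate = scenario.loss_event_frequency.sample(rng)
        n_events = poisson(rng, rate)
        losses.append(sum(scenario.loss_magnitude.sample(rng) for _ in range(n_events)))
    return losses


def summarise(losses: list[float]) -> dict[str, float]:
    """Expected annual loss plus the percentiles decision-makers usually ask for."""
    ordered = sorted(losses)

    def pct(p: float) -> float:
        return ordered[min(len(ordered) - 1, int(p * len(ordered)))]

    return {
        "expected_annual_loss": statistics.fmean(losses),
        "p50": pct(0.5),
        "p90": pct(0.9),
        "p_any_loss": sum(1 for loss in losses if loss > 0) / len(losses),
    }


def rank_scenarios(scenarios: list[Scenario], years: int = 10_000, seed: int = 0):
    """Rank third-party scenarios by expected annual loss, highest first."""
    rows = [(s.name, summarise(simulate_annual_loss(s, years, seed))) for s in scenarios]
    return sorted(rows, key=lambda row: row[1]["expected_annual_loss"], reverse=True)


# Constructed scenarios (hypothetical figures, for illustration only).
SCENARIOS = [
    Scenario(
        name="Payroll SaaS provider: breach of employee personal data",
        loss_event_frequency=Pert(0.1, 0.3, 1.0),          # events per year
        loss_magnitude=Pert(50_000, 400_000, 3_000_000),   # euros per event
    ),
    Scenario(
        name="Facilities contractor: badge-system outage",
        loss_event_frequency=Pert(0.02, 0.05, 0.2),
        loss_magnitude=Pert(5_000, 20_000, 100_000),
    ),
]

if __name__ == "__main__":
    for name, stats in rank_scenarios(SCENARIOS):
        print(f"{name}\n  EAL={stats['expected_annual_loss']:,.0f} EUR  "
              f"p50={stats['p50']:,.0f}  p90={stats['p90']:,.0f}  "
              f"P(any loss)={stats['p_any_loss']:.2f}")
```

The ranking drives the next step in the text: the partner at the top of the list is the one to meet first about mitigation. Note that the three-point estimates must come from calibrated estimators and the third party's actual control posture; the simulation only propagates uncertainty, it does not remove it.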
First and foremost, here are a few fundamental requirements:
If a third-party risk becomes unacceptably high, apply the 4T rule and select one or more of its four options: tolerate the risk, treat it (reduce it with additional controls), transfer it (contractually or through insurance), or terminate the activity or relationship that creates it.
The current interest in Third-Party Risk Management can be explained by the rise in information security incidents and confidentiality breaches.
Whether they are IT-related or not, third-party risks can have operational, reputational, legal, regulatory, and financial repercussions on the lead firm.
If you conduct third-party cyber risk assessments on a regular basis, you will be able to prevent practices that would introduce IT vulnerabilities. It is also one of the best ways to prepare for an inspection by the ICO (the UK Information Commissioner's Office).