The more business partners an extended enterprise has, the greater the need to think about third-party cybersecurity risk management.
In May 2021, a study conducted by the Ponemon Institute found that 51% of companies had already been the victims of data breaches because of their subcontractors. This fact not only illustrates one of the many cybersecurity challenges for companies in 2021 but also highlights the need to put the management of third-party cybersecurity risks at the top of your priorities.
Over the past years, a lot of effort has been made in cybersecurity to develop better ways to manage risk. Companies that have invested in Third-Party Risk Management programs have turned out to be more resilient to the COVID-19 crisis. These organisations protect themselves at the same time against operational risk, legal risk – regarding compliance with the General Data Protection Regulation (GDPR) – and financial risk.
As the “extended enterprise” model has been hugely successful for quite some time, the necessity of managing third-party cybersecurity risks has emerged.
Since the mid-1990s, the extended enterprise model has been dominant. Chrysler, the car manufacturer, was the first to adopt it. The extended enterprise model relies on the digitisation of its processes to take partnerships further. As a “lead firm”, it creates added value, while third-party companies provide the skills it lacks.
These third-party vendors interact with the lead firm through new ways of sharing digital information. Computer networks, software, messaging and data exchange systems: the extended enterprise is characterised by the digitised sharing of information and processes.
This broad third-party ecosystem has the advantage of creating new growth synergies. However, this ecosystem also constitutes a favourable ground for the emergence of cyber risks as each partner represents a potential entry point for cyberattacks.
At C-Risk, our method of risk management, vulnerability assessment and cybersecurity control is based on the FAIR™ standard, according to which, risk is an uncertain event capable of generating an asset-related loss. That loss is characterised by its probability of occurrence. Risk thus becomes “the expected frequency and magnitude of future loss”.
Information security risks are diverse and can take different forms from one company to another. However, third-party cyber risks tend to remain the same:
Third-party cyber risk therefore falls under operational, but also financial, reputational, legal and regulatory risk.
In legal terms, third party, or third-party company, designates a legal entity external to a business relationship. Third parties comprise many external stakeholders:
Obviously, the types of third parties differ from one lead firm to another. It is always necessary to go through a cyber risk assessment and a cybersecurity strategy review to identify those third parties. These are critical processes because they prevent the third-party ecosystem – whose purpose is to bring additional skills – from threatening either the activities or the reputation of the lead firm.
Third-Party Risk Management (TPRM) involves designing and then executing a continuous preventive procedure. In cybersecurity, TPRM is indeed more about preventing damage than repairing it. This approach calls for management centralisation and continuous monitoring of the third-party network and IT processes.
This task may therefore require putting someone in charge of cybersecurity TPRM. This can be the risk manager or the CIO. In any case, several divisions will have to cooperate:
There are various methods to set up an effective TPRM program. All of them rely on two mainstays: verification of third-party due diligence, and continuous monitoring of the risk for as long as the business partnership lasts.
At C-Risk, our third-party risk analysis is based on the FAIR analysis method. This method starts by determining the extent of the risk, i.e. the potential “loss event”.
You first need to determine which asset is at risk, in other words, which element of your operation would lose value or engage your liability if it happened to be compromised. Then, you also need to pinpoint the threat agent in such a scenario. This is why you should list all the suppliers your organisation exchanges data with.
Finally, you also ought to estimate the consequences of that risk. According to the CIA model, those consequences can fall under three categories:
The second step of this process is to estimate the expected frequency and magnitude of the potential financial loss. Ultimately, you should schedule a meeting with the most exposed partners of your supply chain to discuss their cyber risk mitigation strategies. Some third parties are more vulnerable than others, due to their:
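Worked example of the two FAIR steps above (define the loss event, then estimate frequency and magnitude), added here and not C-Risk's own tooling: a triangular distribution stands in for the calibrated min / most-likely / max estimates, the supplier scenario and its figures are constructed, and a Monte Carlo run is compared with the closed-form annualised loss expectancy.

```python
import math
import random
from dataclasses import dataclass

@dataclass(frozen=True)
class Estimate:  # min / most-likely / max estimate, sampled as a triangular distribution
    low: float
    mode: float
    high: float
    def mean(self) -> float:
        return (self.low + self.mode + self.high) / 3
    def sample(self, rng: random.Random) -> float:
        return rng.triangular(self.low, self.high, self.mode)

@dataclass(frozen=True)
class ThirdPartyScenario:  # one FAIR loss-event scenario: asset at risk, threat agent, two estimates
    asset: str
    threat_agent: str
    loss_event_frequency: Estimate  # events per year
    loss_magnitude: Estimate        # cost per event, in EUR

def annualized_loss_expectancy(s: ThirdPartyScenario) -> float:
    """Closed form: frequency and magnitude are independent, so E[annual loss] = E[LEF] * E[LM]."""
    return s.loss_event_frequency.mean() * s.loss_magnitude.mean()

def _poisson(rng: random.Random, lam: float) -> int:
    # Knuth's method: number of loss events occurring in one year at rate lam
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1

def simulate(s: ThirdPartyScenario, years: int = 50_000, seed: int = 1) -> dict:
    """Monte Carlo over `years` simulated years: mean, median and 90th-percentile annual loss."""
    rng, losses = random.Random(seed), []
    for _ in range(years):
        n = _poisson(rng, s.loss_event_frequency.sample(rng))
        losses.append(sum(s.loss_magnitude.sample(rng) for _ in range(n)))
    losses.sort()
    pct = lambda q: losses[int(q * (years - 1))]
    return {"mean": sum(losses) / years, "p50": pct(0.5), "p90": pct(0.9)}

# Constructed scenario (no real supplier): a payroll SaaS provider that receives employee data.
PAYROLL_VENDOR = ThirdPartyScenario(
    asset="employee personal data (GDPR-covered)",
    threat_agent="payroll SaaS provider",
    loss_event_frequency=Estimate(0.1, 0.3, 1.0),
    loss_magnitude=Estimate(20_000, 80_000, 500_000),
)
```

The median annual loss is zero (most simulated years see no breach at this supplier) while the 90th percentile is far above the mean, which is why FAIR reports a loss distribution rather than a single figure.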
First of all, here are a few fundamental requirements:
Now if a third-party risk were to become remarkably high, you should follow the 4T rule and select one or more of the following options:
The current interest in Third-Party Risk Management can be explained by the increase in information security and confidentiality breach events.
Be they IT-related or not, third-party risks can have operational, reputational, legal, regulatory and financial repercussions on the lead firm.
If you conduct third-party cyber risk assessments on a regular basis, you will be able to prevent behaviours that might introduce IT vulnerabilities. This is also one of the best possible means of preparing for ICO inspections.