Blog | 24By7Security

Third-Party Risk Management is a Continuing Challenge

Written by Sanjay Deo | May, 7 2024

No supply chain is completely secure, despite our best intentions, but there are actions you can take to strengthen security

In our hyperconnected digital world, transparency isn’t always a given. As we browse, conduct research, or shop online, we’re not always certain exactly where information is coming from and may not even be sure exactly where we are. Another foible of hyperconnectivity is the length and expanse of any given supply chain. How many suppliers contribute to the store we might be shopping in? Are we buying from a trusted source, or are we being taken to an unknown third party to procure what we need? Is every website secure, or are some more vulnerable to malware and hacking than others?

Third-party risk management (TPRM) is an issue for consumers, certainly. But it also presents a substantial challenge for businesses who rely on other businesses for goods and services. Despite our best intentions, supply chain security continues to be the Holy Grail of procurement.

The Vulnerability of the Supply Chain

Investopedia defines supply chain as a network between a company and its suppliers to produce and distribute a specific product to the final buyer. The network includes different activities, people, entities, information, and resources.

A supply chain attack occurs when a hacker or other bad actor exploits a member of your supply chain (i.e., a vendor or supplier) who you have authorized to access your networks, systems, and data in order to provide the goods or services you require.

After attacking your supplier’s network, the hacker is then able to access your organization’s digital infrastructure and steal sensitive data. Software development tools, software upgrades, specialized code embedded in hardware and firmware, and smart devices such as phones, USBs, and medical equipment can all be compromised in this manner.

Ironically, the more popular a device or software app is and the greater the number of customers using it, the more damage a supply chain attack can inflict.

As businesses large and small continue to collaborate with and outsource to each other, more suppliers than ever before now have legitimate access to their clients’ networks, systems, and data. And while you may trust your own company’s cybersecurity, what degree of visibility do you have into your various suppliers’ security programs? Have they implemented a comprehensive cybersecurity framework, such as those developed by NIST, PCI, HITRUST, or ISO, for example? How much confidence do you have in any given supplier to effectively safeguard your data as they acquire, use, and store it? Do you even have enough information to answer these questions?

The Need for Third-Party Risk Management is Widely Recognized

Recognizing the importance of securing not only regulated organizations but their supply chains as well, most security frameworks include provisions for TPRM. Many also require security risk assessments of vendors and suppliers.

One example is the Cybersecurity Maturity Model Certification (CMMC) program mandated by the U.S. Department of Defense. CMMC enforces the protection of sensitive information that is shared by the DoD with its contractors and subcontractors and ensures that they meet established cybersecurity requirements or are removed from the DoD supply chain.

Another example is the final third-party risk management guidance published in June 2023 by the Board of Governors of the Federal Reserve System, Federal Deposit Insurance Corporation, Office of the Comptroller of the Currency, and Treasury to promote consistency among regulated financial institutions in managing supply chain risk. The guidelines provide banking organizations with sound risk management principles for use in developing and implementing risk management practices across the entire life cycle of third-party relationships.

Guidelines for Third-Party Risk Management Programs

Collected from several widely adopted security frameworks, the following guidelines are a solid foundation upon which any organization can build a robust vendor risk management program.

  • Exercise due diligence in researching, selecting, and managing ongoing relationships with all members of your supply chain.
  • Ensure that contracts have clear provisions requiring third parties to meet the security responsibilities, controls, and reporting protocols you deem necessary—or that are mandated by applicable regulations. (As one example, HIPAA requires healthcare providers to maintain Business Associate Agreements with suppliers and vendors.)
  • Make sure that complete non-disclosure or confidentiality agreements have been executed with all vendors to protect your confidential data, intellectual property, and personally identifiable information of employees, customers, and other stakeholders.
  • Document procedures for data breach notification by vendors in accordance with reasonable expectations or regulations, if applicable.
  • Throughout the course of every third-party relationship, make sure that security risks are appropriately identified, measured, mitigated, monitored, and reported. This can be accomplished by revisiting vendor security programs on a regular schedule.
  • Make sure contracts include language that permits you, either directly or via qualified third party, to perform comprehensive security risk assessments that include vendor site visits if needed. Maintain service level agreements that require timely remediation of findings prioritized by level of severity or degree of risk.

In addressing the requirement for security risk assessments, some vendors may prefer to have their assessments performed by an external resource of their choosing and provide that report to you. Comprehensive security risk assessments conducted by qualified, experienced, independent assessors can effectively evaluate how well third parties are meeting the security responsibilities, controls, and reporting protocols mandated by applicable regulations or organizational policies.

The key to effective cybersecurity, both for your organization and for your supply chain, is to update security safeguards on a regular basis to keep pace with emerging threats and new regulatory requirements.

Summary

Managing security risk among vendors and suppliers presents a challenge for businesses who rely on others for goods and services—which is all businesses today. Despite our best intentions, supply chain security continues to be elusive.

Recognizing the importance of securing not only organizations but their supply chains as well, the leading security frameworks all include provisions for third-party risk management. Many require security risk assessments of vendors and suppliers. Guidelines for sound vendor risk management programs are readily available to assist organizations and their suppliers in safeguarding confidential data, intellectual property, and the personally identifiable information of employees, customers, and other stakeholders. Finally, experienced professional assistance is available to conduct security risk assessments of your vendors and suppliers.