Thursday 12th November 2020
What Do The Regulators Say About Third Party Risk?
Third party risk has long been identified as a key element of a cybersecurity strategy. According to Ponemon, as many as 56% of firms have experienced a breach caused by a third party, and the number of breaches that originate with a third party continues to rise. With varying levels of detail, the major regulators, regulations and security standards have all said something about third party risk and what needs to be done to mitigate it. The common thread across all of them is that the risk of using a supplier must be assessed, both before and during the relationship. Critical functions attract more attention, and this is where the guidance goes into more detail on monitoring suppliers and auditing them against the agreed requirements.
Often held up as the leading industry standard for security implementation, NIST gives clear guidance on managing third party risk (supply chain risk management is a category in its Cybersecurity Framework). It states that security requirements for suppliers should be determined and then formalised, ideally through the procurement process and in contracts. This process should be informed by the security department and should also factor in the requirements of regulators.
The framework of security processes for suppliers can then be assessed and implemented together with the supplier. This has the benefit of not only assessing their security environment but also building a relationship with them. Communication about the relevant risks and their remediation is important for a successful long term relationship.
NIST also stresses that, when putting a third party risk management process in place, organisations should look to improve their own security first. A robust security posture of your own puts a company in a position to request, and enforce, better security from its third parties.
The GDPR requires the data privacy risk assessment to cover third party companies that have access to personal data, and it requires controllers to use only processors that provide sufficient guarantees that the processing will meet its requirements (Article 28).
The third party requirements of the GDPR focus on how the parties process personal data rather than on specific cyber risks. Controllers (who decide how and why the data will be used) must make sure that processors (who handle the data on the controller's behalf):
- are able to comply with the GDPR, i.e. provide sufficient guarantees that their technical and organisational measures meet its requirements
- do not engage any sub-processor (a fourth party) without the controller's prior authorisation
- are bound by a written contract that covers data protection (the Article 28 processing terms).
For cyber risk, undertaking a risk assessment is not enough on its own: critical third parties must also be monitored. The GDPR does not prescribe the process for the assessment or how suppliers should be monitored, but industry practice suggests that the annual questionnaire is fast becoming obsolete. Whatever process is used, the evidence must be documented. This matters under the GDPR's accountability principle: in the event of a breach, the regulator will look for evidence of the mitigation an organisation had in place.
ISO 27001 also makes reference to third party suppliers, albeit with a more policy-focused approach (Annex A.15, supplier relationships, in the 2013 edition). It requires third party risk to be addressed in supplier agreements, which must then be managed and audited.
There should be a policy for third party suppliers setting out the information security requirements they are expected to meet. These requirements should also form part of the contractual agreement with the supplier, which may include a right-to-audit clause; this is especially important for critical suppliers. A process is needed to manage changes to the requirements: if the organisation's own security requirements are updated, the requirements placed on third parties need updating too. Monitoring suppliers at regular intervals is also a key part of ISO 27001.
The FCA recognises in its guidance that suppliers involved in different aspects of the business carry different levels of risk. This will differ between organisations, as the FCA oversees a wide range of financial services firms with different needs and different levels of criticality to the national infrastructure. A critical function is described as one whose discontinuance is likely to lead to the disruption of essential services to the real economy or to disrupt financial stability. Where suppliers are involved in critical functions, more rigour is expected in security vetting and process. The FCA has also shown it is ready to enforce its guidance and has issued fines for failures in managing third parties, such as the 2019 fine against Raphaels Bank (R. Raphael & Sons plc) for outsourcing failings.
The FCA expects risk assessment to form a critical part of outsourcing. It starts when deciding whether to outsource and should form part of the selection criteria. Where a critical function is being outsourced, it should attract more scrutiny than a non-critical function.
The firm retains overall responsibility for any outsourced function. The FCA says an appropriate senior manager should be put in charge of the outsourcing: someone able to understand and mitigate the risks associated with the relationship.
Due diligence is an essential part of the outsourcing strategy, and the FCA expects to see it documented. The relationship should be governed by clear SLAs and security provisions, monitored on an ongoing basis, with remediation provisions included in the contract.
The European Banking Authority (EBA) looks for due diligence and risk assessments by organisations over their third parties. What is most notable about the EBA's requirements is the emphasis on continual monitoring. This is an essential part of a third party strategy, because a supplier's risk profile can change over a short period of time. The EBA also expects organisations to be able to remediate the issues that monitoring turns up.
Critical suppliers are defined as those that have a bearing on an institution's risk profile or internal controls, and stricter requirements apply to outsourced functions that support critical services. Although the EBA is a European regulator, service providers based outside Europe that supply European institutions are still in scope.
The EBA's guidelines were expanded to include all organisations under its remit, whereas the older guidance covered only credit institutions. The EBA is aware that much of a financial services organisation's activity can now be outsourced, and makes it clear that the organisation must maintain control over the services it outsources and must not allow itself to become an empty "shell" that lacks substance.
The SHIELD Act (Stop Hacks and Improve Electronic Data Security Act), enacted by New York, expects organisations to use suppliers that are capable of maintaining appropriate cybersecurity practices. This can penalise smaller businesses which, while held to a lighter standard themselves, may not be able to meet the requirements of a larger customer.
Third party suppliers should be assessed and given contracts that meet the requirements of the SHIELD Act. The effectiveness of these programmes should be monitored, and the business should be able to adapt its third party risk programme as business conditions change. Data mapping is part of the "reasonable" security measures required by the act. This mapping ensures an organisation understands what data it holds and where, a crucial step in assessing which third parties should be deemed critical.
The act is quite broad in its definition of security. It requires "reasonable" security measures, which can encompass many different standards. Organisations that already comply with comparable legislation, such as HIPAA or the Gramm-Leach-Bliley Act, are deemed compliant. Small businesses are not exempt, but their safeguards need only be appropriate for their size and complexity: a business with fewer than 50 employees, less than $3 million in gross annual revenue in each of the last three fiscal years, or less than $5 million in year-end total assets qualifies as a small business.
Although passed by New York, the act, like the GDPR and CCPA, is enforceable against any organisation that holds the private information of a New York resident. Companies outside New York, or even outside the US, can therefore find themselves within scope.
The Office of the Comptroller of the Currency (OCC) potentially goes the furthest on third party risk. It makes clear that whether a function is performed internally or by a supplier makes no difference to where responsibility lies: the bank remains accountable. Third parties should be assessed and evaluated on the effectiveness of their risk and security controls. They should also be subject to ongoing monitoring, which should be documented. There should be a clear process for onboarding a new company and a clear plan for how a supplier will be terminated if it does not meet the required standard.
The OCC has also been broader in its definition of a third party. While traditionally a third party is considered to be a business within the supply chain, third parties can also be revenue generators: franchisees and joint venture partners are also in scope for the OCC.
Third party relationships bring key business benefits despite the risks associated with them. Technology, such as the solution provided by Orpheus, allows for effective and continuous supply chain monitoring. By providing remediation advice for any security risks identified, organisations can build stronger relationships with their third parties.
| Key feature | Orpheus solution |
| --- | --- |
| Assess the security of critical suppliers | A cyber risk rating is applied to every supplier based on the threats and vulnerabilities visible to an attacker. |
| Monitor the security of suppliers | Organisations are scanned regularly, so their risk level is up to date within days or hours, not annually. |
| Remediate any issues | Our platform identifies the key threats and vulnerabilities per supplier so that tailored advice can be given immediately. |
| Consider your own security posture as well as imposing conditions on third parties | With access to our platform you can see your own score, vulnerabilities and threats. The threats and vulnerabilities are scored to help you prioritise which to address first, and we can indicate which vulnerabilities are most likely to be exploited in the future. This supports vulnerability management and provides high quality threat intelligence. |
| Third party companies need to meet security standards | Subscribe to our monthly reports, which provide your cyber risk score and highlight what your customers might be seeing. |