You can’t go more than a few days or so without seeing news on the internet about a cybersecurity breach. And often times when you actually read the story you discover that the breach occurred with a vendor or third-party for the company that is impacted.
While there are many other risks that your company needs to be concerned with, there is nothing more important than ensuring you have established the necessary controls to be aware of and actively manage the risk associated with third-party vendors that you are linking systems and sharing protected customer data. Given the significance of this, here are 3 tips to improve your third-party cybersecurity program.
#1 – Assess and Update Your Third-Party (Vendor Management) Policy
With all of the rapid changes to the threats coming from the cyber landscape, it is a useful exercise to conduct an annual or bi-annual assessment of your third-party (vendor management) policy. You should review your risk assessment, due diligence, contracting, onboarding, ongoing oversight and offboarding policies ensuring your policy aligns with your Information Security Plan and all cybersecurity regulations you must adhere to.
By reviewing and updating your policies you will be better prepared to ensure compliance and mitigate these risks across the entire life-cycle of working with your third parties.
#2 – Streamline and Improve Your Due-Diligence Process
One of the important things you can work on is to implement a risk-based due diligence process. This means that you are risk rating or risk tiering all of your third parties and creating due diligence questionnaires and procedures based on each of your risk tiers. In other words, “One size doesn’t fit all.
Of course, you want to make sure your due diligence process aligns with your updated policy, regulations and your companies current risk appetite. We are beginning to recommend to all of our clients that they seriously consider adding a cyber risk monitoring tool like Cyber GRX, Risk Recon, Security Scorecard or Bitsight to augment your point in time due diligence with ongoing monitoring and alerts. This ensures you are taking a comprehensive and proactive approach to your third-party cyber security risk management.
#3 – Review and Update Your Contracts with Your Vendors and Third Parties
The last tip is to ensure you have your information security and legal stakeholders review and provide any updated language to your contracts that align with your Information Security Plan, regulations and risk appetite. It is a necessity to have clarity around protecting data and requirements in the event there is a breach.
It is also important to outline your requirements for offboarding your third parties to ensure there is legally binding agreement for how you handle data and system access upon termination of a contracted relationship.
By taking a common sense and risk-based approach to addressing your third-party cybersecurity risk management, you will help your vendors/third parties meet your requirements and mitigate this risk throughout every stage of the lifecycle of managing these very important relationships. It is critically important to have this fully addressed in your policies and ensure you have the appropriate controls and contract protections in place to mitigate this risk.
You can no longer do this on an ad hoc basis as this is definitely an area that will only pose more threats to your company in the future. Don’t fall prey to a “It won’t happen to us” mindset. Prepare, protect and hopefully prevent but in the event a breach does occur ensure your company and your third parties have the response mechanisms in place to minimize the negative impacts to your company, your customers and all of your stakeholders.
Author: Paul Schrantz
Job Title: Director of Business Development & Client Success
Organization: Vendor Centric