The recent ransomware attack on Colonial Pipeline has dramatically emphasized the need for cyber risk evaluation and management.
While many of the factors regarding this cyber-attack are still unknown, the primary realization worldwide is that organizations, not only in the United States but across the entire world, must become more proficient at managing their risk, particularly the risk brought on by their third-party suppliers. In the United States, the most important corporate infrastructures have been cyberattacked. The Colonial Pipeline ransomware attack had a domino effect on every area of the industry: from chemical factories and refinery operations to gas stations, all related corporations, small businesses and the public in general were adversely affected.
Colonial Pipeline has not been the sole target of cyber hacking. Many major corporations in the United States, from the retailer Target to the IT firm SolarWinds, have been victims of ransomware attacks. Although one may never know why these companies were targeted, such incidents make the rest of the industry question whether the controls they have in place are enough to keep them from being vulnerable and exposed.
There is a need to recognize that third-party relationships, by their very nature, present a vast array of potential risks that should be properly identified and managed before and throughout the business relationship, in order to optimize profits and minimize risk.
Implementing a Vendor Risk Management Program will help any organization establish the policies, standards and procedures by:
- Offering a framework to develop a standard for the evaluation and management of vendor and third-party operations: identifying the types of risk to protect against potential losses arising from ransomware attacks on third parties.
- Ensuring that all vendor and third-party relationships are managed in a way that complies with all relevant regulatory requirements, while determining how far our vendors will have to go to prevent and deal with cyberattacks and/or to create rapid backup systems for when critical infrastructure fails.
- Assisting vendors in calculating the residual risks discovered during the evaluation process, and monitoring and re-assessing overall risk management to achieve maximum protection while enhancing and optimizing profitability for our vendors.
While no vendor risk management program can guarantee that a business will remain free of ransomware or cyberattacks forever, the world recognizes, and generally fears, the uniquely creative tricks hackers use to violate systems. Because of this, we must become smarter in managing our vendors and in ensuring they are performing the tasks necessary to manage all of our data. With a Vendor Risk Management Program in place, where knowledgeable due diligence is performed, the controls in place are monitored on an ongoing basis, and third-party relationships are pursued with state-of-the-art technology in cyber risk assessments, we can enjoy the peace of mind of knowing that our due diligence, preparation and controls are protecting us in case something were to happen.