You can't ignore cyber-risk at your third parties

29 July, 2020

Cyberattacks and data breaches are rarely out of the news, and when they occur they have wide-ranging impacts. In response to an ever-evolving cyberthreat landscape, many Irish firms have made significant investments strengthening their cybersecurity capabilities. We've seen clients deploying new technologies, developing new capabilities, and implementing new security processes, all to increase the cyber-resilience of the organisation.

However, focusing on what's inside your organisation is only part of the challenge. Any firm's security posture is only as strong as its weakest link. And very often, the weakest link exists outside your organisation.


While it's not a new concept, more and more firms are engaging with third parties to reduce costs, enhance performance or avail of a specific skill set that they don't have. The term 'third party' can be used interchangeably with 'vendor', 'supplier', 'partner' or 'outsourced provider'. Regardless, they mean the same thing: an increased risk of cyberattacks for your organisation.

The COVID-19 crisis has only reinforced how dependent most organisations are on an interconnected ecosystem of third parties to run their business. Across all sectors, we've seen firms struggling to get visibility into the resilience of their supply chain so that they can keep the lights on. Suppliers are facing the same challenges of getting their workforce connected securely, adhering to security policies and maintaining a culture of cybersecurity awareness. All of this is against the backdrop of a heightened threat landscape, with opportunistic cyber-thieves looking to take advantage of the uncertainty created by the crisis.

Operating in an interconnected environment with third parties expands the attack surface available to cybercriminals.

You can outsource almost everything but accountability

Our Global Economic Crime and Fraud Survey 2020 highlights that one in five respondents identified vendors and suppliers as the source of their most disruptive external fraud. Half of respondents lacked a mature third-party risk management programme, and 21% had none at all. This highlights the size of the challenge faced by firms. And when a third party has an incident that impacts the security of your customers' data, or impacts your ability to deliver a service, your customers don't see the distinction. You can't outsource accountability.

To compound the matter further, all of the above is happening under pressure to reduce costs and improve efficiency, alongside increased regulatory expectations.

To navigate some of the above challenges, below are some practical steps your organisation can take to manage the risk of cyberattacks arising from engagement with third parties.

The five key actions to take now

1. Establish your operating model

Developing your operating model and framework is the foundation of effective third-party risk management. The operating model should outline the governance and reporting requirements over your third parties, how to determine the criticality of each third party, and what technology can be leveraged. For mature or regulated entities, a centralised programme likely already exists, but the security team should be active participants in it. For less mature organisations, the security team might be the driver.

2. Identify your inventory

Creating a complete and accurate inventory of your third parties is a prerequisite for effective risk management of your supply chain, including your fourth and fifth parties (also referred to as chain outsourcing).

3. Plan before you engage

Before you bring a prospective third party on board, invest time in understanding their security posture. Do they meet your minimum security expectations and standards? If not, do they have other mitigating plans or processes that will give your organisation more comfort?

Not all products or services lend themselves to outsourcing, so make sure to develop a robust planning process, where assumptions can be challenged, to ensure that outsourcing or engaging a third party is not outside the risk tolerance of the firm. Security requirements should be baked into contracts and Service Level Agreements.

4. Monitor, monitor, and then monitor some more

The most time- and resource-consuming activity is typically your ongoing monitoring and governance. The security team should be included in weekly or monthly operational meetings for critical third parties, and risk assessments should be performed at least once a year for all your third parties. Tooling and ratings services are now common on the market to support this.

5. Exit gracefully

With all the right intentions and robust processes in place, surprises still happen. Be prepared with a backup plan if services cannot be provided by a third party, or if you need to exit the arrangement with little notice.

We are here to help you

Dealing with the fallout of the COVID-19 crisis is going to change the way firms do business. We expect to see further migration towards digital transformation, and further focus on cost reduction and increased efficiency. These will likely drive increased engagement of third parties. By establishing a robust programme, you are positioning your firm to better manage the associated cybersecurity risk. We are ready to talk to you about how you can position yourself for future success. Contact us today.

Contact us

Pat Moran

Partner, PwC Ireland (Republic of)

Tel: +353 1 792 5308

Ian Trinder

Director, PwC Ireland (Republic of)

Tel: +353 1 792 5343
