Your Security Posture is Only as Strong as the Weakest Link in Your Ecosystem

Managing Third-Party Risk

  • Unprecedented Reliance

    As organizations rely increasingly on vendors to provide their most critical business applications, technology support, and operational support, these working arrangements introduce risks that many small and medium-sized businesses fail to understand or manage appropriately. If one of your vendors suffers a cyber attack, system outage, or data breach, the impact will likely fall directly on your organization.

  • No Two Vendors are the Same

    While the use of third-party vendors introduces new risks to your organization, the nature of those risks is driven by the type of service you receive from the vendor. If your vendor provides cloud services or applications, you are likely reliant on them for system availability, protection of your infrastructure, and the security of your data. If your vendor provides system development services, you are reliant on both their ability to develop secure code and their ability to handle your organization's data securely. Different types of vendors introduce different types of risk. In every case, however, risks associated with these third parties should be treated exactly as if they originated within your organization.

  • Risk Assessments

    When considering the use of a product or service provided by a third party, you should understand both the likelihood of a control breakdown at the vendor and the impact such a breakdown would have on your organization. Before signing a contract with a vendor, it is critical to understand the risks that working with the third party introduces to your organization. From there, take steps to obtain assurance that the vendor has adequate controls in place to mitigate these risks, and actively monitor each vendor's compliance with the required policies and standards.

  • Ongoing Monitoring

    Risks associated with using a third party don't cease once you've signed a contract with them. The contract you sign should require the vendor to periodically provide evidence that they are meeting key performance indicators (KPIs) and complying with the policies and standards defined within your agreement. Additionally, some vendors may be required to provide you with evidence that their controls are operating effectively, such as by sharing audit results and evidence of successful disaster recovery testing on an annual basis.

Our subject matter experts at Malcom Risk Advisors can assist you by performing the following third-party risk activities:

1) Vendor evaluation / vendor due diligence

2) Vendor risk assessments

3) Defining required contract language related to data security, data privacy, system availability, and other relevant key performance indicators (KPIs)

4) Ongoing monitoring of vendor performance and the vendor’s compliance with your contractual agreement

With the volume of third-party products and services used by organizations in today's digital world, it's extremely difficult to keep track of, let alone effectively manage, each vendor. Businesses must understand that a risk to a third-party vendor they work with is as much a risk to their own company. As the number of data breaches and cyber attacks that originate from vulnerabilities introduced by third parties continues to rise, organizations must take steps to protect themselves from the impact of a cyber attack suffered by their vendors.
