This latest research article, authored by noted GRC professional Ankit Sharma, delves into the importance of Third-Party Risk Management (TPRM) in safeguarding organizations against third-party breaches, emphasizing risk assessment, monitoring, and offboarding protocols.
In the latest report by SecurityScorecard, it was revealed that a staggering 98% of organizations maintain relationships with third parties that have experienced at least one breach. According to Gartner, the cost of a third-party breach is typically 40% higher than that of an internal breach. These alarming statistics underscore the critical risks associated with third-party engagements.
Yet, can organizations afford to operate without third-party partnerships in today's interconnected digital landscape? The answer is a resounding NO. Trust and cyber resilience must go hand in hand, necessitating a well-crafted cyber resilience strategy aligned with business objectives.
A cornerstone of such a strategy is Third-Party Risk Management (TPRM). This approach aims to mitigate, reduce, transfer, or share risks linked to third-party relationships. Here are some key components:
Risk Assessment and Due Diligence
Organizations often focus solely on information security risks, emphasizing data leakage or breaches. However, initial risk assessments and due diligence should also encompass brand reputation, business continuity, and disaster recovery. Vendors should be categorized based on the type of information shared and the associated risks.
Onboarding
During onboarding, it's essential to establish clear terms and conditions, ensuring that regulatory requirements are communicated to the vendor for overall compliance. Contracts should detail Service Level Agreements (SLAs) and explicitly outline the implications of SLA breaches. Key clauses should include confidentiality, availability (business continuity planning and disaster recovery, i.e. BCP and DR), the right to audit, compliance with standards like ISO 27001, HIPAA, and GDPR, and, crucially, data retention and deletion protocols.
Monitoring
Monitoring contractual obligations and SLAs is often a regulatory mandate for critical IT vendors, such as Payment Aggregators and Gateways. Diligently tracking SLAs ensures that vendors deliver services as agreed. Organizations should define methodologies and periodicity for audits based on vendor classification.
Offboarding
Offboarding is a critical yet frequently overlooked phase. Organizations must ensure that vendors securely delete information, providing deletion certificates as proof. Vendors should adhere to retention periods specified in contracts, archiving and encrypting data to prevent misuse.
These facets of TPRM can be further enhanced with technology and automation, creating a robust framework for managing third-party risks effectively.
By prioritizing Third-Party Risk Management, organizations can bolster their cyber resilience and maintain trust in their digital ecosystems.
*Disclaimer: DPO Club is a not-for-profit research initiative aimed at raising awareness regarding data privacy. The views expressed by the authors and reviewers are their personal opinions and do not necessarily reflect the views of their respective organizations.