According to the Opus and Ponemon 2018 report, 59 percent of companies said they had experienced a data breach caused by one of their vendors or third parties; in the U.S., the figure is higher, at 61 percent. The report also notes that many breaches go undetected: 22 percent of respondents admitted they did not know whether they had suffered a third-party data breach in the past 12 months. A third-party breach costs, on average, twice what a breach of the organization's own systems costs.
We covered Major Breaches and Bankruptcy in Part I, Part II was about the Drivers of Third-Party Risk Management (TPRM), and this Part III is about Alignment and Governance. The series covers the following topics at a high level, to give professionals enough knowledge to design a program that is commensurate with the size, nature, and objectives of their organization:
- Drivers of Risk Management
- Alignment and Governance
- Categorizing Vendors
- Analyzing Vendor Risks
- Monitoring Vendor Risks: The Vendor Management Organization
- Communicating Vendor Risks
- Optimization and Standards
Many organizations do not realize that intellectual property (IP) breaches can be a recipe for bankruptcy.
Alignment and Governance –
In Part II we discussed the Drivers of Risk Management. Part III is about Alignment and Governance. The four most important considerations for TPRM governance are:
- Alignment of customer and provider goals
- A comprehensive inventory of third parties
- Accountability for oversight and the overall management of your TPRM Program
- Clearly defined roles and responsibilities across the organization
Alignment of customer and provider goals is especially important when the provider's services directly affect the strategic objectives of the customer's business. Governing such providers requires a well-defined contract that includes a detailed list of services, roles, and responsibilities, plus specific Service Level Agreements (SLAs) or Key Performance Indicators (KPIs).
Inventory of Third Parties –
The last thing an organization wants is a breach notification call from a third party that does not appear on its vendor list. A comprehensive inventory of every third party with which the firm has a relationship is therefore a critical step in the process. Many firms find this list difficult to build; enterprise-wide surveys, combined with reconciling the third-party data held in different enterprise systems, are effective tools for assembling it. The key control over this process is a defined role with responsibility for managing the third-party life cycle from onboarding through termination.
Roles and Responsibilities –
The business owner is the term commonly used in an organization for the person who receives the third party's services. For example, if you ask IT who owns a particular application used in the organization, you will be given the name of a business owner. This role requires a deep understanding of which functions and actions the third party performs and which data the third party accesses or processes on behalf of the enterprise.
In large organizations, this role is performed by a contract manager or relationship manager whose primary responsibility is to control and manage third parties through the master service agreement (MSA). The MSA includes the requirements for cybersecurity, data privacy, data sharing, and risk management controls. The relationship manager is also responsible for approving the access and data that third parties need. In smaller organizations the role may be performed by administrators who are also tasked with procurement, accounting, granting access, and similar duties.
The other important role is the legal team, which is responsible for reviewing contracts and managing privacy obligations through those contracts.
Data Handling –
Third-party access to an organization's private data has both compliance and security implications. Organizations need to ensure compliance with applicable laws such as HIPAA, GDPR, and CCPA, and with frameworks such as HITRUST where they apply, because they remain responsible for data that third parties process on their behalf. Many organizations do not have proper data handling agreements in place with their third parties. The process has changed considerably over the last two years, and such agreements now ensure that data is transmitted under appropriate legal and privacy protections and with proper information security controls.
In Part IV we will cover the next topic “Categorizing Vendors.”