The Keys to Effective Third-party Cybersecurity Risk Management
Vendors that have access to your business’s data and IT infrastructure create additional cybersecurity risk. A Verizon data breach investigation found that 62% of system intrusion incidents originated with a partner. It’s your responsibility to ensure your third-party partners are protecting your data while it’s in their possession. That’s why organizations must design and implement an effective third-party cybersecurity risk management program.
Vendor risk management is also an important part of maintaining regulatory compliance, safeguarding the organization’s reputation, and adhering to frameworks such as NIST CSF and ISO 27001.
Here are some of the key components of an effective third-party cybersecurity risk management program:
Categorize Your Vendors
Different vendors will expose your organization to different levels of risk, so some will warrant more scrutiny than others. Create tiers to categorize vendors, such as low, medium, and high risk, or critical and non-critical. The criteria used to categorize vendors can include the sensitivity of the data they handle, how critical their services are to your operations, the volume of data involved, and the size of the financial commitment.
Vetting a Partner’s Security Posture
When a potential vendor has been identified and categorized, have them fill out a security questionnaire. Your organization can have different questionnaires for different risk categories, with the vendors deemed the highest risk being given the most thorough questionnaires. Align your questionnaire to specific requirements or controls associated with security standards such as NIST CSF, NIST 800-53, or ISO 27001.
Use questionnaires to gather information about a third party’s governance, organizational structure, security controls, and technology. The questions should include:
- Who in the organization is responsible for cybersecurity?
- How is C-suite leadership involved in cybersecurity?
- How does your business protect customer information?
- Have you experienced a cyber incident? If yes, please describe.
- Do you outsource any IT services?
- What are your security training practices?
- What are your security measures for software and hardware?
- What are your data recovery capabilities?
- Do you conduct penetration testing and vulnerability scanning?
- Is an incident response plan in place?
- How do you monitor for unauthorized access?
Ask if the vendor holds any security certifications.
Get it in Writing
When you have selected a vendor to do business with, be sure to include your cybersecurity requirements for them in the contract. Specific requirements to consider include:
- Maintaining Security Certifications: If the vendor holds a security certification like ISO 27001, SOC 2, or PCI, put in the contract that they’re required to maintain that certification. Consider requiring a copy of the report or assessment that was conducted to maintain the certification.
- Incident Notification Timeline Requirements: The SEC requires public companies to disclose material cybersecurity incidents within four days of their discovery. If a vendor experiences a data breach or other cyber incident involving your data, you must learn of it quickly enough to meet the SEC requirement. Specify a notification timeline in the contract that leaves you at least 24 hours to report the incident.
- Technology Changes: Require your vendors to notify you of any significant IT infrastructure changes they make, for example, moving services from a data center to a cloud provider.
- Termination Clauses: Your contracts should clearly state that failing to adhere to the cybersecurity requirements will result in the partnership being terminated.
Monitoring Your Third Parties
Mitigating third-party cybersecurity risk is an ongoing process. You need to monitor and assess each vendor’s security posture throughout the engagement, not just at onboarding.
Multiple platforms are available that specialize in third-party security monitoring, including Black Kite, BitSight, and SecurityScorecard. These solutions can provide vendor cyber ratings, risk identification, compliance monitoring, and more.
Consider requiring your vendors to conduct and share the results of security audits, penetration testing, and vulnerability scanning at least annually.
Include critical vendors or service providers in your annual incident response and disaster recovery tabletop exercise to facilitate collaboration and identify areas of improvement.
Watch this podcast to learn more about third-party cybersecurity risk management. A transcript of the episode is also available.
CompliancePoint has a team of experts who can help with every aspect of your cybersecurity program, including vendor monitoring. Reach out to us at connect@compliancepoint.com to learn more about our services.
Finding a credible expert with the appropriate background, expertise, and credentials can be difficult. CompliancePoint is here to help.