10 tips for managing third-party cyber risks
With data breaches on the rise, HIPAA audits by the Office for Civil Rights looming, and a changing threat landscape, healthcare organizations need to be more vigilant than ever about third-party risk, whether the third party is a business associate under HIPAA or any other vendor with access to their data.
That’s the assertion of Shared Assessments, “a cross-industry member-driven organization focused on third-party risk management,” which asked experts for advice on best practices.
Here are the 10 tips they collected:
1. Hackers are using your third parties to get to your data. Understand the risks of outsourcing functions and make sure that you’re comfortable with their privacy and security posture, in advance of executing the relationship. — Catherine A. Allen, chairman and CEO, The Santa Fe Group
2. Ensure your third parties perform sufficient background checks on their workforce. The workforce continues to be one of the largest security vulnerabilities. Are you comfortable that the third party you are contracting with has performed sufficient background checks on all members of its workforce who will have access to your sensitive data, and is requiring its subcontractors to do the same? — Adam Greene, partner, Davis Wright Tremaine LLC
3. Proactively plan for third party data compromises. Many organizations are not prepared to manage their own incidents and cyber attacks — let alone plan for third party incidents and attacks. The same due diligence that organizations apply to their own incident response plans must be applied in this critical area of managing sensitive data outsourced to third parties, including demonstrating how they are protecting the data, maintaining a mature incident response plan, testing the plan, and providing strong contractual service level agreements to report compromises back to the organization. — Rocco Grillo, managing director, Protiviti Inc.
4. Implement a holistic approach to vendor risk management. Assessing and managing vendor risk is an ongoing process at each phase of the lifecycle of the third party relationship, from onboarding to ongoing monitoring, to exit strategies. Programs should adopt an approach that brings together all of the parts of an organization that play a role in third-party risk management, to drive a holistic approach to vendor risk assurance. — Mary Kipp, president, El Paso Electric
5. Don't overlook nested relationships. Understanding how your service provider is protecting its relationships with other parties and the potential impact to your sensitive data is critical. As this dependency will only increase, organizations will need to manage these relationships intelligently, being diligent in evaluating and determining what additional parties are involved in the service provided; the level of risk involved; and how they can ensure the protection of payment card data wherever it may travel — including locations such as backup contingency for the service provider directly. — Troy Leach, CTO, PCI Security Standards Council
6. Know your vendor. This is essential for managing the risks holistically throughout the third party relationship lifecycle. One critical part of this practice is to perform a vendor risk assessment to identify, mitigate, and monitor security risks based on the organization's control objectives. Applying industry standards will enable the organization to achieve efficiency and scalability in the implementation. — Lin Lu, managing director, Deutsche Bank
7. Define a comprehensive set of security safeguards for your data. You cannot outsource your security responsibilities with regard to protecting corporate data that is critical to your mission and business success. Defining a comprehensive set of security safeguards for the protection of such data and obtaining verifiable evidence that the selected safeguards have been effectively implemented increases the level of transparency and trust between consumers and producers. — Ron Ross, NIST Fellow, National Institute of Standards and Technology
8. Don't treat all third parties with the same risk perspective. Third party risk is not created equally. Define criteria to classify your service providers by risk or criticality, and focus oversight efforts. Make sure you define and drive your third party program, leveraging tools to support your objectives versus letting a tool drive your third party risk strategy. — Linnea Solem, chief privacy officer and vice president-risk/compliance, Deluxe Corporation
9. Factor in risks. Often in offshoring and outsourcing, companies account for operational or technical risks but do not factor in location risks. Also, companies factor in and monitor operations and service risk but do not factor in and monitor people-related risks. Monitoring risks is a key capability that risk managers need to either create themselves or buy. This capability needs to be real-time to be adequate and effective. — Atul Vashistha, chairman, Neo Group
10. Detect and share information about cyber threats. With a rapidly changing cybersecurity threat landscape, it is important to influence your vendor community to actively participate in Information Sharing & Analysis Centers (ISACs) to continually detect and share information about cyber threats. The more information organizations share, the more resilient all of our IT security programs will be. — Brenda Ward, director of global information security, Aetna