December 16, 2022
Small or large, every company works with third parties to help solve business challenges within their organization. It’s likely that most departments in your company work with a third party in some manner, whether you outsource payroll, hire a marketing firm, engage with tech consultants, or work with a social media management company. Third parties are indispensable.
But with each new vendor introduced to your organization, the risk of data breaches climbs. In fact, a Ponemon Institute report noted that 63 percent of breaches are linked to a third party.
In this blog, we’ll discuss what third-party risk management (TPRM) is, why it’s important, and how it applies to data privacy.
The concept of TPRM is not complex. It refers to the ways in which a company assesses, monitors, and responds to the risks introduced by the vendors it works with across the organization.
In "The Business Case for Third Party Risk Management," the Third Party Risk Association defines risk as “the possibility of an adverse impact on an organization’s data, financials, operations, reputation, or other business objectives, as a direct or indirect result of a failure in process, resource, and/or technology.”
Another way to think about risk is as the negative impact of an event multiplied by the likelihood of that event occurring. If something is highly likely to occur but would have little impact, it may not be worth the effort to mitigate. On the other hand, if something is unlikely to occur but would be catastrophic if it did, it can be prudent to take preventative measures.
Third-party vendors introduce risks that run the gamut: insignificant and unlikely, significant and unlikely, insignificant and likely, and significant and likely. Determining when and how to manage those risks is TPRM.
Your organization’s relationships with its vendors are essential: they help control costs, improve service, and enhance the value your company brings to its customers. But without a firm understanding of your vendors and their practices, along with measures to continually monitor their security and effectiveness, your company could be at serious risk of a security incident.
In order to provide their services, third parties need access to privileged information. That alone poses a challenge, but your vendors also rely on third parties of their own, and so on down the chain. These Nth parties (your vendors’ vendors, services, applications, and IT infrastructure) pose similar risks to your organization. Yet only 15 percent of companies have an inventory of these downstream vendors.
If any single vendor lacks strong cybersecurity practices, it can create vulnerabilities in your organization, especially around how your data is handled and processed. In short, if a third-party vendor is breached, the attackers can reach whatever of your company’s data that vendor holds or can access, which is why knowing exactly what each vendor has is the starting point.
The consequences for a breach include regulatory actions, reputational damage, loss of revenue, and the potential shuttering of your business. According to data from the National Cyber Security Alliance, 60% of small businesses that suffer a cyberattack go out of business within six months of an attack.
Third-party vendor breaches are an expensive problem. More than half of survey respondents in a study said they had experienced a third-party data breach in the past two years, with an average cost of $7.5 million. The true costs, however, are likely much higher when impacts such as loss of reputation, a decrease in share value, and loss of business are factored in.
Like all data privacy and security initiatives, third-party risk management has a number of challenges. Here are some of the top challenges for companies trying to give their TPRM a boost.
The third-party landscape is rapidly evolving, and organizational leaders and IT professionals are struggling to keep up. Companies share their confidential and sensitive information with an average of 583 third parties.
Only 34 percent of businesses track third-party vendors comprehensively. A lack of centralized control was cited as one of the key reasons behind this gap, along with a lack of resources and the complexity of vendor relationships. Businesses are also struggling to detect data breaches: 22 percent of survey respondents reported that they didn’t know whether they had suffered a third-party breach in the previous 12 months.
Regulatory bodies are putting pressure on companies to manage their risks more effectively. Some are requiring organizations to have a third-party risk management program in place, yet, despite the potential for hefty fines, companies aren’t effectively managing potential risks.
A lack of formal governance, inefficient workflows, and lack of scalability all lead to companies accepting risk (even inadvertently) for short-term benefit. This is often unnecessary, as risk management tools can help companies assess, track and monitor third-party vendors.
The benefits of managing third-party risk far outweigh the challenges associated with implementing an effective risk management strategy. Here’s why.
Implementing a TPRM program helps companies understand not only their relationships with vendors, but how each of those vendors plays into the broader ecosystem. In turn, when you show your customers you take their privacy seriously, it has a ripple effect that builds trust and boosts your bottom line.
Once your vendors are identified and your organization understands its critical relationships, a properly executed TPRM program can quickly highlight redundancies, vulnerabilities, and where unnecessary risk has been taken on. Risks should be prioritized based on their overall impact to the organization.
Once you understand what potential risks your organization is exposed to, you can implement controls to protect personal information. For risk assessments to actually reduce the potential for breaches, however, they shouldn’t be “one and done.” Vendor risk management should be an ongoing activity, and ongoing monitoring is also how you demonstrate that your organization is actively working to comply with regulations and mandates.
Increasingly, organizations are being held accountable for the actions of their downstream partners. In fact, when a breach occurs and the Department of Justice evaluates whether to file criminal charges against a company, one of the key factors they look at is if a company was working to effectively monitor its vendors. Was the company actively monitoring its third-party vendors for risk, and could the incident have been avoided if they had? If the incident could have been avoided through TPRM, enforcement authorities tend to be less lenient.
Once you recognize third-party vendor risk management is an issue your organization needs to tackle head-on, you may be wondering, “what’s next?” While the answer isn’t the same for every company, there are some steps every company should take to help protect themselves and their customers’ data and privacy.
Start with a data map. Not only does data mapping make your data more accessible, it keeps that information organized and structured for more streamlined workflows. Include all data your vendors have access to, so that when the time comes you can assess and track risk appropriately, and so you can make your data privacy expectations explicit in signed agreements.
Assessing risk should be done before your company engages with a new vendor and on an ongoing basis afterward. Your framework should include tiers of risk and what is acceptable by type of risk. This also enables organizations to focus their time, energy, and resources on higher risk vendors with more in-depth assessment and monitoring.
Tiers also should take into consideration the type of information that your organization shares with the vendor: whether the information is confidential, personal, or if someone else having access would impact critical functions of your organization.
If a process is predictable and repeatable, it can be automated. Things like calculating risk scores based on certain parameters, crawling documents to seek out changes, and triggering reviews can all be handled by a third-party vendor risk management solution. We dive deeper into the factors you should consider when evaluating platforms in the next section.
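As an added example (not Osano’s code or platform logic), here is a small Python routine that puts the pieces described above together: risk as impact times likelihood, tiers keyed to the kind of data a vendor can access, and nightly change detection over a vendor’s documents that triggers a review. Every vendor, document, weight and threshold below is constructed sample data, and the weights and tier thresholds are assumptions to be tuned to your own framework.

```python
"""Added example, not Osano's code: vendor risk scoring, tiering and
document change detection. All vendors, documents, weights and thresholds
are constructed for illustration."""
import hashlib
from dataclasses import dataclass, field

# Impact weight of the most sensitive data class a vendor can access
# (assumed scale; align it with your own data classification).
DATA_IMPACT = {"public": 1, "internal": 2, "confidential": 3, "personal": 4, "critical": 5}

# Likelihood contribution of observable control gaps (assumed weights).
LIKELIHOOD_SIGNALS = {
    "no_soc2_report": 2,
    "no_mfa": 2,
    "no_breach_notification_clause": 1,
    "nth_parties_uninventoried": 1,
}


@dataclass
class Vendor:
    name: str
    data_classes: list          # data classes shared with this vendor
    control_gaps: list          # keys of LIKELIHOOD_SIGNALS observed for this vendor
    documents: dict = field(default_factory=dict)  # doc name -> current text (DPA, SOC summary, ...)


def impact(vendor):
    """Impact is driven by the most sensitive data the vendor can reach."""
    return max(DATA_IMPACT[c] for c in vendor.data_classes)


def likelihood(vendor):
    """Baseline likelihood of 1, raised by each observed control gap."""
    return 1 + sum(LIKELIHOOD_SIGNALS[g] for g in vendor.control_gaps)


def risk_score(vendor):
    """Risk = impact x likelihood, the model described in the text."""
    return impact(vendor) * likelihood(vendor)


def tier(score):
    """Map a score to a tier; thresholds are assumptions to tune to review capacity."""
    if score >= 15:
        return "high"
    if score >= 6:
        return "medium"
    return "low"


def fingerprint(text):
    """SHA-256 of a document, stored between runs so changes can be detected."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def detect_changes(previous, current):
    """Return names of documents that are new, changed or removed since the last run."""
    return sorted(n for n in set(previous) | set(current) if previous.get(n) != current.get(n))


def reviews_to_trigger(vendors, previous_fingerprints):
    """Return (vendor, reason) pairs that need a human review: any changed
    document, plus a periodic in-depth assessment for high-tier vendors."""
    triggers = []
    for v in vendors:
        current = {n: fingerprint(t) for n, t in v.documents.items()}
        changed = detect_changes(previous_fingerprints.get(v.name, {}), current)
        if changed:
            triggers.append((v.name, "documents changed: " + ", ".join(changed)))
        if tier(risk_score(v)) == "high":
            triggers.append((v.name, "high tier: periodic in-depth assessment"))
    return triggers


# Constructed sample inventory.
SAMPLE_VENDORS = [
    Vendor("payroll-co", ["personal", "confidential"], ["no_mfa"],
           {"dpa": "DPA v2: subprocessors listed, 72h breach notice"}),
    Vendor("social-mgmt", ["public", "internal"], [], {"tos": "Terms v1"}),
    Vendor("tech-consult", ["critical"], ["no_soc2_report", "nth_parties_uninventoried"],
           {"msa": "MSA v3"}),
]

# Constructed fingerprints "from last night's run": payroll-co's DPA has since been revised.
PREVIOUS_FINGERPRINTS = {
    "payroll-co": {"dpa": fingerprint("DPA v1: no subprocessor list")},
    "social-mgmt": {"tos": fingerprint("Terms v1")},
    "tech-consult": {"msa": fingerprint("MSA v3")},
}

if __name__ == "__main__":
    for v in SAMPLE_VENDORS:
        print(f"{v.name}: score={risk_score(v)} tier={tier(risk_score(v))}")
    for name, reason in reviews_to_trigger(SAMPLE_VENDORS, PREVIOUS_FINGERPRINTS):
        print(f"review {name}: {reason}")
```

With the constructed data, payroll-co scores 12 (medium) and is flagged only because its DPA text changed, social-mgmt scores 2 (low) and triggers nothing, and tech-consult scores 20 (high) and gets a periodic in-depth assessment. The point of keeping the signals as named gaps rather than a single hand-entered score is that the inputs are auditable: a reviewer can see which observation moved a vendor up a tier.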
Selecting, onboarding, and offboarding vendors are critical moments for an organization because each involves either granting access to key data or making sure that data is returned, retained, or deleted as agreed. Make sure vendors understand your practices, along with when and how to address potential risks and breaches. When your company is evaluating vendors, make sure there’s a predefined process to vet any third party you want to introduce.
It cannot be said enough that TPRM is not a one-time activity. It’s important to do your due diligence up front, and then to keep up with it after the ink on the contract has dried. That means reviewing financial statements, evaluating SOC and other audit reports, and conducting internal audits of your vendors.
Each organization’s third-party risk management needs vary based on its IT maturity and current TPRM processes. It’s important to assess several tools and how they can meet your organization’s specific needs. Below are a few questions to consider when you’re looking for an enterprise risk monitoring platform.
When it comes to privacy, Osano’s Vendor Risk Management platform can help. We make TPRM easy by identifying data practices and risk factors (taking NIST and ISO frameworks into account), calculating risk scores each night, and identifying changes that need to be reviewed by in-house privacy attorneys.
Third-party vendor risk management is complicated, but you don’t have to do it alone. We’ve reviewed the practices of more than 10,000 vendors, and we will partner with you every step of the way.
The Osano staff is a diverse team of free thinkers who enjoy working as part of a distributed team with the common goal of working to make a more transparent internet. Occasionally, the team writes under the pen name of our mascot, “Penny, the Privacy Pro.”