Managing Third-Party Risk

Jacqui Kernot, Partner, Ernst & Young

Most of the stress in our lives comes from trying to control things we don’t have control over. As individuals, there are a range of tools available to help us cope with change and deal with things that are out of our control. As organizations, however, we need to understand and find ways to manage things that are technically outside of our direct control.

We live in a highly connected world where collaboration and partnerships are an essential part of the speed and way we work today. When we engage in these types of business relationships, though, we need to share data, information and sometimes even system access with people and businesses outside of our organization. More and more, our ability to do this in a short time frame is becoming a business differentiator, but of course this brings with it several new dimensions of business risk. In this environment, third-party risk management is becoming a huge area of focus within cybersecurity. Regulatory frameworks, both locally and globally, are also catching up and insisting that third-party risk be included in control reviews and statements of compliance. So, with the pressure of speed to market and the huge potential attack surface that is opened when we share data and systems, how can financial services organizations best manage their third-party risks?

Much like individual stress, the best way to start is to control the risks we can, really effectively, and to be clear about those we can't. This will allow the business to make an informed decision about whether to support a third-party agreement. So, although it may sound somewhat counter-intuitive, the best place to start when it comes to assessing third-party risk exposure is with yourself. You should consider questions such as: do you have a comprehensive list of all third parties that take or use your organization's data? Do you understand which systems have third-party access? Do you have a good grasp of shadow IT? Once you are confident you have an accurate map of where all your data is and who has access to or uses it, the real work can then begin.

Approaches to third-party risk management

Most third-party risk is managed by sending out questionnaires asking the third parties to identify where they might have processes or systems which may create a risk. The issue with this approach is that the questionnaires are often not based on a good understanding of the risks they are trying to control, or they are either too complicated or too generic to effectively identify all areas of risk. An alternative approach – one which will save more time in the long run and help identify risk more effectively – is to interview the people requesting access first to better understand what they are trying to achieve. Armed with this information, you can then assess whether the same outcome could be achieved by limiting the data shared with the third party or by finding a way to secure the information before sharing it, for example by obfuscating data or encrypting it. Again, the idea is to start with the elements within your control – your own data and how it is shared or encrypted, in transit and at rest. The benefit of this approach is that you may identify areas where existing or tweaked data controls or processes can avoid the need for investment in new systems. Third-party questionnaires absolutely have their place, but you need to make sure the questions are relevant, unambiguous and up to date. This leads us to the second part of the process, the management of workflows in third-party risk.
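The "limit the data, then obfuscate what must still leave" step above can be written down as an enforceable sharing policy rather than a questionnaire answer. The following is an added illustration, not code from the article or from Ernst & Young: the customer record, the purpose name "marketing-analytics" and the field policy are all constructed for the example. The stated purpose (captured in the interview with the requesting team) decides which fields are shared at all; direct identifiers that the purpose still needs leave only as keyed HMAC pseudonyms, so the third party can join records but cannot recover the original identifier without a key that never leaves your organization.

```python
import hashlib
import hmac

# Constructed sample record; not real data.
CUSTOMER_RECORD = {
    "customer_id": "C-10042",
    "full_name": "Example Person",
    "email": "person@example.com",
    "date_of_birth": "1980-01-01",
    "account_balance": 1234.56,
    "postcode": "2000",
    "transactions_last_30d": 17,
}

# Hypothetical per-purpose policy, written down after interviewing the team that
# asked for the data. "share" = fields the stated purpose actually needs;
# "pseudonymise" = those of them that are direct identifiers and therefore leave
# only as keyed pseudonyms. Any field not listed under "share" is withheld.
SHARING_POLICY = {
    "marketing-analytics": {
        "share": {"customer_id", "postcode", "transactions_last_30d"},
        "pseudonymise": {"customer_id"},
    },
}


def pseudonymise(value: str, key: bytes) -> str:
    """Deterministic keyed pseudonym (HMAC-SHA256). The same value always maps to
    the same pseudonym under one key, which keeps the third party's joins working,
    while the key stays with us so the mapping cannot be reversed by them."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()


def minimise_for_sharing(record: dict, purpose: str, key: bytes):
    """Apply the sharing policy for `purpose` to one record.

    Returns (shared_record, withheld_fields) so the decision is auditable:
    what left, in what form, and what was deliberately kept back."""
    policy = SHARING_POLICY[purpose]
    shared, withheld = {}, []
    for field_name, value in record.items():
        if field_name not in policy["share"]:
            withheld.append(field_name)      # not needed for the purpose: do not share
            continue
        if field_name in policy["pseudonymise"]:
            shared[field_name] = pseudonymise(str(value), key)
        else:
            shared[field_name] = value
    return shared, sorted(withheld)


if __name__ == "__main__":
    # Constructed demo key; in practice this comes from your key management, not source.
    demo_key = b"constructed-demo-key"
    out, held_back = minimise_for_sharing(CUSTOMER_RECORD, "marketing-analytics", demo_key)
    print("shared:", out)
    print("withheld:", held_back)
```

The point of returning the withheld list alongside the shared record is that the minimisation decision becomes something you can show a reviewer or regulator: the control is on your side of the boundary, exercised before anything reaches the third party.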

Workflow management is a very important element of third-party risk. Understanding which risks are your highest, and therefore need to be addressed first, is critical. Accidentally classifying a high risk as a low one could have a disproportionate impact on your business, so it is important to carefully review your criteria to make sure you are categorising risks correctly. It's also important to understand that risk triaging isn't static. Following completion of some risk assessments, it may be found that a vendor or system initially classified as low risk has far more integration or connection to systems than initially identified and should therefore have its risk category upgraded. Managing risks in context and understanding the whole risk picture is essential to managing third-party risk as effectively as possible.
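The inventory questions from the opening (which third parties take our data, which of our systems they can reach) and the triage points above (explicit, reviewable tier criteria; re-tiering when an assessment finds more integrations than first declared) fit naturally in one small model. This is an added example, not the article's or Ernst & Young's method: the vendor names, data categories, system names and the three tier rules are all constructed for illustration, and a real programme would tune the criteria to its own regulatory context.

```python
from dataclasses import dataclass, field

# Constructed criteria; categories and systems are hypothetical.
HIGH_IMPACT_DATA = {"customer-pii", "payment-card", "credentials"}
CRITICAL_SYSTEMS = {"core-banking", "identity-provider"}
TIER_ORDER = {"high": 0, "medium": 1, "low": 2}   # work the queue from high down


@dataclass
class ThirdParty:
    name: str
    data_categories: set = field(default_factory=set)   # our data they take or use
    system_access: set = field(default_factory=set)     # our systems they can reach
    integrations: int = 0                               # live connections found so far


def classify(tp: ThirdParty) -> str:
    """Risk tier from three explicit rules, so a mis-tiered vendor can be traced
    back to the exact criterion that placed it there."""
    sensitive = bool(tp.data_categories & HIGH_IMPACT_DATA)
    if (tp.system_access & CRITICAL_SYSTEMS
            or (sensitive and tp.system_access)
            or tp.integrations >= 3):
        return "high"
    if sensitive or tp.system_access or tp.integrations >= 1:
        return "medium"
    return "low"


def record_findings(tp: ThirdParty, integrations=None, systems=None):
    """Re-triage after an assessment turns up more connectivity than declared.
    Returns (tier_before, tier_after) so upgrades are visible in the workflow."""
    before = classify(tp)
    if integrations is not None:
        tp.integrations = integrations
    if systems:
        tp.system_access |= set(systems)
    return before, classify(tp)


def triage_queue(parties) -> list:
    """Names ordered highest tier first (then by name) for the assessment backlog."""
    return [tp.name for tp in sorted(parties, key=lambda p: (TIER_ORDER[classify(p)], p.name))]


def systems_with_third_party_access(parties) -> dict:
    """Answers 'which of our systems have third-party access?' from the inventory."""
    by_system = {}
    for tp in parties:
        for system in tp.system_access:
            by_system.setdefault(system, []).append(tp.name)
    return {s: sorted(names) for s, names in sorted(by_system.items())}


def build_inventory() -> dict:
    """Constructed starting inventory, as it might look before any assessments."""
    parties = [
        ThirdParty("Analytics vendor", {"customer-pii"}),
        ThirdParty("Cloud MSP", {"credentials"}, {"identity-provider"}),
        ThirdParty("Marketing tool", {"marketing-segments"}),
        ThirdParty("Payroll SaaS", {"employee-pii"}),
    ]
    return {tp.name: tp for tp in parties}


if __name__ == "__main__":
    inventory = build_inventory()
    print("initial queue:", triage_queue(inventory.values()))
    # An assessment finds the "low" marketing tool actually has three live
    # integrations and a connection into the CRM: it must move up the queue.
    print("re-tiered:", record_findings(inventory["Marketing tool"], integrations=3, systems={"crm"}))
    print("updated queue:", triage_queue(inventory.values()))
    print("system access map:", systems_with_third_party_access(inventory.values()))
```

The useful property is that the tier is recomputed from facts about connectivity and data, never stored as a standalone label, so a vendor cannot quietly stay "low" after an assessment shows otherwise.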

Finally, the most important step is bringing it all together. It's easy to spend a great deal of money on managing third-party risk without seeing a great deal of return. Instead of just filling out questionnaires and recording the results, organizations should think about including further interviews and process reviews once they understand the full risk picture. Often, risks can be mitigated more effectively by better controlling access to data, rather than by asking the third party to manage the risk and creating a situation you don't have control over. Taking a holistic view and understanding which data and systems are connected enables you to continually lower the risks from third parties and, as a bonus, enables business agility. And having an information security or risk management team that enables business agility can ultimately make a huge difference to the success of the business.
