
Third-Party Risk in Cybersecurity: KPMG Says Management is Crucial

Working with other companies (third parties) exposes an organisation to cybersecurity risk. To understand third-party risk in cybersecurity, DataQuest interviewed Shilpa Rastogi, Director, Digital Trust, at KPMG.

Preeti Anand
Third-Party Risk in Cybersecurity

Third-party risk in cybersecurity is the security exposure an organisation inherits from the other companies it works with. It arises whenever those companies can see or use the organisation's private information or computer systems, and it can result in stolen information or harmful software entering the organisation's systems. The consequences can include loss of important information, disruption to how the organisation operates, and damage to its reputation.


This can happen to any company, but it's mainly a problem for companies that:

  • Depend on other companies to do their everyday work

  • Share secret information with other companies

  • Need other companies to provide specific things or services

In light of third-party risk in cybersecurity, DataQuest had an opportunity to interview Shilpa Rastogi, Director, Digital Trust, at KPMG. She helped us understand that third-party risk management (TPRM) allows companies to check and control the risks of working with other companies (third parties). It can be complex, but frameworks and best practices can help organisations build effective TPRM programs.


The importance of third-party cyber risk management to the overall safety record of an organisation

Shilpa Rastogi, Director, Digital Trust, at KPMG says, "Cyber attacks continue to rank in the top 10 risks enumerated by organisations. Most enterprises, therefore, are committed to safeguarding their organisations from cyber security threats". However, due to increasing cyber threats and the sophistication of attacks, 27.2 percent of CEOs globally need to prepare. One of the underlying reasons for this concern is that the attack surface is much larger due to interconnected businesses and supply chains. 87% of Fortune 1000 companies were affected by substantial cyber incidents at a third party in the past 12 months. She says you may often have heard the comment, "It's not a matter of if but when," associated with cybersecurity. So, while an enterprise may continue to monitor and improve its own cyber security posture, a lack of focus on the cyber security posture of its third parties can threaten its safety.

Here is how organisations efficiently determine the most critical third parties among hundreds of possible connections in cyber risk management


Organisations are constantly under pressure from stakeholders to optimise their resources for maximum returns. With some global organisations having an active vendor base of upwards of 10,000, the cost of compliance and risk management is exorbitant. One way in which this can be approached is by profiling your third parties based on the criticality of their services to your organisation, whether that service is subject to regulatory scrutiny, and whether the third party connects to your organisation's network, infrastructure or applications, or accesses, processes or transmits confidential information, including personally identifiable information. This profiling can help an organisation determine where to focus its third-party cyber risk management effort, often bringing the list down to up to 50% of the vendor base. Further, the third parties in this remaining population can be graded into risk levels to prioritise them and to set the level of oversight an organisation wants to keep.

DataQuest asked, "How are automation and technology used to manage cyber risks posed by third parties?"

Technology can be used as an enabler for an organisation, not only to support an efficient third-party risk management framework but also to support decision-making within an organisation. Technology can help keep your database of third-party relationships up to date and current. This can serve as a guiding principle for your organisational resources and decision-making. Some insights a vendor inventory can enable: how much effort is necessary to identify and manage those third parties; whether you are buying too little from a large vendor pool, thus not leveraging volume discounts; whether there are vendors on your list that you no longer have active contracts with; or whether you are buying large quantities from only a few vendors and are exposed to severe concentration risk. In addition to vendor inventory, technology can also support profiling based on an organisation's risk appetite, perform due diligence on third parties, identify fourth parties, assess dependencies on the supply chain, measure and reduce risk exposure, and link procurement, contracting and risk management related processes.
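The profiling criteria described above (service criticality, regulatory scrutiny, network connectivity, access to confidential data and PII) and the vendor-inventory insights just listed (vendors with no active contract, concentration risk) can be expressed as a small, repeatable scoring pass over an inventory. The following is an added illustration written for this article, not code from KPMG or from the interview; the point weights, tier thresholds, the 50% concentration cut-off and the sample vendor records are all constructed assumptions.

```python
"""Added example: profile a vendor inventory into risk tiers and surface
inventory insights. Weights, thresholds and sample data are assumptions."""
from dataclasses import dataclass


@dataclass
class Vendor:
    name: str
    service_criticality: str      # "high", "medium" or "low" (assumed scale)
    regulated_service: bool       # service subject to regulatory scrutiny
    network_connected: bool       # connects to our network/infra/applications
    handles_confidential_data: bool
    handles_pii: bool
    active_contract: bool
    annual_spend: float           # used only for the concentration check


# Assumed point weights for the profiling criteria named in the article.
CRITICALITY_POINTS = {"high": 3, "medium": 2, "low": 1}


def in_scope(v: Vendor) -> bool:
    """A vendor enters the focused TPRM population if it meets any criterion."""
    return (v.service_criticality == "high" or v.regulated_service
            or v.network_connected or v.handles_confidential_data
            or v.handles_pii)


def risk_score(v: Vendor) -> int:
    """Additive score; higher means more oversight is warranted."""
    score = CRITICALITY_POINTS[v.service_criticality]
    score += 2 if v.regulated_service else 0
    score += 2 if v.network_connected else 0
    score += 1 if v.handles_confidential_data else 0
    score += 2 if v.handles_pii else 0
    return score


def risk_tier(score: int) -> str:
    """Assumed tier thresholds: tier1 is the most critical."""
    if score >= 7:
        return "tier1"
    if score >= 4:
        return "tier2"
    return "tier3"


def profile_vendors(vendors: list[Vendor]) -> dict[str, tuple[int, str]]:
    """Return {vendor name: (score, tier)} for the in-scope population only."""
    return {v.name: (risk_score(v), risk_tier(risk_score(v)))
            for v in vendors if in_scope(v)}


def inventory_insights(vendors: list[Vendor],
                       concentration_threshold: float = 0.5) -> dict:
    """Flag vendors with no active contract and vendors whose share of total
    spend is at or above the (assumed) concentration threshold."""
    inactive = [v.name for v in vendors if not v.active_contract]
    total_spend = sum(v.annual_spend for v in vendors)
    concentrated = sorted(v.name for v in vendors
                          if total_spend and
                          v.annual_spend / total_spend >= concentration_threshold)
    return {"inactive_contracts": inactive, "concentration_risk": concentrated}


# Constructed sample inventory (not real vendors).
SAMPLE_VENDORS = [
    Vendor("CloudHostCo", "high", True, True, True, True, True, 400_000),
    Vendor("PayrollSaaS", "medium", True, False, True, True, True, 120_000),
    Vendor("OfficeSupplies", "low", False, False, False, False, True, 15_000),
    Vendor("MarketingAgency", "low", False, False, True, False, False, 30_000),
    Vendor("NetworkMSP", "high", False, True, False, False, True, 80_000),
    Vendor("CateringCo", "low", False, False, False, False, False, 5_000),
]

if __name__ == "__main__":
    for name, (score, tier) in profile_vendors(SAMPLE_VENDORS).items():
        print(f"{name:16} score={score:2} {tier}")
    print(inventory_insights(SAMPLE_VENDORS))
```

With the constructed data, four of the six vendors fall into the focused population, OfficeSupplies and CateringCo drop out, CloudHostCo and PayrollSaaS land in tier1, and the insights pass flags two vendors without active contracts and one vendor holding over half of total spend. In practice the weights and thresholds would be set from the organisation's own risk appetite, as the article notes.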


Is senior management sponsorship and commitment crucial for effective third-party cyber risk management?

Implementing any enterprise-level framework requires commitment and resources. Further, managing third-party cybersecurity risks requires collaboration across organisations' procurement, line functions, legal, finance, and risk functions. With support from Senior Management, organisations can focus on streamlining processes that require the functions above to collaborate and exchange information. With the right tone at the top, resources and tools – the Third Party Risk Management Framework can help protect businesses and optimise onboarding time, thus positively enhancing business engagement and user experience, says Shilpa.


A complete approach to third-party cyber risk management: KPMG

DataQuest asked, "How can companies provide a complete approach to third-party cyber risk management by promoting collaboration amongst risk SMEs, contract managers, vendors, and other stakeholders?"

Shilpa Rastogi, Director, Digital Trust, at KPMG says, "Most organisations fail to invest in building strategic partnerships with their third parties and view third-party risk management as a burden where tactical tasks must be completed periodically to demonstrate adherence to Board and Regulators, where applicable." Shilpa says, "In my view, third-party risk management protects consumer interests and those of organisations and their third parties." The framework can also strengthen cyber security along the supply chain, showcasing your commitment to your clients and improving your cyber security practices. Demonstrating cybersecurity practices aligned with industry-leading practices can be used as a competitive advantage to gain consumer trust in the market.
