In today's business world, IT risk plays an important role. Every business executive understands Risk and the need to balance "risk and reward" effectively; and have a good handle on risks viz., credit risk, operation risk and market risk among others. In many instances this is even strengthened by regulatory requirements. Still most business fail to measure IT Risk appropriately, some entirely fail to incorporate Third party IT risk.
In an era, where cyber-attacks are imminent, it is increasingly important for businesses to understand their IT Risk, and specifically Third Party Risk. According to a recent report by Booz Allen Hamilton, third parties were the number-one security risk to financial services firms in 2015.
Some businesses are making an effort to review their 3rd party agreements, and include cyber security requirements and annual reviews into their contracts, but is this enough?
Third party security risk management requires regular reassessments to ensure security, privacy and compliance is in order. Though most vendors prefer multi-year agreements, but risk assessments should be an annual practice. Maintain a quality IT risk assessment questionnaire to elicit responses from your third parties. As a best practice you should also reassess risk and security posture, whenever the contracts are updated or changed. A key point worthy of mention here is to pay attention to the tone of the responses, rather than just content alone. Your questionnaire should elicit responses and possibly discussions from the service provider and should not be a simple binary "Yes"/"No" checklist.
Now this could be burdensome for many organizations. In such cases, you may be able to lean on MSSPs to engage resources for this effort. Independent third party certifications like SSAE 16, SOC1 and SOC2 or ISO 27001 may be of value too. "SecurityScoreCard.com" is also a good resource. Don't forget to ask for evidence of a recent DR/BCP test, incident response test and Risk Assessment reports. Keeping track of these results and documenting them year over year, will go a long way in helping track the provider’s progress over time.
Communication processes or "who notifies who, of what, when and how" is very important. Lay down clear guidelines about data ownership, breach notifications and subpoenas, and responsibilities of either party. Understand where the hand-offs occur and who are responsible. Prefer titles to names.
Businesses are constantly changing and evolving, so should the relationship with your third parties. Third party due diligence will help maintain a healthy relationship with your third parties, and with a good understanding of security risks, your business can innovate, grow and reach its business goals.