Third-Party Risk Management: Not Really a Party!


Jason Stockinger, Director, Global Information Security at Royal Caribbean Group


Unless you’ve been hiding in a cave for the last 15 years, you have observed that we’ve been inundated with thoughts and opinions around Third-Party Risk Management (TPRM, or supply chain risk, depending on your industry). Is the effort we put into due care and diligence around TPRM really exposing real business risk and reward? If you’ve got that top tech job, do you really feel that you have all the data needed to sway business decisions in this space? Is the TPRM team making a difference?

It’s no secret that every technology vendor in the TPRM space will claim to have the silver bullet: all you need to do is sign up for their service and they will spit out a report for you. They will claim that they have more vendors, suppliers, or third parties signed up to their process than the competition, and that their proprietary solution can solve your TPRM woes. We all know that until every business adopts a standardized way of communicating this information to one another, and of protecting it from bad actors, there is no silver bullet.

Another problem is that not all due diligence is created equal. We are all familiar with auditing standards such as SSAE SOC-type audits, PCI and ISO certifications, data-privacy validations, and NIST assessments, to name a few. These reports are rarely scoped to an individual business engagement; they are meant to be a global way for companies to demonstrate compliance. They also cost companies money to perform, and TPRM teams end up either hunting for what is missing or failing to evaluate the reports against the actual business case. We end up creating our own questionnaires to ensure we get all the answers we need.

Regulators, and even the third parties you do business with, are demanding that TPRM be a requirement. This is not going away anytime soon, and it should be summarized for the Board of Directors and investors.

But does this requirement, and our compliance with it, reduce risk? Are we making a difference, or is this just a blocker to business? If you were to run scenario testing of your TPRM program against historical data breaches (such as OKTA, MOVEit, DollarTree, AT&T, LinkedIn, etc.), would you pass the test? If we were to ask the folks close to these breaches whether this is important, I’m sure we would hear a resounding “YES!!!”, as it hit them financially and temporarily hurt their reputations.

“Vendor owners want as much information going into a deal as possible and this program could be the difference in making decisions.”

Although there are hundreds of controls that third parties should put in place to ensure that breaches can’t and don’t happen, breaches are still occurring at an increasing rate. Suppliers still fail to meet SLAs and hurt business reputation and delivery models. It is important to have the right level of indemnity in your contractual language with a third party while still maintaining operational SLAs that meet the demands of your business.

There are a few questions that every C-Level should be asking of their TPRM program:

What does the TPRM universe look like? It’s hard to have a good program unless you’ve taken steps to understand which third parties are relevant to your program and how deep each relationship extends.

1. Are you looking at the third parties of your third parties (4th or Nth Parties) as well? What is relevant to your TPRM program?  

2. What is assessed in our TPRM program? If you have not scoped in the elements relevant to your relationship with each third party, can you really quantify the risk/reward?

3. Are we covered from a contractual standpoint? Sometimes the last line of defense for your business is affirmative, agreed-to contractual language that can indemnify losses. It is important to ensure liability is properly applied.

4. How and to whom is the TPRM risk/reward reported? Are third-party owners aware of the risk at the right time in the engagement? Is there more risk than reward?

In conclusion, TPRM is a requirement for any information security program. There is an argument to be made that it doesn’t materially reduce risk or even detect breaches. It can, and frequently does, create business value in the partnerships that should exist. Vendor owners want as much information going into a deal as possible, and this program could be the difference in making decisions.