Like beauty, risk is in the eye of the beholder, and business risk is no exception. While some organizations perceive risk as a potential hazard or negative consequence of uncertainty that should be avoided at all costs, others recognize that with risk come significant opportunities for innovation, sustained growth, and competitive advantage. The difference between the two has to do with the firm’s ability to identify and analyze risks and decide which risks are worth taking. A prime example of this internal tug-of-war between risk and opportunity that plays out on the corporate stage is the strategy around third-party business relationships.
By Alla Valente, Senior Research Analyst, Forrester
Firms are increasingly outsourcing core and non-core systems, business processes, and data processing to third-party service providers. With the widespread adoption of software-as-a-service (SaaS) technologies, even among industries like financial services that traditionally wanted control and autonomy, build vs. buy is less of a debate than it was just five years ago. As firms respond to changing market dynamics, global economic uncertainty, new “digital-first” competitors, and changing customer expectations, outsourcing helps firms focus on core competencies, increase innovation, reduce costs, and improve speed-to-market. It also introduces a variety of risks into the organization ranging from inconvenient (delay in delivery) to irreversible (large-scale data breach) to immeasurable (theft of intellectual property)1.
The Complexities and Consequences from Third-party Relationships Are Increasing
When we think of third-party relationships, we think of the direct supply chain of vendors, suppliers, and cloud providers. But with the digital transformation taking place in businesses across all industries, outsourced business processes now include sales, marketing, creative, social media, public relations, and others.
What adds to the complexity of the third-party ecosystem is that although companies have limited or no control over how third parties secure their technology infrastructure, their applications, or their data, they’re fully responsible for security, privacy, or regulatory missteps that occur during the relationship. As a result, companies are on the hook financially for fines, penalties, or revenue loss and risk their reputation when events lead to negative publicity, business disruption, or impact the customer experience. According to Ponemon Institute, third-party breaches account for over half of all data breaches in the U.S.2
It’s not surprising that breaches caused by third parties are among the most highly publicized. Some of the most notorious data breaches in recent times have occurred as a result of the organizations’ vendors. The 2013 Target breach, caused by stolen credentials from HVAC vendor Fazio Mechanical Equipment, continues to serve as a cautionary tale of vendor risk. In 2019, Facebook experienced a third-party app breach, the first from a digital media company, Cultura Colectiva, which exposed over 540 million records on a publicly accessible server3. In 2020, Bank of America was breached via the U.S. Small Business Administration (SBA) Platform for the Paycheck Protection Program (PPP)4.
Unfortunately, cyberattacks caused by third parties are also among the costliest. A January 2020 Ponemon Institute report indicates that 53% of organizations have experienced at least one data breach caused by a third party in the last two years, and that, on average, such a breach costs $7.5 million to remediate5.
Compliance-Based Approach Fails to Capture Strategic Value
Even as regulatory compliance requirements seem to be expanding year over year, and despite the increased complexity of firms’ third-party ecosystems, little has changed in how organizations approach third-party risk management. Why? A few reasons.
1. Risk and compliance management is considered a cost center. Cost centers like accounting, human resources, and customer service contribute to a company’s profitability indirectly by creating efficiency or enhancing product value – they are not perceived as contributing directly to revenue and are not involved in setting strategy. Despite what we know about third-party risk directly impacting revenue, customer retention, brand reputation, and company valuation, many firms still perceive risk management as a regulator-imposed check-box bureaucracy that takes time and diverts resources and budget away from revenue-generating projects. A Forrester survey reveals that security decision-makers believe risk management efforts increase costs (25%), tend to reduce performance (20%), and are misaligned with business objectives (19%)6.
2. Regulations vary by risk domain, region, and sector. Compliance terminology can be confusing. Although often used interchangeably, “regulations” and “standards” mean very different things. Regulations are mandatory requirements by federal or regulatory bodies and are enforceable by law. Standards, on the other hand, are guidelines or protocols that are meant to ensure consistency, quality, or safety. For context, HIPAA is a healthcare regulation that protects the privacy and confidentiality of personal health information (PHI) even when a breach occurs because of a third-party relationship. HIPAA penalties are enforced by the U.S. HHS’ Office of Civil Rights.
On the other hand, PCI is a data security standard for organizations that handle major credit cards such as Visa, American Express, and Mastercard. These organizations aren’t forced to implement PCI’s recommended policies, procedures, and controls. However, if they wish to continue to offer this payment option to their customers, they will follow the guidance.
Currently, there are no global standards for third-party risk management that address all risk domains. Instead, companies are bound by a combination of requirements and standards that are based on industry (financial services, healthcare, medical devices, energy), risk domain (privacy, financial fraud, geopolitical sanctions, health, and safety), and others. This lack of consistency results in a disparity across the maturity and effectiveness of third-party risk management programs. Mature programs have made a concerted effort to centralize risk management so that an approved pool of third parties exists for the entire organization. They put in the energy to make their program more robust and proactive. Others will take a reactive approach with inconsistent or insufficient evaluation or treat compliance as an exercise to acquire signatures on contracts that legally obligate the third party to adhere to security and privacy practices.
3. Compliance focuses on non-strategic value. Without added value, risk and compliance activity is a utility: a necessary process, but not essential to the value creation of the business. The real problem is not the value of compliance but the lack of value in legal compliance tasks. A study in the Harvard Business Review reveals that auditors spent only 6% of their time analyzing strategic risks, even though the likelihood that a strategic business risk failure would lead to significant losses in market value was 86%. Instead, organizations spent 94% of their time on operational, financial, legal, and compliance risks that collectively represent only 14% of value loss for the organization7. Risk and compliance are resource-intensive processes, yet most organizations lack confidence that their efforts are highly effective. In contrast, some firms are overconfident in their ability to manage risks. Often, these firms have the technology but lack the ability to contextualize or operationalize risk analysis in business decisions or strategy. These two extremes gravitate toward being either over-exposed or over-insured.
Risk Mitigation Strategies to Consider
Strategy #1: Understand who your third parties are and inventory all relationships, regardless of criticality or size of the engagement. Update your firm’s nomenclature beyond traditional vendors and suppliers to also include subcontractors, data processors, service providers, resellers, affiliates, and non-traditional third-party relationships that meet the following criteria: i. Access or connect directly to your network; ii. Transmit, store, or process data that’s considered identifiable; and/or iii. Have access to sensitive, financial, IP, or otherwise proprietary data. Next, create an inventory of all third-party relationships. It’s critical that you track which of your third parties have access to sensitive or identifiable information and whether any of your third parties are sharing your data with their own third parties (your fourth parties). Currently, 65% of organizations don’t inventory third parties or are unsure whether their company does8. Because of the COVID-19 pandemic, we are witnessing the damage created by not accounting for third-party risks, through the disruption and systemic breakdown of most global supply chains.
Strategy #2: Manage risk throughout the lifecycle of the relationship. While there are no universally acknowledged guidelines for managing third-party risk, the Office of the Comptroller of the Currency (OCC), the body that regulates and supervises national banks, federal institutions, and agencies of foreign banks in the U.S., released a bulletin with “guidelines” for effective third-party risk management practices that has been adopted as a best practice even by firms outside the OCC’s regulatory authority9. The term “guideline” is a misnomer, because the OCC has the power and authority to enforce and penalize those banks that don’t comply. OCC Bulletin 2013-29, and later updates, recommend that risk management activities be performed throughout the lifecycle of the relationship / contractual period, which includes: i. Planning; ii. Due diligence and third-party selection; iii. Contract management; iv. Ongoing monitoring; and v. Termination. What’s notable is the notion that each stage of the relationship introduces new and different types of risk, and that third parties are not static: their risk profile can change over time.
For many, risk evaluation is a process that commences at the onset of the relationship but is rarely reviewed thereafter. As with any corporate entity, the risk level of a third-party organization is a dynamic reflection of global policy, financial markets, and the sophistication of external adversaries and insider threats. For firms to maintain oversight and identify potential risks in time to mitigate them, it is critical that they have in place a robust third-party risk management program and process that encompasses all aspects of risk and the many lifecycle stages that a third-party relationship will transition through.
Strategy #3: Technology without process won’t make you compliant, but a process without automation can’t scale. As organizations grow, their third-party network becomes more complex, disparate, and global, and third-party risk management must become more mature and proactive. Third-party risk platform technology provides the automation and efficiency to support the additional risk identification, assessment, and analysis required for risk management and compliance. Even as many organizations today focus their third-party risk efforts on streamlining due diligence and improving the efficiency of onboarding, the changing regulatory landscape and new and emerging risks will require them to continuously monitor and, if necessary, reassess the risks at different points throughout the relationship.
This story first appeared in the November 2020 issue of CISO MAG.
1 and 10 – Forrester, “Now Tech: Third-Party Risk Management Technology, Q3 2020”
2 – Ponemon Institute, LLC, “Cost of Third-Party Cybersecurity Risk Management”
6 – Forrester, “Business Technographics Global Security Survey, 2019”
8 – Ponemon Institute, LLC, “Data Risk in the Third-Party Ecosystem, Second Annual Study”
About the Author
Alla Valente is a Senior Research Analyst at Forrester, serving security and risk professionals. She covers governance, risk, and compliance (GRC) strategy, best practices, and technology, with a special focus on third-party risk management, procurement, and supplier risk management, and enterprise and cybersecurity risk management frameworks such as ISO 31000, ISO 27000, and NIST Cybersecurity Framework (CSF). She also assists with coverage of key regulatory compliance issues and technology; risk management, ethics, and trust in digital transformation; and achieving operational resilience.
Valente’s 20 years of B2B marketing experience includes marketing leadership and strategy, product marketing, and digital and customer marketing at privately held and publicly traded firms. Her risk management experience comes from marketing and customer advocate roles at RapidRatings, Rsam (now Galvanize), and BPS (now Resolver), where she helped launch and market successful software-as-a-service offerings and optimized the marketing mix to increase sales. She oversaw all aspects of brand development and rebrand, messaging, go-to-market activities, digital marketing, lead generation, and marketing communications. In these roles, she also ran key customer initiatives including communities, events, advisory boards, and value-add programs.
Valente holds a BA in English from Hofstra University and is currently studying business analytics at Harvard.
Views expressed in this article are personal. The facts, opinions, and language in the article do not reflect the views of CISO MAG and CISO MAG does not assume any responsibility or liability for the same.