A continuous monitoring cybersecurity strategy for third-party risk management (TPRM) goes a long way toward proactively identifying vulnerabilities posed by external sources. At Compliance Week’s virtual Cyber Risk & Data Privacy Summit on Wednesday, a panel of cybersecurity experts shared leading practices.
Rudy Patel, head of TPRM at financial services firm Mizuho Americas, said any outsourcing of operations, application development, or any other services brings with it third-party risk and raises many questions.
“How do we know the third party’s environment is secure? How do you get comfort the information you entrusted to that third party is secure? How do you know its security program hasn’t lapsed from the time you’ve done an assessment to present?” Patel asked.
Moreover, “Cybersecurity has a tendency of cascading and triggering other risks,” said Nasser Fattah, senior advisor at Shared Assessments, a member-driven consortium that delivers secure and resilient third-party partnerships. A ransomware attack, for example, can create an enterprise-wide system outage, which can then interfere with business continuity.
Such concerns speak to the importance of a cybersecurity monitoring strategy.
“A cybersecurity monitoring strategy is critical to identifying precursors to an attack,” said Brian Peister, cyber and IT TPRM global officer at U.S. bank BNY Mellon. Continuous monitoring “keeps your vendors honest about keeping their performance honest against contractual obligations and service-level agreements,” he said.
A TPRM continuous monitoring cybersecurity strategy shifts the conversation about third-party risk from a reactive approach to a proactive one, Peister added. It also helps in prioritizing resources and vendor due diligence efforts.
Third-party contracts: One leading practice is to “embed cybersecurity requirements into your contractual obligations, which forces the contractor to be compliant with any service-level agreements,” Peister said. He recommended baking cybersecurity requirements into the entire vendor lifecycle, “from precontract negotiations through when offboarding the vendor.” Failing to do so leaves the vendor with no obligation to mitigate a vulnerability, “and then your organization is at risk,” he said.
Patel added to that point: “My stance has been that, as long as the third party has my data, I want to make sure it’s protected. Unless the exit is thought through precontract, or during the contract, it becomes nearly impossible to perform those assessments.”
Where many companies are migrating to cloud environments, embedding cybersecurity requirements into exit contracts is especially important as it applies to data destruction, Peister said. In the exit contract, make clear to the vendor that you will retain all data and that any data stored in a cloud environment will be destroyed based on National Institute of Standards and Technology (NIST) guidelines, for example.
“We will actually get proof of that,” Peister said of BNY Mellon’s practices. “We will get a screenshot of the data destruction from the vendor.”
While right-to-audit clauses are common, notification clauses in the event of a security vulnerability are not. Yet, it’s good practice to put into a contract that the organization be immediately notified in the event of a cyber incident, Fattah said, in which the third party must confirm, “‘Yes, we were inflicted,’ or ‘No, we were not inflicted.’”
Technology adoption: Commercially available monitoring software shows only the externally facing part of a third party’s security posture, but that view can still be helpful when conducting periodic risk assessments and reassessments, Patel said.
For example, if such a tool identifies a patching vulnerability, the assessment or reassessment can focus on that finding. The software also gives insight into how the third party’s security program is evolving over time, Patel said, and can aid in monitoring the security posture of fourth and fifth parties.
“Most of these practices are for an advanced third-party risk management program,” Peister said. “It’s a long journey. It could take a big organization up to three to five years to implement these practices.”
Threat intelligence: A final consideration toward implementing a robust TPRM continuous monitoring cybersecurity strategy, and one that can help ease the journey, is to utilize cyber threat intelligence. For example, Fattah said, suppose the organization notices one of its vendors keeps popping up in dark web or deep web conversations about ransomware led by a notorious ransomware criminal organization. What might the organization garner from that threat intelligence?
“Bad actors will take advantage of anything they can to get into your network,” Fattah said. So, it behooves the organization to also try to understand what that threat intelligence is telling them in terms of potential cybersecurity risks a vendor might pose and how to have conversations with that supplier, he said.
“Lastly, take advantage of open-source intelligence,” Fattah added. “There is good information out there, why not take advantage of it?”