SEI Investments, Maine State Police and Atrium Health do not have a lot in common, but one thing they do share is that this summer, all three suffered a cyberattack due to a breach of a third party. Additionally, all three must meet different compliance requirements (SEC, Criminal Justice Information Services (CJIS), and the Health Insurance Portability and Accountability Act (HIPAA), respectively) that include aspects of third-party cyber risk management. Third-party cyber security is becoming increasingly important to regulators as more and more breaches are linked to the expansion of the digital supply chain. However, it remains one of the lowest areas of maturity, as seen in the hundreds of assessments performed with Kroll CyberClarity360: of about 300 firms assessed, fewer than 30% had a mature program.
Why is it that an area that has been linked to so many breaches continues to be an area of struggle? First, third-party cyber risk management is challenging both organizationally and technically. On the organizational level, the primary organization usually cannot force changes with its third party, and internal stakeholders may limit the amount of pressure that is placed on third parties for cyber-specific reasons. Technologically, how an organization collects, validates and analyzes information is also limited as resources are prioritized for internal cyber security efforts. Many organizations still use spreadsheet-based questionnaires, and few have either the tools or personnel in place to properly review them. Yet, regulators continue to push entities to consider third parties’ cyber security posture as seriously as they consider their own. So, how can organizations quickly and objectively increase their insight into their vendor ecosystem?
The most discrete method is to leverage what are called “outside-in” or “cyber risk rating” tools and data sets. This view is focused on how the entity appears, as the name suggests, from the outside. These services pull data from publicly accessible areas of the internet, such as the entity’s public-facing websites, its domain registration records, and databases of compromised and exposed records. Some of the more comprehensive ones offer comparisons to others in the same industry sector for benchmarking. By utilizing this type of data, you can have an objective, discrete and external view of an entity’s cyber risk exposure potential. To analogize to a less technical process, think of what an assessor reviews for a homeowner considering refinancing. By looking at the publicly listed information on the home and the land survey, and comparing it to recently sold homes, they can arrive at an accurate assessed value for the house. Like the property assessment, the information isn’t 100% accurate and misses other factors, such as internal upgrades or features, that may drive the actual value higher or lower. This type of review is an excellent starting point for all third parties, as it gives you a consistent baseline and a real sense of the overall cyber risk exposure.
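To make the outside-in idea concrete, here is an added example (not Kroll's tooling and not code from this article) of a small scorer that works only from observations a rating service could gather without the vendor's participation: DNS TXT records (SPF and DMARC), public HTTP response headers, the TLS certificate expiry date, and a count of exposed credential records. The `Observation` structure, the point weights, the two vendor records and the peer scores used for sector benchmarking are all constructed for illustration; real rating services use far more signals and their own weighting.

```python
"""Toy outside-in cyber hygiene scorer (constructed example, not a vendor product)."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Tuple


@dataclass
class Observation:
    """Public signals for one domain. Field names are this example's own."""
    domain: str
    txt_records: Dict[str, List[str]]   # DNS name -> TXT strings observed
    http_headers: Dict[str, str]        # headers returned by the public website
    cert_not_after: date                # expiry of the site's TLS certificate
    exposed_accounts: int               # credential records for @domain seen in breach data


def check_email_auth(obs: Observation) -> Tuple[int, List[str]]:
    """SPF and DMARC: weak or missing records make spoofing the vendor easier."""
    points, findings = 0, []
    spf = [r for r in obs.txt_records.get(obs.domain, []) if r.startswith("v=spf1")]
    if not spf:
        findings.append("no SPF record")
    elif spf[0].rstrip().endswith("+all"):
        findings.append("SPF permits any sender (+all)")
        points += 5
    else:
        points += 15
    dmarc_name = f"_dmarc.{obs.domain}"
    dmarc = [r for r in obs.txt_records.get(dmarc_name, []) if r.startswith("v=DMARC1")]
    if not dmarc:
        findings.append("no DMARC record")
    else:
        tags = dict(t.strip().split("=", 1) for t in dmarc[0].split(";") if "=" in t)
        if tags.get("p", "none") in ("reject", "quarantine"):
            points += 15
        else:
            points += 5
            findings.append("DMARC policy is p=none (monitor only)")
    return points, findings


def check_web(obs: Observation) -> Tuple[int, List[str]]:
    """Presence of basic browser-facing hardening headers."""
    headers = {k.lower() for k in obs.http_headers}
    points, findings = 0, []
    if "strict-transport-security" in headers:
        points += 15
    else:
        findings.append("no HSTS header")
    if "content-security-policy" in headers:
        points += 10
    else:
        findings.append("no Content-Security-Policy header")
    return points, findings


def check_certificate(obs: Observation, today: date) -> Tuple[int, List[str]]:
    """Expired or soon-to-expire certificates suggest weak operational hygiene."""
    days_left = (obs.cert_not_after - today).days
    if days_left < 0:
        return 0, [f"TLS certificate expired {-days_left} days ago"]
    if days_left < 30:
        return 10, [f"TLS certificate expires in {days_left} days"]
    return 20, []


def check_exposure(obs: Observation) -> Tuple[int, List[str]]:
    """Exposed credentials are the 'at-risk identities' an attacker would try first."""
    n = obs.exposed_accounts
    if n == 0:
        return 25, []
    return (15 if n <= 10 else 0), [f"{n} exposed credential records"]


def score(obs: Observation, today: date) -> Tuple[int, List[str]]:
    """Sum the checks (max 100) and collect the human-readable findings."""
    total, findings = 0, []
    for pts, notes in (check_email_auth(obs), check_web(obs),
                       check_certificate(obs, today), check_exposure(obs)):
        total += pts
        findings.extend(notes)
    return total, findings


def sector_percentile(entity_score: int, peer_scores: List[int]) -> int:
    """Share (0..100) of sector peers scoring strictly below this entity."""
    below = sum(1 for s in peer_scores if s < entity_score)
    return round(100 * below / len(peer_scores))


# Constructed sample data: a well-run vendor and a poorly-run one, same sector.
TODAY = date(2020, 9, 1)  # fixed so the example is reproducible
VENDOR_A = Observation(
    domain="vendor-a.example",
    txt_records={"vendor-a.example": ["v=spf1 include:_spf.mail.example -all"],
                 "_dmarc.vendor-a.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@vendor-a.example"]},
    http_headers={"Strict-Transport-Security": "max-age=63072000; includeSubDomains",
                  "Content-Security-Policy": "default-src 'self'"},
    cert_not_after=date(2021, 3, 1), exposed_accounts=0)
VENDOR_B = Observation(
    domain="vendor-b.example",
    txt_records={"vendor-b.example": ["v=spf1 mx +all"]},  # no DMARC record published
    http_headers={"Server": "Apache"},
    cert_not_after=date(2020, 9, 15), exposed_accounts=42)
SECTOR_PEERS = [38, 52, 61, 67, 74, 80, 88]  # constructed scores of other vendors in the sector

if __name__ == "__main__":
    for vendor in (VENDOR_A, VENDOR_B):
        total, findings = score(vendor, TODAY)
        print(f"{vendor.domain}: {total}/100, sector percentile {sector_percentile(total, SECTOR_PEERS)}")
        for f in findings:
            print(f"  - {f}")
```

The point of the peer list is the benchmarking the paragraph mentions: a score of 70 is only meaningful once you know it sits above four of seven sector peers. The findings list is what turns the number into a conversation with the vendor, and, as the house-assessment analogy warns, a perfect score here says nothing about internal controls the public view cannot see.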
How does this help meet compliance requirements? First and foremost, nearly all compliance standards and laws that focus on cyber security are built around the concept of “reasonableness,” which is still mostly undefined but has generally been seen as “What would be a reasonable approach to cyber risk for an organization like this?” For some organizations, outside-in data could be sufficient for them to meet their regulatory burden and show a level of due diligence that the information they are sharing is going into the right hands. For other organizations, especially larger ones, this could be seen as a reasonable first step to organize and prioritize their third-party cyber risk management program.
Second, some compliance requirements explicitly call for continually reviewing or monitoring third-party cyber risk, a requirement that outside-in tools make significantly easier to satisfy. SEC guidance calls for “continuous oversight, and monitoring must be done to ensure the vendor is upholding its end of the contract and to identify any changes that may affect the initial risk rating.” The Office of the Comptroller of the Currency states, “Ongoing monitoring for the duration of the third-party relationship is an essential component of the bank’s risk management process.” This ongoing requirement is new for cyber risk. Still, it has previously been a part of other fraud and due diligence compliance efforts, so there is a history of this level of focus, and one can reasonably expect other compliance regimes to require it.
Finally, privacy regulations have also made it clear that the requirement to protect information does not stop at the enterprise's doors but extends to the third parties that also handle protected information. The GDPR states, “Where processing is to be carried out on behalf of a controller, the controller shall use only processors providing sufficient guarantees to implement appropriate technical and organizational measures in such a manner that processing will meet the requirements of this regulation and ensure the protection of the rights of the data subject.” This means that the original organization is only as compliant as its third parties. An organization that leverages outside-in tools is better positioned to understand whether there are potential weaknesses or risks in its vendor ecosystem.
Third-party cyber risk management for many organizations may be a challenge, but it is one that they must confront, either to meet regulations or to avoid being on the next round of headlines for data breaches.
However, there are tools that can help an organization start or significantly augment a program leveraging outside-in data, and Kroll CyberClarity360 Express is one such tool. This solution leverages cutting-edge analytics tools and data sources to objectively examine external IT infrastructure for cyber hygiene, and identify At-Risk Digital Identities commonly used by malicious actors to access sensitive business information systems. It is further refined by expert analysis, the wisdom gained from nearly 1,000 third-party cyber risk assessments and prioritized based on current threat analysis.
We encourage you to consider reviewing our recent webinar on the Kroll CyberClarity360 Express solution, reading one of our case studies on its use, or reaching out to us for more information. Ultimately, every organization is only as strong as the weakest link in its digital supply chain. The cost of a data breach far exceeds reasonable investments in understanding and improving your third-party cyber ecosystem.