Do Not Ignore: Three Critical Triggers for Third-Party Reassessment
Third-party risk assessment is an essential component of any comprehensive cybersecurity strategy. By now, the majority of customer organizations employ some sort of risk assessment prior to or as part of onboarding. But it’s not one and done—a mature risk assessment program should never be static.
Many companies follow a standard schedule, which varies by organization. We also see clients categorize their third parties according to their criticality to the business and use that tier as the main driver of the assessment schedule:
RISK TIER 1 (Mission Critical) – Assess annually or more frequently as preferred
RISK TIER 2 (High Critical) – Assess every 18 months or more frequently
RISK TIER 3 (Medium Critical) – Assess every 24 months or more frequently
RISK TIER 4 (Low Critical) – Assess every 36 months or more frequently
However, during times when material changes or events occur, a company should deviate from its standard schedule. In particular, there are three types of changes that should automatically trigger your team to launch a third-party reassessment initiative whenever they occur.
1. Data breach.
A breach is typically a company-specific event, so approach it directly with the third party that is impacted. For example, if you are using a cloud-based platform-as-a-service and the platform provider suffers a breach, immediate reassessment of that provider is necessary. Require that they provide information on how the breach occurred. Was any of your company’s data involved? What remedial action has the third party taken? Have they made permanent changes to their cyber-defensive posture? You may also need to explore the breach’s ripple effects through the third party’s own supply chain, in case your data was shared with others down the line.
2. Regulatory change.
If your industry is experiencing regulatory changes, make sure that you update your third parties on any new rules to which your company is subject, and test your data controls around those changes. While new regulations issued by state-level authorities are non-negotiable, they typically provide lead time of months to more than a year for you to prepare.
Given rampant cyber and data privacy threats, new regulations are coming more frequently. A recent example is the New York State Department of Financial Services 23 NYCRR 500, which imposed new cybersecurity requirements on financial services companies. And just this month, the new California Consumer Protection Act (CCPA) went into effect. CCPA guidelines put data protection responsibility on the company that owns (collects) consumer data for its own business purposes, but also impose penalties on its third parties that may be in violation. Consequently, the data owner needs to stringently test its controls on all suppliers that may have access to that data.
Beyond regulations, your industry may be experiencing change through the emergence of new best practices. For example, NERC CIP-013 was specifically designed to address how utility companies should evaluate their supply chains in today's environment. Advise your third parties regarding these new practices, and set the requirement that those companies will need to adopt them within a reasonable amount of time. You don’t want to be the company that falls behind and becomes an easy target for attackers—or becomes the poster child for the regulators.
3. Material change.
There may be other material, market-changing events that impact security or even the normal course of business in your environment and/or your third parties’ environments. The current pandemic is a perfect example.
The rapid emergence of COVID-19 very quickly forced a large portion of the workforce into a remote work situation, where many remain to this day. Changing how millions of people work should trigger a reassessment of every third party that may be accessing your data in some form or manner, even if they completed an annual assessment just prior to the lockdown.
There are new critical questions to ask: How are they protecting data in a work-from-home environment where cyber threats have skyrocketed? What new cloud-based platforms might they have adopted, and how are those secured? What new systems have they put in place? How is their business outlook impacted – are they solvent? Is their workforce healthy? Do they retain the capacity to deliver on their contractual obligations to you? It is reasonable to expect that their turnaround time for reassessment may be a bit longer, but the effort still needs to be made.
While a global pandemic is a rare circumstance, there may be other material events that affect third parties’ performance – disruption to the supply of raw goods, recessions, international trade issues, and any number of other things. Don’t discount their potential impact on your business.
In fact, one critical change that is often overlooked is a change in the scope of services a third party is providing. Each risk assessment is viewed through the lens of the data’s criticality and its transfer mechanism. Risk assessments are not one-size-fits-all, so they require a level of adaptability. This means that if a third party was approved for one service or product, that approval does not necessarily extend to others. Large corporations that provide different products will have access to various types of data, so any change in the scope of work should be accompanied by a new assessment.
Bottom line: effective risk management requires continual monitoring of your entire third-party portfolio. It involves the continual review and tracking of your own internal policies, industry best practices, and other macro forces that are beyond your control. Regularly incorporating all of those into your downstream third-party evaluation process will keep your organization much better prepared to navigate the disruptions that every business will inevitably face.