How To Conduct A Third-Party Cyber Risk Assessment

As companies increasingly rely on third parties like vendors, service providers, contractors, and business partners for key functions, they also take on significant cybersecurity risks that these relationships introduce. Vendors frequently have remote access to internal systems, hold valuable data, and can have inferior security controls compared to yours – making them attractive targets for attackers. Recent high-profile breaches like Target, LinkedIn, and Equifax originated through third-party access. The impact of the cybersecurity breach on Target was such that it impacted 41 million company customers. Eventually, Target paid the largest settlement sum in history, amounting to $18.5 million.

Therefore, organizations must thoroughly assess and mitigate potential cyber risks from supplier, vendor, and partner connections. Instituting a comprehensive third-party risk management (TPRM) program allows you to continuously monitor the security of vendors and partners, enforce appropriate controls contractually, and minimize avenues for pivotal data, networks, and critical business functions to be compromised.

This blog covers techniques, best practices, and critical components organizations should implement when performing assessments of third-party cyber risk across their supplier ecosystem.

Define Assessment Scope, Criteria, and Risk Ratings

The first phase in designing your third-party cyber risk assessment program is determining its scope – which vendors and partners will you perform assessments on? It is prudent to assess all external parties that hold your sensitive customer, employee, or business data or have remote access paths into your corporate network.

Once you’ve categorized your vendors and partners into tiers by criticality and potential risk, you can develop standardized criteria that each assessment will evaluate them on. Customized questionnaires and document requests should gauge controls in areas like access management, data security and encryption, vulnerability prevention, inventory of assets, incident response processes, business continuity protections, and personnel security and accountability procedures in place.

Compile Information from Multiple Sources

There are a variety of third-party risk assessment techniques available to research a vendor’s security posture as part of a cyber risk assessment:

• Self-Assessment Questionnaires: Gather info directly with customized questions.
• On-Site Audits: Directly scan controls and processes in the environment.
• Documentation Reviews: Have the provider submit relevant compliance audits, architecture diagrams, and security policies.
• Automated Scanning: Identify vulnerabilities, misconfigurations, and exposed data via tools.

Combining these techniques creates a complete picture of the vendor’s controls and risk level. For example, combining a detailed policy and procedural questionnaire, an on-site penetration test in their environment provides both breadth and depth in the assessment process.

Create Action Plans for Continuous Improvement

Once assessments for each vendor are completed and risk ratings assigned based on your criteria, you can create action plans for the provider to remediate identified gaps or vulnerabilities on an ongoing timeline. Striking the right balance between AI and manual assessment processes ensures a thorough and nuanced understanding of risks. Remediation targets should be incorporated into contracts and service agreements.

Similarly, you can require evidence of improvements in process or automation of controls over periodic intervals through refreshed audit reports, automated scan results, or updated attestations. Action plans make cyber risk management an ongoing conversation rather than a point-in-time compliance checkbox.

Implement Continuous Monitoring of Security Posture

The cybersecurity risk assessment process continues after the initial review. Without ongoing monitoring and updated assessments, the posture of the third party may deteriorate over time or shift without your knowledge. Mandating refreshed assessments on at least an annual basis or requiring automated continuous monitoring for threats is key.

Including contractual language that grants oversight visibility via ongoing assessments and monitoring tools provides significant risk reduction, continuous monitoring capabilities also give you early warning to intervene with corrective actions if the vendor’s security indicators decline, according to Key Performance Indicators.

Align Vendor Controls to Internal Cybersecurity Maturity

To ensure success in managing third-party cyber risk in the long term, their security control objectives should closely align with your internal cybersecurity program maturity. Extend those same priorities to suppliers as you improve cyber resilience through new technology investments, process automation, and establish a cyber-aware culture.

If your internal security policies and controls need more maturity, get your house in order before declaring sweeping control requirements that vendors may outpace your teams in implementing. Prioritize bringing high-risk vendors up to that baseline first. Take a collaborative, continuous improvement-oriented approach focused on risk reduction rather than demanding contractual perfection.

Review and Update the Program

Finally, as you monitor third-party vendors for updated risk assessments, you must continuously mature and optimize your TPRM program. Review what partner types and risk areas are not adequately captured in assessments, evaluate if staff have the tools needed to make insightful vendor risk decisions, determine if new or emerging threat vectors require additional contract terms, and identify if the program has measurable ROI through the cost of breaches avoided. Programs that incorporate continuous feedback channels internally and with your vendors themselves evolve more effectively.

Conclusion

Managing third-party cyber risk requires commitment across functions like infosec, legal, procurement, and IT to define a comprehensive assessment and monitoring program. However, the business payoff in risk reduction over time through greater visibility and control over this pervasive attack vector is invaluable. Follow the steps outlined here to implement a robust assessment methodology, remediation processes, ongoing monitoring, and a continuous improvement mindset across your vendor partnerships.