Has the Digital Journey Added to the Risk of Using Third Parties?

Author: Candice Jackson, CDPSE, CIPP/E, CGEIT, CRISC, CISA
Date Published: 7 June 2024
Read Time: 7 minutes

In the swiftly advancing digital world, the role of third-party risk management (TPRM) has gained unprecedented importance. Recently, there have been year-over-year increases in the number of breaches caused by third parties, with large volumes of information being exposed. This influx in breaches can be seen within organizations across industries, such as financial, telecommunications, entertainment and leisure, and even fast-food outlets.

The digital journey refers to the path that an organization takes as it integrates technology into its business strategy, and no organization is immune to the impact that technology has on its business.1 This digital journey undertaken by organizations worldwide has undoubtedly sparked a wave of innovation, yet it has also introduced unprecedented risk. The widespread exposure introduced by third parties underscores the need for organizations across all industries to prioritize cybersecurity measures and invest in advanced protection systems.

The question is, why are organizations using more third parties than before?

One reason may be that organizations are focusing more on their core offerings and making use of third parties to provide support services. This includes the use of cloud facilities, which indicates how organizations relate to a variety of third parties and even fourth parties, across the globe, where information is being accessed, shared, received, and stored.


As the digital terrain evolves, the reliance on third-party entities increases, presenting organizations with an increasingly complex array of challenges. These challenges encompass a diversity of risk types, which include the ambiguity surrounding the ownership of TPRM, the common tendency to underestimate the balance between cost and effort, and limitations in internal capacity.

It is worth taking a deeper dive into the multifaceted challenges that organizations frequently encounter on their TPRM journey:

  • Various risk types–While these risk types may have always existed in an organization, organizations still need to look beyond the cybersecurity, privacy, or cloud risk that third parties pose. They should also consider compliance, operational, reputational, and financial risk, which allows for a holistic view of a third party (i.e., a centralized risk profile, or inherent view, of the third party, with specific detailed due diligence assessments selected according to the risk types identified in that profile).
  • Ownership of TPRM–Due to the various risk landscapes that exist and the different stakeholders involved, there is often a question of who should own third-party risk management in an organization and which model to select (centralized, decentralized, hybrid). As we progress further into the future of data security, it is important to have a holistic view of third parties and the potential risk involved. Thus, it would make the most sense to grant ownership to an area that has the most central view, such as the procurement or supply chain departments.
  • Cost vs. effort underestimation–When an organization starts its TPRM journey, there is often a preconceived notion of how much an effective TPRM program costs. Items that are frequently underestimated include the number of third parties, the number of systems from which information is collected, the use of similar third parties with different services, and even automation. Each of these carries additional challenges on its own and adds to the cost and effort of running an effective TPRM program. While it can be a daunting task to unpack a full TPRM journey, it is worth understanding each of the items above through a high-level assessment and/or workshops with stakeholders within the organization. In addition, to overcome this challenge, the organization must adopt a risk-based approach2 to developing the project plan (i.e., a 3-year plan) with associated estimated costs.
  • Internal capacity–Individuals who possess a deep understanding of third-party entities and the associated risk are often already operating at full capacity and may not have the time to take on additional responsibilities such as managing third parties, which includes reviewing third-party due diligence assessments and tracking the risk mitigation items identified. Furthermore, in the context of a centralized model (or center of excellence),3 these individuals may not necessarily have expertise across all risk areas, leading to gaps in both knowledge and security. These gaps can be mitigated by ensuring that there is subject matter expertise from each area (e.g., privacy, cybersecurity) and the relevant training within the center of excellence; however, this may come at a cost.

What Does the Future of TPRM Look Like?

Though the digital landscape is rife with challenges, it also provides opportunities to improve the management of third-party risk. These improvements include:

  • Integration with existing systems–Provision of additional information or triggers that contribute to a risk area. An example of this would be an integration between the procurement system and the TPRM system: as soon as a third party is added to the procurement system, a notification is triggered to the TPRM system that a new third party has been added, and the remainder of the TPRM steps would then need to be followed.
  • Integration with dedicated platforms for external scanning of assets–This could be achieved by integrating the TPRM system with platforms that provide technical cybersecurity ratings, which passively evaluate third parties and do not touch their systems or network assets.4 The rating is used together with the due diligence assessment and adds an additional lens on how a third party is assessed.
  • Artificial intelligence and chatbots–Utilize machine reading and interactive communication to support due diligence processes for third parties and reduce the time they take. A policy could be submitted by a third party as evidence in relation to a particular control; an AI reader then deems the policy acceptable or not and returns information about the policy, which aids the individual performing the review (thus reducing time for both the third party and the reviewer).
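The following is an added example, not code from the article or from any product it cites. It sketches the first two integrations above as a small Python module: a constructed "third party created" event from a hypothetical procurement system is handed to a TPRM handler, which builds a centralized inherent-risk profile across the six risk types the article lists, selects the detailed due diligence assessments that profile calls for, and later blends a questionnaire result with a passive external security rating. All vendor details, thresholds, weights, and assessment names are assumptions chosen for illustration; a real program would calibrate them to its own risk appetite.

```python
"""Event-driven TPRM intake: procurement event -> inherent risk profile -> due diligence plan.

Added illustration; event shape, thresholds and weights are constructed, not from any product.
"""
from dataclasses import dataclass
from typing import Dict, List

# The risk types the article asks organizations to consider together.
RISK_TYPES = ("cybersecurity", "privacy", "compliance", "operational", "reputational", "financial")
LEVEL = {"Low": 1, "Medium": 2, "High": 3}

# Hypothetical detailed assessments, one per risk type, triggered for Medium/High inherent risk.
ASSESSMENTS = {
    "cybersecurity": "Information security questionnaire",
    "privacy": "Data protection impact assessment",
    "compliance": "Regulatory and licensing review",
    "operational": "Business continuity and fourth-party review",
    "reputational": "Adverse media and sanctions screening",
    "financial": "Financial viability review",
}


@dataclass
class ThirdParty:
    """Intake facts captured when the supplier is created in procurement (constructed fields)."""
    name: str
    handles_personal_data: bool
    system_access: bool        # connects to, or hosts, our systems
    annual_spend: float
    critical_service: bool     # an outage would disrupt our operations
    regulated_activity: bool   # e.g. payments or health services on our behalf
    subcontractors: int        # known fourth parties


def inherent_risk_profile(tp: ThirdParty) -> Dict[str, str]:
    """Rate each risk type Low/Medium/High from intake facts alone (no assessment yet)."""
    return {
        "cybersecurity": "High" if tp.system_access else "Medium" if tp.handles_personal_data else "Low",
        "privacy": "High" if tp.handles_personal_data else "Low",
        "compliance": "High" if tp.regulated_activity else "Low",
        "operational": "High" if tp.critical_service else "Medium" if tp.subcontractors > 0 else "Low",
        "reputational": ("High" if tp.critical_service and tp.handles_personal_data
                         else "Medium" if tp.critical_service or tp.handles_personal_data else "Low"),
        "financial": "High" if tp.annual_spend >= 1_000_000 else "Medium" if tp.annual_spend >= 100_000 else "Low",
    }


def overall_tier(profile: Dict[str, str]) -> str:
    """The centralized view: the third party inherits its highest single risk rating."""
    return max(profile.values(), key=LEVEL.__getitem__)


def required_assessments(profile: Dict[str, str]) -> List[str]:
    """Low inherent risk gets a light-touch attestation only; Medium/High trigger the detailed module."""
    return [ASSESSMENTS[rt] for rt in RISK_TYPES if LEVEL[profile[rt]] >= LEVEL["Medium"]]


def blended_cyber_score(questionnaire_pct: float, external_rating: float) -> Dict[str, object]:
    """Combine the due diligence questionnaire (0-100) with a passive external rating (0-100).

    The weights are assumptions. A large gap between self-attestation and the external
    lens is flagged for human review rather than averaged away.
    """
    score = round(0.6 * questionnaire_pct + 0.4 * external_rating, 1)
    return {"score": score, "review_flag": abs(questionnaire_pct - external_rating) > 30}


def handle_procurement_event(event: dict) -> dict:
    """Integration entry point: open a TPRM work item when procurement reports a new third party."""
    if event.get("type") != "third_party.created":
        raise ValueError(f"unsupported event type: {event.get('type')!r}")
    tp = ThirdParty(**event["third_party"])
    profile = inherent_risk_profile(tp)
    return {
        "third_party": tp.name,
        "inherent_tier": overall_tier(profile),
        "profile": profile,
        "assessments": required_assessments(profile),
        "status": "due_diligence_pending",
    }


# Constructed sample event, standing in for what a procurement system would emit.
SAMPLE_EVENT = {
    "type": "third_party.created",
    "source": "procurement",
    "third_party": {
        "name": "Example Cloud Payroll (constructed)",
        "handles_personal_data": True,
        "system_access": True,
        "annual_spend": 250_000.0,
        "critical_service": True,
        "regulated_activity": False,
        "subcontractors": 2,
    },
}

if __name__ == "__main__":
    work_item = handle_procurement_event(SAMPLE_EVENT)
    print(work_item)
    print(blended_cyber_score(questionnaire_pct=90, external_rating=55))
```

Because the tier is the maximum across risk types, a supplier that looks harmless to the security team can still be rated High on operational or financial grounds, which is the holistic view the article argues for; the discrepancy flag in the blended score is what makes the external rating an additional lens rather than a replacement for the assessment.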

These improvements can help benefit the organization by having real-time data (not relying on human intervention), using automated information, and placing less reliance on a third party completing an assessment, therefore creating more agility when addressing TPRM.

Building a Successful TPRM Program

As information evolves and the methods of data sharing and storage transform, it is crucial for organizations to understand the associated risk when utilizing third-party services. As TPRM progresses and organizations look to build or mature a successful and comprehensive TPRM program, some initiatives that can be adopted include:

  • Creating awareness of TPRM at a board level
  • Applying a centralized supply chain view when looking at TPRM. This includes involving other risk areas such as compliance, cybersecurity, privacy, operational, reputational, etc.
  • Identifying the right model that works for the organization, be it centralized, decentralized, or hybrid
  • Budgeting for realistic costs while including the right resourcing model
  • Joining the digital journey by automating TPRM from the beginning and utilizing integration, external scans, and AI

Conclusion

As the digital terrain evolves and the reliance on third-party entities escalates, organizations are faced with unprecedented risk that requires a formal TPRM program.

This article presents solutions to overcome challenges such as the ownership of TPRM in an organization. It provides opportunities to improve the management of third-party risk using technologies to integrate and become more agile when addressing TPRM.

While the mercurial nature of the digital landscape and its associated risk have amplified the uncertainties of engaging with third parties, it has simultaneously sparked a surge of inventive strategies to enhance the governance of such risk. Therefore, it is important to embrace these strategies, as they provide a robust framework for mitigating risk and ensuring successful third-party engagements.

Endnotes

1 Mobius Consulting, "Securing Digital Trust," 2023
2 Putrus, R.; "A Risk-Based Management Approach to Third-Party Data Security, Risk and Compliance," ISACA®, 12 September 2017
3 Catalant, "Everything You Need to Know About Centers of Excellence," 9 July 2021
4 Blackkite, "Technical Cyber Security Rating," 27 April 2021

Candice Jackson, CDPSE, CIPP/E, CGEIT, CRISC, CISA

Is a principal consultant at Mobius Consulting South Africa. She has twelve years of IT consulting experience in governance, information privacy, and third-party risk management domains.

She has a passion for solving problems and thinking innovatively. When third-party risk management (TPRM) was a very new topic, she pioneered the thinking in this area. By leveraging lessons learned and industry experience, she has identified, and continues to identify, improved ways of running third-party implementation programs at small, medium, and large organizations. She continuously looks for innovation in TPRM and for practical ways to perform it by leveraging existing business capabilities and using technology where it would be most efficient and effective.
