Securing the Digital Landscape: Organizations Must Address Third-Party Risk Head-On

Author: Dorina Hamzo, CISA, CDPSE
Date Published: 13 August 2024
Read Time: 6 minutes

Third-party collaboration has evolved into a necessity for most organizations in today’s market. However, the challenges of managing a third-party risk program can be overwhelming. Effective management of third-party risk requires a holistic approach that encompasses collaboration, risk assessment, and proactive risk mitigation strategies. Organizations must identify critical third parties, assess their security capabilities, and establish clear contractual agreements to ensure resilience and transparency. This can be achieved by establishing a third-party risk management (TPRM) program. Implementing an effective TPRM program empowers enterprises to select third parties that help them meet business objectives while protecting their data and driving compliance throughout the organization’s ecosystem.


Regulatory Compliance Landscape

TPRM is required in many industries. Organizations managing sensitive and protected information are generally required to comply with one or more regulations. Lack of compliance can lead to regulatory fines and suspensions. Some examples of regulations, standards, and frameworks requiring the management of third-party risk include:

  • The US State of California Consumer Privacy Act (CCPA)1—This act and the related regulations apply to companies that collect California resident consumer data. The act gives consumers the right to know, delete, opt out, correct, and limit the use of their information.
  • The US Health Insurance Portability and Accountability Act (HIPAA)2—A federal law that applies to companies that collect patient health information (PHI). It is designed to protect PHI from being disclosed without the patient’s consent or knowledge.
  • The HITRUST Common Security Framework (CSF)3—A framework that captures a set of requirements across several standards and regulations to ensure risk management and regulatory compliance.
  • The US State of Massachusetts Data Security Law4—Applicable to companies conducting business in the state of Massachusetts (MA). The law outlines what companies must do to prevent a data breach.
  • International Organization for Standardization (ISO) standard ISO 27001 5—A global standard designed to manage information security. It applies to any organization, independent of industry or location.
  • The European Union (EU) General Data Protection Regulation (GDPR)6—Applies to companies that collect EU citizens' consumer data. GDPR requires organizations to focus on user data and provide transparency in how they collect, share, and use such data.
  • The Payment Card Industry Data Security Standard (PCI DSS)7—Applies to all entities involved in payment card account processing.

Even with the available regulations, frameworks, and standards, effective risk management still lags, as evidenced by the hundreds of data breaches and ransomware attacks that take place every year because of ineffective controls and security standards.8 In an interconnected business landscape, one enterprise’s data breach can become another organization's problem. The recent Change Healthcare data breach is a real-life example of that interconnectivity.9

TPRM Challenges and Solutions

Organizations often face difficulties establishing and maintaining a TPRM due to several internal challenges, including:

  • Adoption—Due diligence delays business initiatives.
  • Program effectiveness—Lengthy questionnaires are not acted upon by the due diligence teams.
  • Scalability—The need for third-party services grows faster than internal program resources.
  • Vendor management—Legacy vendors without contracts; limited visibility into vendors' security risk.

Although third-party risk management programs are not foolproof, there are simple solutions, proven to be effective at mitigating third-party risk, that can help leaders sleep better at night.

The key to effective third-party risk management lies in data-driven due diligence and monitoring programs that seamlessly integrate with an organization’s resilience and enterprise risk management strategies. Data collected through a solid due diligence and monitoring program not only enhances risk management but can also become a strategic asset for organizations, ensuring informed decision-making and increased efficiency.

1. Due diligence and monitoring process considerations:

  • Develop a cross-functional program with representation from various relevant teams in the organization. These teams include procurement, legal, security, privacy, audit, and compliance.
  • Centralize the due diligence and monitoring process so that it is a one-stop shop for business owners, as seen in Figure 1.
  • Define service level agreements (SLAs) for the process and monitor adherence to them. High-risk vendor reviews should take a bit longer than medium-risk vendor reviews. A well-managed process for a high-risk vendor should not take longer than 2-3 weeks.
  • Focus the due diligence and monitoring process on vendors that interact with critical data—this will not be every vendor in the procurement system.
  • Use a tiered risk approach. The risk level associated with the vendor should determine the review effort.
  • In the early stages of the due diligence and monitoring program, establish concise compliance questionnaires. Questionnaires should not exceed 60-70 questions, to avoid turning the process into a “check-the-box” activity.
  • Active third-party attestation reports, such as HITRUST or ISO 27001 certifications, can serve as a substitute for the due diligence questionnaire when assessing services within scope.

Based on the due diligence results, incorporate key security, resilience, and audit terms in the contract phase of the process.

Figure 1—Centralized Third-Party Risk Management Program

2. Other considerations to build a complete third-party risk management program:

  1. Business Continuity Planning (BCP)
    • Tie the vendor due diligence stage with the disaster recovery and BCP program to identify all new vendors that might impact the program.
    • Capture vendors’ recovery time objective (RTO) and recovery point objective (RPO) commitments before signing any contract.10
  2. Monitoring
    • Consider quarterly performance monitoring.
    • Implement an annual compliance review.
  3. Enterprise Risk Management
    • After the due diligence and monitoring phases, tie the third-party observations and remediations to the risk register to keep the risk profile up to date.
    • The risk data will help predict which third parties to engage and retain in the supply chain database.
  4. Reporting
    • Regular reporting should not be ignored. It is important to formalize reporting on several key performance indicators (KPIs) as well as outline progress, current and ongoing risk, and flag any pertinent issues to management and the board of directors.

In addition to the considerations listed above, there are several supporting frameworks and tools that can assist organizations with building a TPRM program:

  • NIST Special Publication (SP) 800-161 Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations11—This publication helps organizations manage the increasing risk of supply chain compromise related to cybersecurity.
  • NIST IR 8374 Ransomware Risk Management: A Cybersecurity Framework Profile12— This framework can be used as a guide by organizations to manage the risk of ransomware events.
  • Committee of Sponsoring Organizations (COSO) Enterprise Risk Framework (ERM)13—This guidance provides a framework for organizations to establish a comprehensive risk management program that should include TPRM processes.
  • Shared Assessments Standardized Information Gathering (SIG) Questionnaire14—This questionnaire is a paid service that provides organizations with a set of questions that can be used during the due diligence and monitoring process.

It Is Not Too Late

In conclusion, it is never too late to get started with a TPRM program. The considerations described above are critical to building simple TPRM programs and to addressing several common program challenges:

  • Adoption—Leadership support combined with well-defined program SLAs.
  • Program effectiveness—Customized questionnaires that are actionable and apply to your business.
  • Scalability—Streamline key processes and look to automate them.
  • Vendor management—Identify legacy critical vendors and perform due diligence. Update contract terms.

Keeping the program simple is important for improving organizational adoption and support. As a result, enterprises can strike a healthy balance between regulatory compliance, resilience, and business owner satisfaction.

Endnotes

1 California Department of Justice, California Consumer Privacy Act, 2024
2 Cdc.gov, Health Insurance Portability and Accountability Act of 1996 (HIPAA), 1996
3 HITRUST, The HITRUST Framework
4 Mass.gov, “Obligations Under the Data Security Regulations and Breach Notification Law”
5 ISO, ISO/IEC 27001:2022 Information Security, Cybersecurity and Privacy Protection, 2022
6 GDPR.EU, “What is GDPR, the EU’s New Data Protection Law?,” 7 November 2018
7 PCI Security Standards Council, The Payment Card Industry Data Security Standard (PCI DSS)
8 Madnick, S.; “Why Data Breaches Spiked in 2023,” Harvard Business Review, 19 February 2024
9 U.S. Department of Health and Human Services, HHS Statement Regarding the Cyberattack on Change Healthcare, 5 March 2024
10 Liuzzo, M.; Bovey, K.; “RPO and RTO: What’s the Difference?,” Veeam, 2 February 2024
11 National Institute of Standards and Technology, Cybersecurity Supply Chain Risk Management (C-SCRM), 2022
12 National Institute of Standards and Technology, NIST IR 8374 Ransomware Risk Management: A Cybersecurity Framework Profile, USA, 2022
13 Committee of Sponsoring Organizations, Enterprise Risk Framework (ERM)
14 Shared Assessments, Standardized Information Gathering (SIG) Questionnaire

Dorina Hamzo

Dorina Hamzo is the founder and CEO of AdviseUp Consulting LLC, which offers audit, risk, and compliance services. Before that, she held the VP, chief audit, and risk officer role in several Fortune 500 companies with a global presence. She has authored publications in Internal Auditor magazine and AuditBoard.
