Information Security in Third Party Risk Management: The Basics

18 January 2024

Companies often work with a large number of service providers in order to be able to concentrate on their core business or save costs. For this to succeed, companies must grant their service providers access (digital and analog) to their company assets. This opening up to service providers is not without risk, as an information security breach at the service provider can quickly lead to damage within the company. To address this risk appropriately, companies need to introduce effective third party risk management (TPRM). In our series of articles "Information security in third party risk management", we explain the basics of effective TPRM, common stumbling blocks and possible solutions.

Vendor, service provider or third party? What exactly are third parties?

It does not matter which term you use in your company. All of them describe companies, organizations or individuals with whom your company has entered, or intends to enter, into a contractual business relationship for the provision of a defined service. TPRM covers the entire life cycle of this business relationship, from initiation to termination. This means, among other things, that a risk assessment should take place before the contract is concluded.

Please note: Subcontractors of such third parties, i.e. fourth parties, must also be considered in the TPRM.

Why are there particular risks involved in working with third parties?

In order to work effectively with a third party, the commissioning company usually has to grant the service provider access to certain company assets so that the service can be provided at all. Suppose, for example, that a company is looking for a SaaS solution to manage HR data. In order to use the functions of the SaaS solution, the personnel data must be imported. This means that the information is no longer held by the company, but has been outsourced to the operator of the SaaS solution. The high level of protection required for this sensitive data has not changed as a result of the outsourcing, but the responsibility for implementing appropriate protective measures lies with the service provider. The company, in turn, must ensure that the service provider fulfills this responsibility in the interests of the company, and must identify the weak points where this is not the case. These weak points are the risk.

What risks arise from relationships with third parties?

Sharing and passing on information to third parties is an essential part of daily work in many companies. However, every time information is shared, there is an increased risk that the confidentiality, integrity or availability of this shared information may be breached. Such risks can be business-critical, as they can have financial, legal, operational, strategic or devastating reputational implications.

The ransomware attack of summer 2021, one of the most serious in history, which affected the American meat producer JBS and the Swedish supermarket chain Coop, among others, shows how serious the consequences of a successful attack on a third party can be for companies. The attackers used a supposed update of the VSA software from the manufacturer Kaseya as a gateway. VSA is used for remote access, patch management, inventory and backup, including for checkout systems worldwide. In July 2021, instead of receiving the update, Kaseya customers were infected with ransomware that encrypted their systems. The attackers demanded a ransom of millions for the recovery. According to Kaseya CEO Fred Voccola, up to 1,500 companies worldwide are said to have been affected by the attack. However, as many of Kaseya's customers are themselves service providers for other companies, the actual number of affected companies is likely to be even higher. This domino effect makes attacks on the supply chain particularly dangerous.

Source (in German): https://www.verfassungsschutz.de/SharedDocs/hintergruende/DE/wirtschafts-wissenschaftsschutz/lieferkettensicherheit.html

What is a Third Party Risk Management Program?

Risks that arise for companies from relationships with third parties must be effectively identified, assessed and managed just like all other risks. However, companies often use more services through third parties than they could assess individually, leaving risks unrecognized or untreated. In particular, if their suppliers or service providers in turn pass the information on to their own service providers, transparency and control over this information decreases further: the risks are multiplied in the supply chain.

So the more third-party relationships your company has, the greater the need for a structured TPRM program that allows you to identify all services that pose an information risk to your company and prioritize and address the risks appropriately.

For this very reason, more and more directives and regulations, such as DORA, NIS-2 or BAIT, contain requirements for Third Party Risk Management. For example, the NIS-2 directive states:

Addressing risks stemming from an entity’s supply chain and its relationship with its suppliers [...] is particularly important given the prevalence of incidents where entities have been the victim of cyberattacks and where malicious perpetrators were able to compromise the security of an entity’s network and information systems by exploiting vulnerabilities affecting third-party products and services. NIS-2 (85)

Source: https://eur-lex.europa.eu/eli/dir/2022/2555/oj?locale=en#

Outlook

An effective TPRM is not only a necessity, but also an opportunity to make your company safer, more efficient and more competitive. Building and improving an effective TPRM program is a continuous process. The upcoming parts of this blog series will therefore focus on the most important aspects and steps of a TPRM program. If you would like to learn more, we invite you to read our blog series on building, improving and evaluating a Third Party Risk Management program and developing your own TPRM strategy.

