May 6, 2024
Cyber Risk

Third-party Risk Management: What is it and Why the Current Process is Broken

By Sachin Jha

CISOs and Third-Party Risk Management (TPRM) practitioners are anxious. Consider this: almost 60% of all data breaches originate from third-party sources. Gartner predicts that by 2025, 45% of organizations will have suffered a software supply chain attack, highlighting the escalating threats that need urgent and strategic responses.

As enterprises increasingly choose to buy rather than build, third-party technology, data, and services are becoming not just tools but integral components of business strategies. This shift has led to a scenario where vendors practically become extensions of the businesses themselves. Yet, despite clear awareness of the cybersecurity risks this entails, about 69% of enterprises still manually manage their Third-Party Risk Management (TPRM) programs. Moreover, 57% of these businesses rely on external Cybersecurity Risk Ratings to make critical TPRM decisions — even as experts point out significant operational challenges and question the reliability of these ratings. This stark contrast between dependency and risk management underscores why mastering TPRM is more crucial than ever in safeguarding our interconnected business operations.

CISOs voice their frustrations, echoing a common sentiment of vulnerability: "I don't know where my risk is - it is a blind spot," laments the CISO of a Fortune 100 Healthcare Provider. The sentiment is shared by a CISO at a Fortune 500 Technology Company, who admits, "I don't know what actions to take." Meanwhile, TPRM practitioners feel overwhelmed by the sheer scale of their responsibilities. "I am overwhelmed - thousands of third parties with a small team!" cries a practitioner, encapsulating the strain of modern risk management.

Decoding TPRM

What is Third-Party Risk Management (TPRM)?

Think of your business as a busy city that depends on various external services like electricity and transportation, much like companies rely on third-party vendors. Third-Party Risk Management (TPRM) is similar to city planning: it ensures these essential services run smoothly and do not disrupt business operations. In corporate terms, TPRM involves identifying, assessing, monitoring, and mitigating risks from outside vendors and service providers whose actions can significantly impact a company's operations, security, and reputation.

Why is TPRM Crucial? A Look at Recent Events.

To grasp the vital role of effective TPRM, let's consider two recent, impactful incidents:

  1. UnitedHealth Group - February 2024
    • Overview: UnitedHealth's subsidiary, Change Healthcare, which processes almost half of all U.S. medical claims, suffered a severe ransomware attack.
    • Scope of Impact: The attack halted medical claim processing nationwide, affecting approximately 900,000 physicians, 33,000 pharmacies, and 5,500 hospitals. This disruption not only strained healthcare services but also exposed sensitive health data, underscoring a significant operational and security breakdown.
    • Lesson Highlighted: This incident vividly demonstrates the ripple effect that a cybersecurity breach at a third-party vendor can have across an entire sector—healthcare, in this instance—emphasizing the need for robust TPRM to safeguard essential services and sensitive data. Learn more about how you can avoid this with Safe.
  2. Okta - October 2023
    • Overview: A breach occurred at a healthcare vendor handling support services for Okta, leading to unauthorized access to personal and operational data.
    • Scope of Impact: Information for 5,000 Okta employees was exposed, including sensitive credentials and session tokens, which could potentially compromise client data and access.
    • Lesson Highlighted: This breach highlights the vulnerabilities associated with third-party vendors and the cascading effects on privacy, security, and trust. It stresses the importance of TPRM in protecting operational capabilities, maintaining customer trust, and compliance with privacy regulations.

The Conventional TPRM Approach

Traditionally, Third-Party Risk Management has somewhat mirrored that yearly medical check-up—necessary, yes, but hardly sufficient to catch everything. Companies typically conduct periodic audits, where they check in with their third-party partners maybe once or twice a year, ensuring that they comply with contractual obligations and industry standards. Between these audits? Well, it's often a case of 'out of sight, out of mind.'

Manual checks are a common feature of traditional TPRM processes. These involve teams of workers reviewing spreadsheets to ensure services comply with regulatory requirements. This method is not only time-consuming but also prone to errors. Despite some benefits, relying mainly on manual checks can lead to risks being overlooked or missed entirely, much like a lapse in attention while driving.

Simplified TPRM Workflow in Large Enterprises

  1. Identification
    • Objective: Identify all third-party relationships that impact business operations.
    • Activities: Catalog vendors, suppliers, and service providers.
  2. Risk Assessment
    • Objective: Evaluate the potential risks associated with each third party.
    • Activities: Conduct security, financial, and compliance assessments.
  3. Due Diligence and Onboarding
    • Objective: Thoroughly vet third parties before formal engagement.
    • Activities: Verify credentials, conduct background checks, and integrate third parties into business systems.
  4. Contract Management
    • Objective: Establish clear and enforceable contracts.
    • Activities: Draft contracts with explicit terms for security, compliance, and performance expectations.
  5. Continuous Monitoring
    • Objective: Monitor third-party performance and compliance continuously.
    • Activities: Regular audits, performance reviews, and real-time monitoring of relevant metrics.
  6. Incident Management
    • Objective: Respond to and mitigate any issues arising from third-party interactions.
    • Activities: Implement incident response plans and corrective actions.
  7. Reporting and Review
    • Objective: Maintain transparency and improve third-party relationships.
    • Activities: Regular reporting on third-party performance and annual reviews of the TPRM process.
  8. Offboarding
    • Objective: Securely terminate third-party relationships when necessary.
    • Activities: Securely terminate third-party relationships when necessary.

Why is the current process broken?

As we explore the landscape of Third-Party Risk Management (TPRM), several challenges emerge that underscore the need for a shift in how businesses approach these crucial processes. Let's dive into these challenges:

Challenge #1: Misguided Tiering and Incomplete Inventory of Third Parties

  • Current State: Third parties are often ranked by contract value rather than actual risk, and organizations struggle to maintain a complete inventory of them.
  • Problem: A report by Barracuda highlights a critical issue: many organizations do not maintain a complete inventory of third parties that have access to sensitive or confidential data. This gap, combined with a limited understanding of which third-party vendors represent the highest risk, can leave significant exposures unaddressed.
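The two halves of this challenge, tiering by the wrong signal and an incomplete register, can both be checked mechanically. The script below is an added example, not Safe's code or any product's method: it tiers a constructed vendor register by inherent risk (data classes the vendor can touch, how it reaches the environment, and whether it is business-critical) instead of by contract value, and reconciles that register against a constructed export of applications from the identity provider to surface vendors that handle data but never entered the TPRM inventory. Vendor names, contract values, the SSO app list and the scoring weights are all assumptions made up for the illustration.

```python
"""Risk-based vendor tiering and inventory reconciliation.

Added example, not Safe's code. Every vendor record, the SSO/IdP app export
and the scoring weights are constructed for illustration.
"""
from dataclasses import dataclass

# Sensitivity of the data a vendor may process (weights are assumptions).
DATA_WEIGHTS = {"public": 0, "internal": 1, "confidential": 3, "regulated": 5}
# How the vendor reaches our environment (weights are assumptions).
ACCESS_WEIGHTS = {"none": 0, "api_token": 2, "sso_user": 2, "privileged": 5}


@dataclass
class Vendor:
    name: str
    contract_value_usd: int          # the signal conventional tiering uses
    data_classes: list               # data classes the vendor processes
    access: str                      # one of ACCESS_WEIGHTS
    business_critical: bool = False  # would an outage halt operations?


def risk_score(v: Vendor) -> int:
    """Inherent risk: most sensitive data class + access path + criticality."""
    data = max((DATA_WEIGHTS[c] for c in v.data_classes), default=0)
    return data + ACCESS_WEIGHTS[v.access] + (3 if v.business_critical else 0)


def tier(v: Vendor) -> str:
    """Map the score onto three tiers; thresholds are assumptions."""
    score = risk_score(v)
    if score >= 8:
        return "tier-1"
    if score >= 4:
        return "tier-2"
    return "tier-3"


def rank_by_contract_value(vendors):
    """The conventional ordering: biggest contract first."""
    return [v.name for v in sorted(vendors, key=lambda v: v.contract_value_usd, reverse=True)]


def rank_by_risk(vendors):
    """The risk-driven ordering: highest inherent risk first."""
    return [v.name for v in sorted(vendors, key=risk_score, reverse=True)]


def inventory_gaps(register, sso_apps):
    """Apps present in the IdP export but absent from the TPRM register.

    Anything here is a vendor that already receives user logins (and therefore
    data) without ever having been assessed.
    """
    known = {v.name.lower() for v in register}
    return sorted(app for app in sso_apps if app.lower() not in known)


# Constructed TPRM register (vendor names and figures are made up).
REGISTER = [
    Vendor("OfficeSupplyCo", 2_000_000, ["public"], "none"),
    Vendor("ClaimsClearing", 400_000, ["regulated"], "api_token", business_critical=True),
    Vendor("HelpdeskOutsourcer", 150_000, ["confidential"], "privileged"),
    Vendor("SwagVendor", 20_000, ["internal"], "sso_user"),
]
# Constructed list of applications federated through the identity provider.
SSO_APPS = ["ClaimsClearing", "HelpdeskOutsourcer", "PayrollSaaS", "SwagVendor"]

if __name__ == "__main__":
    print("by contract value:", rank_by_contract_value(REGISTER))
    print("by inherent risk: ", rank_by_risk(REGISTER))
    for v in REGISTER:
        print(f"{v.name:20} score={risk_score(v):2} {tier(v)}")
    print("in IdP but not in register:", inventory_gaps(REGISTER, SSO_APPS))
```

Run as written, the largest contract (OfficeSupplyCo) tops the conventional list while scoring zero on risk, the two vendors that actually process regulated or confidential data under an API token or privileged access land in tier-1, and the reconciliation reports PayrollSaaS as an application users already sign into that the register has never seen. The IdP export is used here as a cheap ground truth for "who actually has our data"; a DPA register or expense-system vendor list would serve the same purpose.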

Challenge #2: Lack of Automation and Scalability

  • Current State: While many firms believe they have robust third-party risk programs, the reality often paints a different picture.
  • Problem: Managing thousands of third-party relationships with a limited team can be overwhelming. Without automation, scaling the TPRM processes to handle increasing third-party numbers becomes an uphill battle, leaving teams stretched thin and risks unmanaged.

Challenge #3: Inadequate Prioritization

  • Current State: It's common practice to collect findings from all third parties without a clear strategy for action.
  • Problem: This results in a mountain of data with little guidance on prioritizing risks. Organizations struggle to identify which issues to tackle first, which can delay response times and increase exposure to potential threats.

Challenge #4: Manual and Resource-Intensive Processes

  • Current State: TPRM teams spend considerable time manually analyzing data from various third parties.
  • Problem: The reliance on manual processes slows down the risk assessment and increases the likelihood of errors. This labor-intensive approach is inefficient and can lead to inconsistent risk management practices across the enterprise.

Challenge #5: Prohibitive Costs

  • Current State: Many organizations use multiple solutions to manage third-party risks, each adding to the overall cost.
  • Problem: The cost-per-vendor pricing model makes conducting thorough risk analyses for all third parties financially unsustainable, especially as the number of third-party relationships grows. This financial burden can lead to gaps in risk coverage and uneven risk management efforts across the board.

While traditional TPRM methods have served their purpose in the past, they are increasingly mismatched with the realities of modern business dynamics. The manual nature of traditional practices, the inadequacy of infrequent inspections, and the confusion caused by tool disarray collectively contribute to a TPRM approach that is often reactive, inefficient, and fragmented. As we move forward, addressing these flaws will be crucial in developing more robust, proactive, and integrated TPRM strategies.

Case Study

Okta's 2022 data breach is a profound example of how traditional Third-Party Risk Management (TPRM) methods can fail, particularly when they rely heavily on Security Rating Services (SRS). The incident involved a breach at Sitel, a vendor for Okta, that initially went undetected because of reliance on outward-facing security assessments that gave Sitel a high cybersecurity score.

Breakdown of the Incident:

  1. Outside-In Security Assessment Misleads: Sitel's outside-in cybersecurity score was high, suggesting a robust security posture. However, this rating failed to account for internal vulnerabilities, such as those on the compromised employee device that led to the breach.
  2. Lack of Real-Time Monitoring: The breach was characterized by a lack of real-time internal monitoring that could have detected unusual activity following the compromise of a Sitel employee's device. Traditional SRS did not provide this level of insight, leading to a delayed response.
  3. Inadequate Internal Controls: The reliance on external assessments meant that internal controls and potential insider threats within Sitel were overlooked. This oversight allowed the breach to occur and go undetected long enough to cause significant damage.

Why the Current Process is Broken:

  • Overreliance on Incomplete Data: Traditional reliance on SRS and periodic audits provides incomplete risk pictures. These methods often miss critical vulnerabilities, especially those related to internal processes and human factors within third-party organizations.
  • Reactive Rather Than Proactive: Many existing TPRM processes are inherently reactive. They lack the capability to predict potential risks based on real-time data, relying instead on retrospective analyses that may not effectively prevent breaches.
  • Lack of Integration and Contextualization: Current TPRM practices often fail to integrate and contextualize risk data across different assessment tools, leading to a fragmented understanding of third-party risk landscapes.

Time To Adopt A Risk-Driven Approach to TPRM

The traditional methods of Third-Party Risk Management have shown their limitations in today's dynamic business environment. Ignoring the critical gaps in these practices—such as overreliance on incomplete data, the reactive nature of risk management, and the lack of integrated risk assessment tools—can expose organizations to significant security breaches, operational disruptions, and compliance failures.

The highlighted issues underscore the urgent need for enterprises to evolve their TPRM strategies beyond the conventional approaches. It's not just about patching up vulnerabilities but transforming how we perceive and manage these third-party relationships from reactive to proactive, ensuring that risk management keeps pace with the complexity and speed of modern threats.

Stay tuned for Part 2 of our TPRM series, where we will delve deeper into the approaches and solutions necessary for businesses to mend the broken processes and effectively secure their ecosystems against third-party risks.