Third-Party Cyber Risk: Managing IT, Compliance and Data Risk Throughout the Vendor Lifecycle

Identifying Third-Party Cyber Risk During Sourcing and Selection

Some degree of third-party cyber risk will be present with almost any vendor you do business with, even those with extremely minimal access to IT infrastructure or sensitive data. However, identifying vendors that expose your organization to unnecessarily high levels of cyber risk is critical to reducing the chances of a data breach or security incident further down the line. Here are a few questions to ask potential vendors, particularly those that have high profiled risk.

• Does the organization have a formalized cybersecurity program aligned with a known cybersecurity framework such as NIST CSF or ISO 27001?

• Has an outside auditor or party validated that the security program is fully compliant with the standard?

• Is the organization already fully compliant with applicable legal requirements to work with your organization’s data? (e.g., HIPAA, GDPR, CCPA)

• Has the organization ever been fined for a cybersecurity compliance violation?

• What is the organization’s reliance on 4th or Nth parties?

• Does the organization have a history of data breaches or publicized security incidents?

• Is the organization located in a country that may force them to disclose sensitive corporate data contrary due to contractual obligations?

Mitigating Third-Party Cyber Risk During Intake and Onboarding

Identifying vendors that pose an acceptable degree of risk is only the beginning. Intake and onboarding is a crucial phase to enable both risk identification and reduction opportunities throughout the lifecycle of the contract.

Write Cybersecurity into the Contract

Include specific data storage and cybersecurity requirements in your contract with the vendor based on compliance needs and profiled risk. Standardized clauses should cover when and how the vendor can share data with their third parties (i.e., your fourth parties). In addition, consider adding requirements to the SLA regarding encryption standards, identity and access management, and data retention.

Score Inherent Risk

Inherent risk scoring is critical to adequately managing third-party cyber risk. As mentioned above, an organization's inherent risk is the risk they pose prior to the implementation of specific controls required by your organization. Below are a few tips you can use to enhance your inherent risk scoring approach:

Don’t Take a One-Size Fits All Approach: Inherent risk scoring should be based on an organization's profiled risk. Vendors should be tiered based on the data and infrastructure that they have access to. Failure to appropriately tier vendors leads to wasted effort focusing due diligence on the wrong vendors, while those that may pose substantial organizational risk don’t receive enough attention.

Consider Vendor Location When Scoring Inherent Cyber Risk: Vendors based in specific locations may be partially owned or under specific data sharing requirements by governments, which may supersede the vendors' contractual obligations to your organization. Carefully consider vendor location and regional politics when determining the amount of inherent risk that a vendor poses.

Bonus Tip: Using a dedicated third-party risk management solution can enable you to tier vendors based on custom-built criteria.

Identify Fourth and Nth Party Vendors

If the vendor you are onboarding has a high degree of inherent risk based on their data and IT access, it may be worth examining their extended supply chain. Pay particular attention to organizations that work on their IT infrastructure or have access to data that they store. Understanding fourth and Nth party usage helps to inform your overall vendor risk management program, as well as to focus your third-party monitoring approach throughout the contract lifecycle.

Assessing and Remediating Third-Party Cybersecurity Risks

Assessing and remediating cybersecurity risks emanating from third parties is crucial to your broader TPRM program. Here are a few tips you can use when assessing and requesting remediation from vendors:

Map Compliance Requirements to Vendor Controls

If you have obligations under HIPAA, GDPR, NYDFS or other regulations, you must ensure that the vendor meets necessary controls based on the type of data they are handling. Utilizing third-party risk management software like Prevalent can make this step dramatically faster by automatically mapping cybersecurity frameworks used by the vendor to your organization's compliance requirements.

Don’t Be Afraid to Ask for New Controls or Outside Audits

If the organization hasn’t had an outside organization certify that they are compliant with a well-known cybersecurity standard, don’t be afraid to request that they undergo an audit based on a framework (or compliance requirement that your organization falls under). It’s far better to lose a potential contract than to find out later that their self-certification of HIPAA compliance was exaggerated and your organization is liable for a breach as a result.

Understand Processes Around Fourth and Nth Party Data Sharing

You should have a general idea of what outside organizations your vendor is using based on their answers during the intake and onboarding phase. As your organization conducts its formal vendor risk assessment, request the specific policies and procedures your vendor has for sharing data or access with fourth parties. If they don’t have formalized policies and procedures, request that they create them.

Regularly Assess and Remediate Risk

Risk isn’t static. The cyber risk that a vendor poses to your organization will likely change significantly throughout the contract lifecycle. Scope creep can result in vendors taking on additional jobs as they earn trust, which can also allow them to access additional resources that weren’t accounted for in the initial risk assessment. As the contract with the organization evolves, regularly reassess vendor risk to ensure that residual risk remains within acceptable parameters.

Utilize a Shared Library

To accommodate resource constraints, many organizations – especially those with a solid vendor tiering plan – choose to leverage completed content already submitted and shared within an industry exchange. These vendor exchanges are self-fulfilling prophecies – the more vendors that participate, the greater the overlap with other enterprises. This speeds the risk identification and mitigation processes and minimizes the time required to spend collecting data.

Continuous Monitoring for Third-Party Cyber Risk

Even if you regularly conduct risk assessments to monitor for third-party risk, rapid changes to a vendor's risk profile can slip by. Continuously monitoring for changes to your contractor's cybersecurity posture is critical to effectively managing third-party cyber risk. Here is a brief list of sources worth monitoring throughout the vendor lifecycle to ensure you don’t miss a significant security event.

Dark Web Forums

When targeting large organizations, malicious actors will often coordinate and plan attacks on forums only accessible to authorized users using the TOR network. Monitoring dark web forums for mentions of third- and fourth-party vendors can enable you to rapidly identify potential cyberattacks that are in motion or have been executed against third parties.

Dark Web Marketplaces

Dark Web marketplaces like the Genesis Market sell botnets containing browser fingerprints that can be used by malicious actors to bypass 2FA and other controls. Monitoring these marketplaces can enable rapid identification if third-party access is for sale, alerting you to a potential data breach in progress. In addition, malicious actors often sell account access and stolen credentials on dark web marketplaces. These can then be used by other malicious actors to facilitate account takeover and phishing attacks. Monitoring these marketplaces can help you to better understand vendor cyber risk. Some questions to ask:

• Are credentials associated with the vendor or its solutions for sale on the Dark Web?

• Are there any botnets for sale that contain subdomains that would indicate that the victim is an employee of a vendor?

• Has the vendor already identified credentials for sale or is their external risk posture largely unknown to them?

Pastebin & Clearweb Sites

Not all data leaks and stolen accounts are on the Dark Web. In many cases, employees will accidentally leak third-party data that will appear on Pastebin and other public forums. To compound these challenges, malicious actors have also been known to dump files containing thousands of credentials on public access forums. Monitoring Pastebin and other public forums for proprietary information, stolen third-party credentials, and other sensitive data is a key part of conducting continuous third-party monitoring.

Vulnerability Databases

Vulnerability databases, such as the MITRE CVE database, can help your organization to identify exposures in software developed or used by your third-party vendors. Utilizing third-party risk management software can enable you to automatically identify third- and fourth-party software vendors with potential vulnerabilities.

Data Breach Databases

Another important part of third-party cyber risk monitoring is searching for vendors in databases of reported data breaches, like those from Privacy Rights Clearinghouse and the State of California. Even a limited-scope data breach should prompt you to assess the risk to any data shared with the third party. It may also call for a review of applicable regulatory compliance requirements.

Automating the Monitoring Process

Third-party risk monitoring software can help to automate the process of identifying and quantifying vendor cyber risks. For instance, our risk monitoring solution enables you to reveal third-party cyber incidents for 550,000 companies by monitoring 1,500+ criminal forums; thousands of onion pages, 80+ dark web special access forums; 65+ threat feeds; and 50+ paste sites for leaked credentials — as well as several security communities, code repositories, and vulnerability databases.

Third-Party Cyber Risk & Service Level Agreements

Successfully managing SLAs across departments and vendors is crucial to effectively managing third-party cyber risk. Vendors need to be regularly assessed to ensure that compliance requirements are being met, and that additional compliance burdens haven’t been incurred through scope increases. Here are a few key considerations for third-party cyber risk management when managing SLAs.

Automate Where Possible

Manually reviewing hundreds of contracts across dozens of departments and potentially thousands of vendors is challenging to say the least. Using third-party risk management software can enable you to automate key elements of SLA management with built in workflow and remediation.

Write Cybersecurity into the SLA

Ensure that good cyber practices are written into the service level agreement. Specific considerations around data handling, contractor security requirements, staffing background checks, and other provisions can help ensure that third-parties are utilizing effective risk reduction techniques while providing services.

Offboarding, Termination & Mitigating Third-Party Cyber Risk

Not all data breaches happen during a contract. Offboarding and termination represent the final, critical stage in mitigating cyber risk posed by third parties. Many organizations with a lack of maturity in offboarding end up leaving vendors with access to critical data, accounts, and IT infrastructure. Below are a few best practices to use when offboarding vendors.

Keep Compliance in Focus

Ensuring compliance with applicable laws and regulations is key to successfully offboarding vendors. Assess your organization's compliance requirements and ensure that vendor offboarding, data deletion, and validation are all performed in accordance with applicable laws and regulations.

Third-party risk management platforms will have built-in reporting that aligns with these regulatory obligations, which can simplify the compliance process. Many organizations assume that data destruction has occurred upon the contract ending. Take the time to manually validate that all sensitive, proprietary, and regulated data in the vendor's possession has been destroyed.

Validate That Access Has Been Revoked

Keeping up with vendor access, particularly vendors that work across multiple departments, can be difficult. However, it is imperative that you take the time to manually check each department and ensure the vendor has been fully and successfully offboarded across the organization. Leaving a vendor with access to IT infrastructure, accounts, or sensitive information can leave you vulnerable to a data breach or compliance violation months or even years down the road.

Don't Forget Physical Infrastructure

Many organizations rightfully focus on ensuring that vendors no longer have access to cloud servers, databases and SaaS applications. But it’s almost as imperative to not lose sight of the physical security of IT infrastructure and assets. Failing to revoke credentials or inform security teams that a vendor is being offboarded can result in security lapses, and potential breaches should an employee of a third-party vendor act in bad faith.

Managing Third-Party Cybersecurity Risk Throughout the Vendor Risk Lifecycle

Successfully mitigating third-party cybersecurity risk to an acceptable level throughout the vendor risk lifecycle can be daunting. Third-party data breaches continue to mount as new vulnerabilities surface and as attack techniques evolving. Recent events such as the war in Ukraine and heightened geopolitical instability have compounded these risks.

Utilizing a third-party risk management solution can dramatically reduce the effort required to successfully mitigate risks stemming from third-party IT access. The Prevalent Third-Party Risk Management Platform makes navigating the vendor lifecycle dramatically easier. Learn more about our approach by reading our best practices guide, Navigating the Vendor Risk Lifecycle: Keys to Success at Every Stage, or request a demo today.