Why Third-Party Monitoring Should Include Cyber and Business Risks

In study after study, third-party risk management teams say they are primarily concerned with the impact of third-party security incidents on their company’s operations. Therefore, continuously monitoring for cyber signals – such as activity in dark web criminal and special access forums, onion pages, and paste sites for leaked credentials, as well as public security communities, threat feeds, code repositories, and vulnerability databases – is a must-have capability for understanding the third-party risks posed to your organization.

However, companies often overlook how the possible knock-on effects of business, financial, or reputational risks may impact a third-party vendor’s compliance posture or security hygiene. In this post, we examine the top 14 business insights that can predict a potential third-party security problem, and how a combined approach to assessments and continuous monitoring works effectively to reduce third-party risk.

Top 14 Common Business Insights for Third-Party Cybersecurity Risk Management

Negative news about a vendor, such as financial problems, data breaches, or regulatory violations, can serve as an early warning of potential security risks. By monitoring such news, cybersecurity professionals can take proactive measures to assess and mitigate the impact on their organization's security posture. Here are 14 news topics to monitor as part of your TPRM program:

Financial Instability

Significant changes in a vendor’s financial performance, such as unexpected losses, revenue declines, bankruptcy filings, or accounting irregularities may indicate resource constraints that could impact their ability to invest in cybersecurity controls or result in cost-cutting measures that compromise security or increase the likelihood of insider threats.

Layoffs and Labor Disputes

Layoffs and labor disputes can create distractions and disruptions within an organization, diverting attention and resources away from cybersecurity efforts. This can result in gaps in security monitoring, delayed incident response, and overall decreased resilience to cyber-attacks.

Layoffs or labor disputes may also result in reduced staffing levels or the departure of skilled cybersecurity professionals, leaving organizations understaffed and lacking essential expertise to manage security effectively. This can increase the risk of security incidents going undetected or unresolved, making the organization more vulnerable to cyber threats.

Insider Threats

Disgruntled employees who feel unfairly treated or are facing job loss may pose an increased risk of becoming insider threats. They may retaliate by stealing sensitive data, sabotaging systems, or engaging in other malicious activities that could compromise cybersecurity.

Social Engineering Attacks

Employees are susceptible to social engineering attacks, such as phishing or pretexting. Attackers may exploit their emotional state or financial concerns to trick them into disclosing sensitive information, clicking on malicious links, or performing unauthorized actions that compromise security.

Mergers & Acquisitions

Monitoring vendor merger and acquisition (M&A) activity is crucial. Changes in ownership or corporate strategy can impact cybersecurity, such as changing security policies, infrastructure integration challenges, or exposures to new risks from acquired entities.

System Outages and Downtime

Unexpected system outages or downtime can be indicators of compromise, such as denial-of-service (DDoS) attacks, ransomware incidents, or infrastructure failures. Monitoring system availability and performance metrics and staying abreast of critical outages helps identify and mitigate potential cyber threats affecting critical services and infrastructure.

Regulatory Violations

Regulatory violations, such as non-compliance with data protection laws or industry standards, can indicate a lack of commitment to security and privacy best practices. Non-compliance may result in fines, legal penalties, and loss of trust from clients who rely on the vendor to handle their sensitive data securely.

Incident Response

Negative news about security incidents can highlight the vendor's handling of security incidents, such as delayed or inadequate responses, and raise concerns about their ability to effectively detect, mitigate, and recover from cyber threats. A poorly executed incident response can exacerbate the impact of security incidents and erode trust in the vendor's ability to protect client data.

Data Breaches

Sometimes media outlets highlight incidents before a company has formally disclosed that a data breach has occurred. This can enable a team to proactively reach out to vendors and/or suppliers directly impacted or susceptible to a software supply chain attack.

Involvement in Cyber Espionage or State-Sponsored Hacking

If a vendor is found to be associated with or sanctioned for involvement in cyber espionage or state-sponsored hacking activities, it can indicate significant security risks. Such actions may compromise the confidentiality, integrity, and availability of data and systems, posing threats to the vendor's clients and partners.

Sanctions

Negative news related to violations of export controls or technology transfer regulations indicates potential weaknesses in the vendor's compliance and risk management practices. These violations may involve the unauthorized transfer of sensitive technologies or intellectual property to sanctioned companies or individuals, opening the door to security breaches and regulatory penalties. Common sanctions lists include those maintained by the Office of Foreign Assets Control (OFAC) of the U.S. Department of the Treasury and the UK Sanctions List.

Ultimate Business Owner

If the vendor has business relationships or partnerships with entities known for engaging in malicious cyber activities or supporting cyber adversaries, it can raise red flags about the security risks associated with those connections. Such ties may expose the vendor and its clients to espionage, sabotage, or other cyber threats. The Specially Designated Nationals (SDN) and Blocked Persons list, published by the U.S. Department of the Treasury, contains a list of individuals and companies owned or controlled by, or acting for or on behalf of, targeted countries.

Targets for Cyber Attacks

Politically exposed persons (PEPs) are often high-profile targets for cyber-attacks due to their access to sensitive information and their potential to influence political or economic decisions. Cybercriminals may target PEPs with phishing attacks, malware campaigns, or other tactics to gain unauthorized access to their systems, steal sensitive data, or compromise their communications. Several government agencies, regulatory bodies, and information libraries such as the FFIEC and LexisNexis maintain PEP lists to counter such activity.

Geopolitical Developments and Political Instability

Tracking geopolitical tensions, international conflicts, trade disputes, and political instability helps organizations assess geopolitical risks, market volatility, and regulatory changes that may impact global operations, supply chains, and investment strategies. Geopolitical events can also increase cybersecurity risks, such as state-sponsored cyber-attacks or espionage activities.