When organizations examine their cybersecurity and breach response plans, third parties are often only a small part of that. At least, that is true until they start reading the news. Breach after breach is the result of inadequate security at third-party service providers. Managing and monitoring the risks of third parties is critical to a privacy and security program. The Ponemon Institute has some grim statistics about the data risks in third-party relationships in its survey data:
- (Worldwide) 59% of respondents confirm that their organizations experienced a data breach caused by one of their third parties, and 42% of respondents say they had such a data breach in the past 12 months. Additionally, 22% of respondents don’t know if they had a third-party data breach in the past 12 months.
- Only 29% of respondents say a third party would contact them about the data breach. A very small percentage (12%) are confident they would learn that their sensitive data was lost or stolen by a vendor.
Breaking Down The Business Risks Associated with Third Parties
Rapidly expanding data protection, privacy, and cybersecurity obligations (e.g. the California Consumer Privacy Act (CCPA), GDPR, etc.) bring tremendous legal and financial exposure to any business processing personal or confidential enterprise data. For good reason: cybersecurity, regulation and compliance, and data privacy topped the list of CLO concerns for 2021. All too often, vendor management is an understated risk vector in plotting your data strategy, when in reality doing business with outside vendors can be your largest data risk exposure.
The Ponemon study also found that 67% of respondents say the number of cybersecurity incidents involving vendors is increasing, but only 46% of respondents say managing outsourced relationship risks is a priority. This disparity likely accounts for the tragic number of successful intrusions via third parties. It also shows that establishing a specific and systematic effort to ensure the safety of your data with your third parties, and dedicating the appropriate personnel and resources to it, needs to be a priority.
Organizations must have a process for vetting a third party’s data privacy and security controls. These controls must be evaluated against the privacy and regulatory compliance standards of your organization. Any gaps should be addressed by the respective cybersecurity teams. This information must be maintained and constantly renewed to ensure safety and security. Without such a program, an organization will not have visibility into the risks third parties pose to it.
The Risks of Transferring & Accessing Data
Sending valuable data through unencrypted services (like a transfer service, or even regular email) can create data breach risks because hackers can more easily gain access to those systems. For example, consider these two scenarios:
- A third party whose data environment lacks sufficient security is able to access your organizational data.
- A vendor uses a low-security method for accessing client accounts (such as a default password). Depending on the system, that vendor may have total access to the client’s information in an unencrypted data environment, increasing the risk of a breach.
Despite this technical focus, it’s not just an IT problem. Effective risk management requires companies to have an understanding of the specific types of data shared, processed, or managed by each vendor. It can also include requiring your vendors to have certain security precautions in place at the time of contracting in order to properly protect certain sensitive or regulated data.
Before you determine the level of diligence required for each of your vendors, and therefore what risks they pose, you have to understand which elements of your data inventory each of your vendors is able to access. There are five major questions that are critical for every organization to ask regarding its third-party vendors:
- Who are our vendors?
- Which ones touch our data?
- What specific data do they touch?
- What data is relevant to regulations?
- How are they protecting our data?
Third-party vendors must validate their data security processes in order for your business to understand the risks of doing business with them. Organizations should require sufficient third-party security processes in the contract and have the vendor assume liability for a data breach caused by weaknesses in the vendor’s security on systems that connect to the business. But because it isn’t always possible to get everything in writing, leveraging an internal team to help manage third-party risks can act as an additional layer of security.
There are some additional requirements when transferring data between privacy jurisdictions. The most well known of these is Schrems II, which determined that current US laws do not meet the standards of the EU privacy regulations. There is guidance from the European Data Protection Board on specific actions that can be taken when transferring EU personal data to the US (or another non-qualifying country), but none of these have been tested in a regulatory action. In addition to Schrems II, there are other specific privacy regimes that change based on the locality of the data, or are subject to bilateral agreements such as the one between the U.S. and Australia.
Using In-House Teams to Manage and Mitigate Third Party Risks
Part of the trick to complying with data privacy regulations like the California Consumer Privacy Act (CCPA) or the EU’s General Data Protection Regulation (GDPR) is demonstrating oversight and diligence of third parties. In order to prove oversight, it’s critical to use internal teams or assigned employees to track vendor risks and how they’re complying with those regulations.
Some legal departments that have already set up a process for managing third-party data privacy risks start by first forming a data governance committee, which helps ensure defensible practices are adhered to. Outside of the legal team, other members of such a committee would most likely come from IT (including enterprise applications), the procurement team, the third-party vendor manager, and a compliance or information security officer. Having a very strong set of business leaders helps to manage data governance.
Data privacy software, sometimes called vendor risk profiling, is necessary for understanding how third parties may be using your company’s data via their policies and procedures. Vendor risk profiling specifically can help corporate legal departments do four things:
- Gain clear insight into the nature of an organization’s relationships with third parties
- Identify where vendors exceed organizational risk thresholds
- Start taking immediate remediation steps
- Access the necessary reporting to conduct a privacy impact assessment
With the right technology and processes in place, in-house teams can play a key role in helping to manage business risks. An orchestrated, repeatable process that ensures diligence and defensibility will help in documenting these processes, while the technology drives the risk assessment. From there, it should be up to the vendor to ensure that they’re doing what they can to prevent breaches and other cybersecurity risks of their own.
Get a free tour of vendor risk profiling software, and see how your organization can rapidly and accurately profile all of your vendors to ensure compliance with the latest legal and regulatory obligations.