Third-Party Cyber Risk Management Falls Short
A new study conducted by Ponemon Institute and sponsored by global third-party cyber risk exchange CyberGRX, found a persistent theme still holds: “Organizations and third parties see their third-party cyber risk management (TPCRM) practices as important but ineffective.”
More than half (53 percent) of the 600 IT security professionals surveyed, all of whom are directly involved in managing their organizations’ TPCRM programs, reported a third-party data breach in the past two years, costing them on average $7.5 million, yet they see no changes in the TPCRM market in response.
“The current state of third-party cyber risk management is failing,” said David Monahan, senior analyst, Enterprise Management Associates (EMA). “It is far too manual and therefore does not scale. To add to that, most of the programs rely on qualitative information that is often poorly verified. This generates a huge amount of labor for results that, as the research shows, hold little confidence on both the part of the target of evaluation and the recipient. We must move to a far more scalable and quantitative method of evaluation to reduce third-party cyberexposure and bring confidence back to this process.”
The retail sector reports the most third-party data breaches, while financial came in second. The technology and software sector was found to be most likely to have multiple third-party data breaches, and surprisingly, 41 percent said they still use manual procedures for third-party assessments. The health and pharma sector experienced the fewest such breaches and was far more likely to use a combination of tools to assess third-party cybersecurity practices.
Bottom line, the study found that “current practices and technologies used to support TPCRM and assess third parties are costly, inadequate and inefficient.”
The study identified three key ways organizations can improve their TPCRM programs:
- Invest in better assessment and vetting tools which can increase effectiveness in TPCRM and decrease the cost of maintaining the program.
- Don’t apply the same approach to all third parties. Take the time to prioritize third parties and apply an appropriate level of due diligence to them. This will reduce costs and increase efficiencies in the long run.
- Centralize control over TPCRM budgets. Currently, TPCRM budgets are dispersed throughout the organization, which can make the allocation of resources inefficient because of competing interests.
MSSP Opportunities and Challenges
MSSPs can help their clients work through a checklist to strengthen and automate some processes in TPCRM. MSSPs can also look at consolidations among third-party providers as new opportunities to meet evolving cybersecurity needs in several sectors.
“Significant consolidation among [third-party service providers] caused large numbers of banks – especially community banks supervised by the FDIC – to rely on a few large service providers for core systems and operations support,” the FDIC Inspector General wrote. “As a result, a cybersecurity incident at one TSP has the potential to affect multiple financial institutions.”
While third-party risk is on the rise, so are MSSP opportunities to mitigate it for clients; however, failing to take proactive steps to reduce these risks may create new liabilities for MSSPs, which are, after all, third parties themselves.