3rd Party Vendor Security Risk Assessment

Organizations are associated largely with 3^rd parties for several complex services which support their ecosystems. Due to this ecosystem, success of the organizations is directly proportional to the governance risk & compliance of 3^rd parties. This means a lack of appropriate security controls within third parties will adversely impact the business.

Some Facts –

• “The alarming aspect of a third-party data breach is the sheer scale of impact. Hackers have the potential to attack thousands of organizations in one fell swoop. According to a study by KPMG, 73% of organizations have experienced at least one significant disruption from a third-party cyber incident within the last three years.”
• “A total of 98% of organizations worldwide have integrations with at least one third-party vendor that has been breached in the last two years, according to a report released Wednesday from Security Scorecard and the Cyentia Institute. 
• Third-party vendors are five times more likely to exhibit poor security, the report found. Half of the organizations have indirect links to at least 200 fourth-party vendors that have suffered prior breaches. 
• The information services sector maintained on average 25 vendor relationships, which is the largest number of any sector and more than double the overall average of third-party vendors, which was 10. Healthcare averaged 15.5 vendors and the financial services industry averaged the lowest number, with 6.5.”

Some of the costliest data breaches begin with third parties. Data, being the most critical asset for organizations, face specific problems of managing confidentiality, integrity, availability & privacy cyber risks of data which flows across third parties (service providers and subcontractors). As the data is processed, stored, or transmitted by third parties, it changes ownership multiple times, often containing information directly identifying their business/customers and travels throughout the ecosystem. Being the custodians, third parties shall have responsible security protocols that will best protect the organizations from Reputational, Operational, Regulation & Financial Risks.

Lack of Access Management – Granting excessive privileges leads to Privilege Creep.

Lack of Patch management – Missing on applying system & software security patches.

Lack of Security Testing – Lack of security testing involving dynamic & static testing.

Lack of Secure Design – Lots of vendors lack secure design of infrastructures & applications.

Lack of Incident Detection & Response – Inconsistency in SIEM & Log management activities

Lack of Business Continuity & Disaster Recovery Plan – No plans exist for few vendors. Inconsistent or insufficient tested plans.

The scope of 3^rd Party Vendor comprises of multiple complex domains to provide services.

The AML-CFT Law¹ defines money laundering as engaging in any of the following acts wilfully, knowing that the funds are the proceeds of a felony or a misdemeanour (i.e., a predicate offense): 

The services can be categorized and properly assessed to evaluate the upstream & downstream of data handled by a 3^rd party.

Few actions to limit risks:

1. Agreeing on mutual non-disclosure agreement (MNDA) with proper data disclosure clauses.
2. Agreeing on Data Processing & Handling agreements defining data transfer, access, deletion, processing boundaries.
3. Agreeing on conducting regular gap assessment for 3^rd parties based on industry standards like ISO27001, HIPAA, NIST, COBIT.
4. Agreeing on conducting regular Vulnerability Assessment & Penetration testing.
5. Agreeing on implementing/following organization’s security controls.
6. Agreeing on implementing & maintaining security certifications like ISO 27001, ISO 27701, PCI DSS, HIPAA, SOC 1, SOC2, NIST etc.

1. Lack of contractual agreement around security testing, data processing & data handling.
2. Lack of understanding types of data that will be accessed, transferred, stored, or processed by the 3^rd party vendors.
3. Lack of Escrow agreement for organizations using 3^rd party software.
4. Lack of Business Impact Assessment on 3^rd party services.

At AKW Consultants, we specialize in cyber security and IT solutions designed to safeguard your business from emerging threats. Carrying out 3rd party risk assessments is our forte. Contact us to learn more about how we can protect your business in the digital age: info@akwconsultants.com