Insider Threats

Why Enterprises Need to Take a Holistic Approach to Third Party Risk Management


A fine line runs through the grey area between insider threats and external threats. While insider threats are posed by employees with direct access to internal networks, external threats are perpetrated by malicious cybercriminals lurking beyond the enterprise boundaries. On this fine line, however, stands a deadly combination of the two: third-party threats.

Third parties are entities that an enterprise works with directly, comprising upstream partners such as vendors or manufacturers, and downstream partners such as distributors and resellers. Despite being separate entities, they are often granted access to proprietary networks and data or are in direct custody of it, putting them in a prime position to jeopardise enterprise operations. According to our recent ‘Insider Threat Report 2022 – Singapore Edition’ [1], 80% of enterprises felt that the risk of insider attacks by third party vendors is increasing drastically.

Aimed at preventing this, Third Party Risk Management (TPRM) takes a holistic approach to identifying and minimising the risks associated with dealing with third parties. It addresses not only cybersecurity threats but also operational, regulatory, financial and reputational risks. By continuously monitoring and analysing these, enterprises are able to make risk-informed decisions and improve their risk visibility.

The TPRM journey

With vendor relationships typically spanning many years and multiple operations, TPRM is required at every step of the vendor lifecycle. Procurement is where this begins – due diligence requires quick and easy access to data on shortlisted vendors and RFPs, including previous projects, financial information, industry recommendations and regulatory compliance. For example, a hospital seeking database solutions would need insights into which vendors are HIPAA-compliant.

While traditional risk management would end here, TPRM continues to evaluate risks as vendors are onboarded and granted entry into the enterprise systems they need. This requires procurement and IT teams to work together to establish access rules as well as automated processes for inventorying new vendors and collecting the necessary documentation such as supplier forms.

As projects roll on, monitoring the risk profiles of vendors is key to ensuring that enterprises are not caught out by sudden breaches or disruptions. This involves calculating and re-calculating risk scores at regular intervals as well as assessing internal controls, based on customised assessments, external intelligence or evidence of renewed licenses or certifications. TPRM solutions such as the Prevalent Third-Party Risk Management Platform use these risk scores to categorise vendors and recommend action plans for restoring their risk levels.

A key component of risk management is performance management – continuously evaluating the ability of third parties to meet project requirements and specified KPIs enables enterprises to better assess the impact of any shortfalls. For instance, a centralised platform for comparing SLAs with project performance allows vendor management teams to identify any deadline overruns that may disrupt operations or create additional costs.

Despite being the last step in the TPRM lifecycle, offboarding is considered a crucial juncture at which enterprises can safeguard their networks from post-contract risks. Whether it is initiated by partnership terminations or an unsatisfactory risk profile, TPRM ensures final obligations are met, access rules are revoked across all vendor endpoints and sensitive data is either recovered or destroyed.

Single pane of glass

Just two months ago, Twilio was hit by a data breach that quickly escalated into a global supply chain attack when clients such as Okta had their customer OTPs exposed. The far-reaching impact of third-party risks highlights not only the importance of TPRM but also the need for an automated and unified TPRM solution. Our recent partnership with Prevalent aims to provide just this, by equipping enterprises with a single-pane-of-glass SaaS solution that automates critical tasks required to select, onboard, manage and monitor third parties. With this, enterprises are able to better navigate their third-party relationships and steer clear of third-party disruptions and attacks.

Sources:

[1] Insider Threat Report 2022 – Singapore Edition, Halodata, June 21, 2022, https://halodata.asia/SG-insider-threat-report

Synopsis

This article discusses the topic of third party risk management (TPRM) and how enterprises can implement it across different phases of the vendor management lifecycle. It also explores key requirements for holistic TPRM and potential solutions that meet these needs.
