The surprising thing about data breaches is that they no longer surprise us. We now expect businesses to get hacked. A popular ride-hailing app, an international airline, and a world-renowned brewing company all experienced significant data breaches tied to third parties in the first four months of 2023, and they’re not the only ones.
Hackers are sticking to their 2022 playbook as they target third parties with access to sensitive company information and more vulnerable security protocols. By compromising the weakest link in an organization’s supply chain, cyber criminals gain access to a wealth of critical information that can hinder the operations of the extended enterprise. This strategy led to 63 third-party data breaches last year, cascading into 298 data breaches across impacted organizations. And, thanks to a breakdown in supply chain visibility and third-party transparency, these incidents went undisclosed for an average of 108 days.
New Cybersecurity Regulatory Proposals Target the Third-Party Risks Lurking in the Dark
When organizations lack adequate visibility into their extended supply chains and third-party ecosystems, bad actors can, and will, exploit vulnerabilities. Cyber threats such as distributed denial of service (DDoS), intellectual property (IP) theft, malware, and ransomware pose a persistent and increasing cybersecurity risk to organizations and their suppliers. Economic uncertainty and insecurity, Russia’s war on Ukraine, and China’s ongoing espionage and IP theft have caused some of these incidents of blackmail and extortion, and we can expect more of the same.
The recent rise in cyber attacks has prompted proposed cybersecurity regulations worldwide. In the U.S., public companies await the Securities and Exchange Commission’s final rule, which will clarify whether they must publicly disclose cyber incidents within four business days and submit an annual report on their corporate boards’ cybersecurity expertise. The SEC further expanded its proposal to address cyber risks in the U.S. securities market last month.
Meanwhile, in Europe, organizations in critical sectors, such as pharmaceuticals, transportation, energy, and more, await major changes to cyber incident reporting requirements. By 2024, hundreds of companies working out of Europe’s major ports must comply with fundamental security measures and cyber incident reporting requirements largely for the first time. Non-compliance will result in a fine of up to 10 million euros or 2% of global revenue.
While these global regulations represent a critical next step in tackling today’s cybersecurity threats, identifying breaches and maintaining compliance will require a degree of supplier visibility unseen in enterprise supply chains today. A recent McKinsey survey found that 45% of respondents either had no visibility into their upstream supply chain or could only see as far as their first-tier supplier. To effectively prevent or mitigate third-party data breaches and other cyber incidents, businesses must have a holistic view of every vendor's security risks and operational procedures, as well as a consistent incident reporting framework.
Illuminating the Path to Cyber Resilience with Effective Third-Party Risk Management
Already, there are methods and solutions available to drive greater supplier visibility and transparency to comply with new legislation and detect, deter, and mitigate evolving cyber risks. Business leaders looking to improve their third-party risk management strategies should:
1. Assess the maturity of current risk management practices: Many organizations still rely on outdated, manual processes and systems, such as spreadsheets or emails, to manage their third parties and risks. Disparate systems and the use of manual tools create inefficiencies in supplier onboarding, risk assessments, and risk mitigation processes. With today’s heightened cyber threats and hacker sophistication, businesses must take a more integrated approach to third-party risk management and maintain a single organization-wide inventory of their supplier relationships and risk profiles.
2. Develop a framework to ensure supply chain security and integrity: Companies must perform initial due diligence to identify potential risks before contracting with a new vendor; however, ongoing due diligence throughout the relationship is just as important. Business leaders must institute an always-on, continuous risk-monitoring strategy to account for changes in risk throughout the scope of the relationship, immediately identify critical risks, and take corrective measures to mitigate threats and liabilities.
3. Take a risk intelligence approach to cybersecurity: Relying on lengthy, self-reported surveys can lead to inaccurate third-party information, supplier fatigue, and slow or missing responses. Companies should pair cyber risk rating tools, like Black Kite or SecurityScorecard, with third-party risk management solutions to augment security assessments, gather information to prioritize which third parties to work with on risk remediation, and continuously monitor third parties’ external security posture.
4. Put cybersecurity in the context of unified risk management: Cybersecurity is only one of the many risk domains that organizations have to manage. Other risk domains include ESG, anti-bribery and corruption, ethics, financial risks, and industry-specific compliance issues. Business leaders must look at every type of risk that each of their third parties brings to proactively address any and all threats to their organization.
Taking shortcuts on third-party risk management is not worth the risk. Just one data breach or regulatory violation can cripple an organization’s operations, cause significant revenue loss, and severely damage its reputation in the eyes of its customers, vendors, and the general public.
Business leaders must think big, start small, and grow fast to build a TPRM program that can detect and protect a business from cyber incidents and ensure the security and integrity of their operations. Start by identifying your business objectives, determining which cross-functional roles are needed, and developing a roadmap with a clear outline of each implementation phase. Then, equip your team with blueprints that map the technologies, integrations, and business processes required for each risk domain and set clear metrics to assess the success and progressive business value of your TPRM program.