Outsourcing to third-party vendors has become a staple strategy for organizations seeking to streamline operations, reduce costs, and focus on core competencies. Engaging third parties offers real benefits, but it also carries risks that are routinely underestimated or misunderstood. The underestimation usually stems from a belief that the vendor's experts will manage every aspect of the outsourced function with the same dedication and diligence as an in-house team would. In reality, the risk of an outsourced function stays with the organization that outsourced it, and managing that risk is a responsibility it must shoulder itself.
Assuming that a vendor will take care of business continuity planning (BCP), software patching and updates, employee management, and performance management, among other things, is optimistic and ignores the layered nature of risk management. Early in a career it is easy to presume that outsourcing a function also outsources the obligation to oversee it. Seasoned professionals know better: delegation does not mean abdication. A robust third-party risk management (TPRM) program is essential to maintain the integrity, security, and efficiency of outsourced operations.
A comprehensive TPRM program consists of several key components:
At the outset, organizations must identify candidate vendors through a structured selection process that confirms the third party aligns with the organization's strategic objectives and values.
A thorough due diligence review then scrutinizes the vendor's capabilities, its compliance with relevant regulations, and its overall risk profile. This step often receives only cursory attention, which leaves the organization with a surface-level understanding of the risks it is taking on.
Once risks are identified, the organization must decide whether to accept, mitigate, or, in limited cases, transfer each one (for example through contractual terms or insurance).
With a clear understanding of the risks, the organization can negotiate a contract that reflects its risk appetite and spells out the agreed mitigation and transfer arrangements.
Regular monitoring of the vendor's performance against agreed benchmarks, together with periodic re-assessment of the risks, allows the risk management strategy to be adjusted as conditions change.
Finally, the process must cover the orderly termination of the relationship, ensuring that all risks are closed out and that sensitive information and assets are returned, destroyed, or otherwise secured.
Focusing on due diligence and ongoing monitoring, there are several categories of risk an organization must consider:
Vendors must uphold standards that will not tarnish the hiring organization's reputation. Adverse associations can have lasting impacts, as shown by the controversies involving Bud Light and UFC, Kanye West and Adidas, or more recently American Express, which was fined by the Office of the Comptroller of the Currency for inadequate controls over a third-party vendor.
Third parties should have the financial stability and compliance posture needed to avoid problems that could lead to lost revenue or regulatory penalties. Metropolitan Commercial Bank (MCB) illustrates the point: its improper oversight of a third-party program manager used for COVID-19 prepaid cards left the bank non-compliant with Bank Secrecy Act (BSA) requirements and resulted in a $15 million fine.
Organizations should plan for scenarios in which a vendor becomes unable to perform the contracted services. Pano Logic, which abruptly ceased operations and left its clients without support, is an example of this risk materializing.
The IT infrastructure and security policies of third-party vendors must meet the organization's own standards. Vendor-originated data breaches, such as the 2013 Target breach that began with credentials stolen from a third-party HVAC vendor, underscore this necessity.
In conclusion, several best practices should guide the TPRM process:
Managing third-party risk is intricate work that demands sustained vigilance. Organizations must build and maintain TPRM programs that address not only the risks visible at onboarding but also the threats that emerge over the life of a partnership. Done well, this turns third-party engagements into opportunities rather than liabilities.