Third-party risk management: Supporting incident response and rising regulations

October 13, 2023

Hurricane season starts in the summer, when many are enjoying the beaches and warmer water. The summer heat that warms the oceans also provides optimal conditions for low-pressure systems to develop into stronger tropical storms and eventually hurricanes. Data breaches are similar. Unnoticed low-pressure environments, created by a lack of oversight or poor third-party controls, produce vulnerabilities that bad actors exploit.

Exploiting a vulnerability is like a tropical storm: little harm is done up front and the event can dissipate quickly. However, cyberstorm hurricanes form and intensify when exploitation of a vulnerability leads to damage in the form of ransomware, personal information sold on the black market and an organization’s reputational damage.

Much like interconnected ocean currents feed the growth of hurricanes, interconnected business ecosystems create an environment in which bad actors can gain unauthorized access to integrated networks. Such intrusions are an unfortunate norm and can create widespread impacts in the digital world.

Integrated networks normally connect through an organization’s third, fourth or nth-degree parties, and those parties are typically the target of digital threats. As reliance on external vendors for cybersecurity becomes the common trend, third-party risk management is reinforced as a core component of an organization’s success.

Data breaches, like hurricanes, are inevitable in even the most secure environments. Organizations can establish a comprehensive approach to mitigating cybersecurity risk that integrates third-party due diligence, ongoing monitoring and incident response into their risk management strategy. Such a strategy also requires continuous vigilance to create a robust line of defense against threats.

Establish due diligence best practices

Preventing third-party data breaches begins with due diligence in the onboarding process. Holistic risk screening tools, like questionnaires, interviews, industry-specific assessments and onsite audits, support the risk rating calculation of a potential third party.

Once due diligence is completed, establish domain-specific monitoring processes to identify when a third-party incident occurs and any potential negative impacts. Third Party Risk Management (TPRM) platforms, supported through procurement or as a stand-alone solution, are the building blocks of the ongoing monitoring processes by automating information processing and workflows. Such technology accelerators provide valuable third-party insight and allow organizations to respond swiftly to unwelcome news.

Organizations must have a clear understanding of how third parties conduct due diligence on their own vendor networks to ensure comprehensive risk management across the third-party lifecycle. Vendors at all levels should be carefully documented, and organizations must also confirm these vendors have established their own robust risk management frameworks to protect against external threats.

The role of ongoing monitoring

In a constantly evolving cybersecurity landscape, regular ongoing monitoring is a necessity to ensure third-party policies, procedures and security infrastructure align with the organization's requirements. Reassess third parties routinely based on the third-party’s inherent risk rating. Review changes in critical IT infrastructure, data management policies and cybersecurity practices to identify vulnerabilities and ensure they meet current standards.

Paying close attention to industry news and current events can help firms draw connections between major incidents and their own third parties. Use media screening and business intelligence tools to help identify linkages between significant events and outsourced activities.

Incident response planning is critical

In the event of a cybersecurity incident, have a detailed and thorough incident response protocol prepared. Replicate the reporting avenues and escalation hierarchies established in Business Continuity Plans (BCP) by clearly communicating requirements and documenting processes across the organization. This may include regulatory requirements for disclosure of security breaches.

Incident response best practices include establishing preventative measures such as routine patching, software updates and network monitoring. Most importantly, simplifying collaboration and communication throughout the supply chain helps organizations respond quickly when breaches occur.

The rise of heightened regulations

In response to the increasing frequency and impact of cybersecurity incidents, the SEC has adopted rules to standardize the disclosure of cybersecurity practices and material incidents. The latest adopted rules, which went into effect on August 26, require public companies to disclose cybersecurity risk strategies annually and disclose material incidents within four days of their discovery.

This recent change highlights the importance of open communication in incident response strategies, and organizations will need to include these adopted rules and procedures as part of annual reporting and incident response protocols.

The SEC has also increased the scrutiny of leadership in assessing and managing material risks. Combined with joint guidance from the Office of the Comptroller of the Currency (OCC) and the Federal Reserve Board (FRB), the responsibility of organizational leadership to drive risk mitigation efforts is more vital than ever.

CEOs and other executives are responsible for setting the tone of business direction and operational goals, which means they must proactively engage stakeholders in risk mitigation discussions and foster a culture of awareness and accountability to create cohesion throughout the due diligence, monitoring and incident response processes.

To successfully address the growing overlap between cybersecurity and third-party risk and protect the organization’s operational, reputational and financial interests, active engagement from leadership is essential.

Shore up your third-party risk management

The rapid increase in cybersecurity incidents underscores the need for rigorous due diligence, continuous vigilance and collaborative efforts to safeguard sensitive data. As regulatory and public scrutiny tightens, organizations have a compelling reason to invest in robust third-party risk management frameworks.

By learning from past incidents and integrating proactive risk assessments, continuous monitoring and well-defined incident response plans, businesses can navigate the intricate web of third-party relationships with confidence.

About the authors

Robert Jones

Robert is a Senior Manager with NTT DATA’s Risk and Compliance Practice. He is a seasoned risk professional known for strategic thinking and ability to optimize operational efficiency. With more than 20 years of experience in finance, compensation, and payables, Robert has served clients in the banking, real-estate, technology, construction, city government, higher education, and manufacturing industries.

Jessica Teeter

Jessica is a Senior Consultant with NTT DATA’s Risk and Compliance Practice. She holds a degree in international business and global supply chain and operations management from the University of South Carolina. Jessica has extensive experience in process optimization, third-party risk management and financial compliance and has served several clients across the banking, financial services, and healthcare industries.
