In today’s business landscape, it is nearly impossible to work alone. You have to collaborate with clients, vendors, suppliers, specialists, and plenty of other partners all considered third parties to your organization. As a result, partner organizations have access to sensitive and confidential data about your company and your customers, or they support a critical business process. Your organization needs to understand and manage the risk exposure that these third parties present.
Traditionally, security teams have tried to understand ongoing third-party risk by using annual security assessments. However, this method poses several challenges to security teams.
Assessments are time-consuming. With some questionnaires approaching thousands of questions, and many organizations working with hundreds or thousands of third parties, assessments can take a great deal of resources to put together, fill out, review, and analyze once they are returned.
Due diligence isn’t enough. One-time due diligence when onboarding third parties is not sufficient for mitigating enterprise risk. Security and risks change quickly. In between assessments, potentially major security incidents or changes to security posture may happen without your knowledge. For example, if a third party was assessed pre-COVID, their environment and operations may look drastically different in a matter of months, as employees work from home and potentially expand remote access to data globally.
Assessments are only as good as the person filling them out. What guarantee do you have that the assessment has been filled out accurately, honestly, and objectively?
This does not mean that assessments or due diligence are a thing of the past.
Cybersecurity assessments are an essential part of any third-party risk management (TPRM) initiatives, and required by any integrated risk management program. Think of these assessments as the inside-out view of vendor cybersecurity risk: They help you understand the overall maturity of the third party’s cybersecurity program and identify gaps in program design or execution.
But accurate assessments still require us to continuously and passively monitor third parties throughout the life of the vendor relationship. Continuous monitoring can supplement a strong TPRM assessment program by providing ongoing indicators of a third party’s security posture. In that way, continuous monitoring can become the eyes and ears of a mature TPRM program by constantly evaluating critical information to help the organization make informed decisions.
Continuous monitoring is exactly what it sounds like. You identify key risks your organization needs to monitor and manage regarding third parties, and track them continuously, often in real-time. Continuous monitoring gives the organization visibility into the ongoing risk posture of third parties, so risks and vulnerabilities can be identified as soon as they happen, or even before they occur.
Some of the risks that should be incorporated into a continuous monitoring program include:
- Data security operations
- Data security environment
- Network security
- Fourth parties
5 Benefits of Continuous Cybersecurity Monitoring of Third-party Risks
1. Mitigate Third-Party Risk Exposure
Continuous monitoring gives you timely insight into your third parties’ security posture. Actions, such as a change in security rating or an applicable regulatory change, can trigger the need for an assessment, instead of a calendar date. This ensures that the assessment is triggered by the need to actually conduct one and potentially prevents unacceptable risk from being introduced into the third-party environment simply because it isn’t time for reassessment yet.
2. Increase Effective Resource Allocation
Third-party risk assessments provide visibility into potential issues. The assessment can be scoped to focus on areas with significant issues or changes. This can save significant time and resources, especially if you work with hundreds or thousands of third parties.
3. Reduce Time and Cost of Assessments
How often should you assess your third parties? Criticality is often the key factor. If you risk rank third parties, which mature programs do, continuous monitoring can help set efficient reassessment schedules. Some critical third parties may need to be assessed every few months if they have a significant change to security posture; while a low-risk third party with no change to their rating or risk vectors might need to be reassessed once every few years. This can significantly reduce the amount of work in the pipeline for your security team, as well as reduce risk to the organization.
4. Identify Objective Risks
Monitoring third-party cybersecurity postures can also add valuable objective context to assessments from vendors. Are they really patching regularly? Do they regularly scan for malware?
5. Reduce Potential Breaches
By analyzing for potential vulnerabilities and reporting them within the platform, cybersecurity teams can quickly gather accurate, current information during an assessment. Additionally, timely analysis allows the team to control thresholds and configure alerts based on the organization's risk tolerance and critically identified issues, such as a newly exposed database or a security breach, so you can act quickly to avoid costs and limit reputational damage.
5 Steps to Prepare for Continuous Monitoring in Your TPRM Program
The benefits of continuous monitoring an organization’s third-party risk program are clear - but how is this accomplished?
Step 1: Identify and Create Policies and Procedures
Before your organization sets up its continuous monitoring mechanisms, first consider the third-party risks you most want to monitor. Start by identifying the risk levers that expose the business to the biggest or most-likely losses. In March 2020, the Office of the Comptroller of the Currency published “Third Party Relationships: Frequently Asked Questions,” which is an excellent guide; the OCC is the United States’ top regulator of community banks.
Step 2: Map Risk Data to Internal Controls
Organizations should take the opportunity to look at their third-party assessment questions and procedures that already exist, and map those to risk data to gain an integrated understanding of the risk posed by each third party.
The mapping process should determine:
- Which third parties and suppliers should be covered by monitoring
- What data should be collected
- How the data triggers a further investigation
- What the remediation actions look like
- The frequency with which data should be analyzed (daily, weekly, monthly)
Step 3: Run a Pilot Program with a Few Vendors
Rather than rolling out continuous monitoring across all third parties at once, consider starting a pilot program with a select group of vendors for one or two business quarters. These vendors can help identify an efficient workflow for responding to remediation requests, and clarify company expectations of third parties.
Step 4: Formalize the Program
Before your organization rolls out continuous monitoring across all third parties, start having conversations with them to set expectations. Be upfront about what the continuous governance model looks like and what it means for them as a supplier.
Explain how continuous monitoring tools collect data, and what certain findings will require them to remediate to maintain good standing as a supplier.
The global pandemic, social unrest, and other factors have made businesses more reliant than ever on third-party relationships. In an unpredictable third-party ecosystem, manual assessments do not capture the true scope of cybersecurity risk to businesses. Continuous monitoring increases the operational efficiency and effectiveness of a third-party risk management program, which has become essential in our risk-prone “new normal.”
Learn how your company can improve its risk and compliance program with ongoing monitoring.