5 Things to Know About Third-Party Cyber Risk
An emphasis on maintaining effective cybersecurity has increased in recent years, especially with the frequency of high-profile incidents in the news and regular notifications from service providers regarding exposure of customer information. Despite this enhanced understanding, organizations often overlook a common but less conspicuous issue – third-party cyber risk. “In the last several years, indirect attacks – successful breaches coming into an organization through third parties – have increased from 44% to 61%.”[i]
This issue is challenging to manage because multiple types of cyber risk can be introduced via third parties. Sharing information or data with a supplier can create exposure to vulnerabilities, especially if that entity does not have critical protections in place. Furthermore, any connected entity within an organization’s digital ecosystem presents an opportunity for a threat actor to maliciously leverage access to networks and launch a larger attack.
Addressing third-party cyber risk requires many functions within a company to be fully coordinated. It is a shared responsibility, and these threats should not be siloed into only one corporate department. Cybersecurity challenges impact all teams within an organization, and developing an approach that addresses the issue holistically is vital to managing and mitigating risks stemming from third parties.
Cybersecurity Considerations
- Determining cybersecurity maturity of third parties. Speed often takes priority over security, but taking the time to evaluate the cybersecurity programs of a potential vendor before going into business with them will pay off in the long run. Their risk and vulnerabilities immediately become yours once access is granted. For current vendors, organizations should determine if these entities are regularly assessing their cybersecurity, as well as evaluate if the existing level of access is appropriate. In other words, choose vendors that prioritize security and only grant them access to networks and information they need to perform their hired role.
- Identifying critical vendors. For organizations that leverage multiple third parties, identifying which ones are critical to daily operations and/or have access to sensitive information and ensuring they are properly protected is essential. This triage will reduce downtime and damaging impacts during a cybersecurity incident by allowing organizations to develop tailored incident responses and business continuity plans that account for critical vendors.
- Deciding how to treat third-party risk. If the risk level presented by a third party is outside the comfort level of an organization, establishing a remediation plan is vital. Third-party cyber risk should be handled in the same manner as traditional risks, e.g., financial or operational. Organizations must decide how to proceed by mitigating, eliminating, reducing, accepting, or transferring the risk.
- Moving beyond compliance. While achieving compliance helps promote better cybersecurity practices, the speed at which cyberattacks move suggests that compliance alone may not keep pace with new threat actor methods.[ii] Regulatory requirements serve more as a deterrent for poor behavior than as the basis for a proactive approach to cybersecurity that promotes readiness and resilience. Organizations solely focused on compliance will continue to face significant third-party cyber risk.
- Using available resources. If improvements to cybersecurity programs are identified, whether during an assessment prior to hiring a supplier or in review of an existing vendor’s practices, organizations should work with these interconnected entities to ensure they are maintaining proper security controls, policies, procedures, and tooling. Their risk should be viewed as your risk, so by shoring up vulnerabilities and weaknesses in their processes, your organization is improving its own protection as well.
Properly managing third-party cyber risk can seem daunting, especially for organizations that rely on multiple vendors for daily business operations. However, coordinating cybersecurity considerations into a holistic risk mitigation strategy will help reduce threats posed by connected entities and ultimately position the organization to improve prevention and response capabilities.
[i] “Global Cybersecurity Outlook 2022”, World Economic Forum (January 2022), https://www3.weforum.org/docs/WEF_Global_Cybersecurity_Outlook_2022.pdf.
[ii] Jordan Rae Kelly, “Will Proposed SEC Cybersecurity Disclosure Rules Enhance Defenses or Hamper Responses? There’s Still Time to Assess and Comment,” Corporate Compliance Insights (April 6, 2022), https://www.corporatecomplianceinsights.com/sec-proposed-cybersecurity-consequences/.
Written by: Brian Hale