Third-Party Risk Management: A Globally Accepted Approach

By Nikhil Singhvi S Cyber Technology Risk Consultant, Grant Thornton Bharat LLP

Today, organizations rely upon third-party service providers to deliver a wide range of services, which may include processing credit card data, billing for medical services, cloud hosting services, software as a service (SaaS), platform as a service (PaaS), etc.—almost anything can be outsourced in today’s extensive market.

The use of a third-party service provider may reduce management’s direct control over the activities at hand, but it simultaneously increases the need for oversight of those activities from start to finish. Without proper third-party risk management (TPRM), third parties may cause harm to their client’s customers, operations, reputation and—ultimately—their financial viability.

Global Outsourced Market:

Source: https://www.statista.com/statistics/189788/global-outsourcing-market-size/

Let’s look at some third-party-related data breaches and their consequences.

Major Supermarket

A major supermarket chain in the U.S. faced a cyber-attack in November 2013 that resulted in the theft of 70 million records, including details of their shoppers’ addresses and phone numbers, and the theft of 40 million debit and credit card details.
The initial intrusion into its systems was traced back to network credentials stolen from a third-party vendor, followed by a malware-laced email phishing attack sent to employees of that vendor organization.

It is estimated that the organization could be facing losses in excess of $400 million as a result of this breach, including reimbursement associated with banks recovering the costs of reissuing millions of cards; fines from the card brands for Payment Card Industry (PCI) non-compliance; and direct customer service costs, including legal fees and credit monitoring for tens of millions of customers impacted by the breach.

Infrastructure company fine under FCPA

A non-U.S. headquartered multinational corporation, with interests in electricity generation and transmission as well as rail transport, was fined $772 million USD in December 2014 for violations against the Foreign Corrupt Practice Act (FCPA). This was a result of the inappropriate conduct of third parties as well as ineffective due diligence and corporate control over said third parties.

Bank fined £1.9 million in May 2019 as FCA and PRA focus on outsourcing failures

A small retail bank offering financial services, including prepaid card and charge card programs in the UK and Europe, suffered a TPRM-related incident in 2015. The bank’s card services are provided with the assistance of a third-party card processor. This third-party processor carries out services that are critical to the operation of the card program (e.g., authorizing and processing card transactions).

The third-party processor suffered an incident on Christmas Eve 2015, following a technology malfunction. The incident had widespread impact, with the third party not being able to provide authorization and processing services for more than eight hours. During this period, 3,367 customers were unable to use their prepaid cards and charge cards. In total, the card processor was unable to authorize 5,356 card transactions at ATM machines, point of sale terminals, and online.

The Financial Conduct Authority (FCA) and the Prudential Regulation Authority (PRA) noted that the outsourcing agreement between the bank and their third party was not fit for disruptive events occurrence. Also criticized was the inadequate oversight and governance of the bank’s outsourcing arrangements.

Risk Landscape

Though the third-party threat landscape is broad, it is still finite. Proper planning will determine what risks play an important role in your organization and what mitigating controls are required. There are various types of risk an organization is exposed to:

Geographical Risk
Reputational Risk
Financial Risk
Digital Risk
Regulatory Risk
Security and Privacy Risk
Operational Risk
Strategic Risk
Business Continuity and Resiliency Risk

Third-Party Lifecycle

chart showing Lifecycle of Third Party

Strategy & Planning: Develop sourcing strategy, determine and define needs, consider cost/benefits.
Evaluate & Select: Perform a risk assessment to identify risk and perform due diligence.
Contract & On-board: Define contract terms; incorporate risk, compliance, performance requirement, and time frame.
Manage & Monitor: Monitor relationship and performance on a periodic basis and communicate to each and every vendor accordingly.
Terminate, Off-board, or Renew: End of contract, relationship or renewal.

HITRUST: A Unique Approach to Information Risk Management and Compliance

There are many standards which we can use as a basis for implementing and complying with Vendor Risk Management controls, such as:

NIST,
ISO 27001, and
COBIT

However, HITRUST has developed a variety of unique programs and solutions which can be leveraged by organizations of any size or complexity to aid in managing third-party risk, including:

The HITRUST Assessment XChange™, and
The HITRUST Third-Party Assurance Program.

The HITRUST Assessment XChange

The HITRUST Assessment XChange (the XChange) is a third-party risk management solution that is both comprehensive and modular, incorporating the three vital components of people, process, and technology. The XChange team streamlines and simplifies the process of managing and maintaining risk assessment and compliance information from third parties. Just a few benefits of using the XChange include:

Effectively engaging third parties and identifying the appropriate individual(s) responsible for responding to risk assessments and compliance information requests,
Educating third parties on TPRM processes and communicating expectations and requirements,
Facilitating real-time engagement between organizations and their third-party community via the XChange Manager portal,
Providing a consistent and transparent reporting mechanism that is backed by HITRUST’s Third-Party Risk Management Methodology, and
Facilitating the electronic delivery of completed risk assessments into an organization’s existing GRC or VRM platforms.

HITRUST Third-Party Assurance Program

The HITRUST Third-Party Assurance Program helps organizations streamline their third-party risk management processes by applying the HITRUST CSF® framework, which includes multiple standards, frameworks, and globally accepted best practices. An increasing number of organizations are now requiring their third parties to undergo a HITRUST assessment. By doing so, these organizations are reducing or eliminating their proprietary information security questionnaires and on-site audits for those third parties. Benefits of adopting a “One Framework, One Assessment” approach include:

Cost and time savings,
An always-evolving approach, found in the HITRUST TPRM Methodology, and
A comprehensive framework that enables evidence of compliance with multiple frameworks, regulations, and best practices.

With increases in reliance on third-party services, the need to manage third-party risk is greater than ever—and only becoming more prevalent. HITRUST can help ensure that your organization’s TPRM efforts are effective by offering streamlined solutions that help you obtain vital assurances of compliance and risk management from your third parties. For more information, visit our webpage or speak with a HITRUST professional by reaching out to info@hitrustalliance.net.

About the Author

Nikhil is a Certified CSF Practitioner and an Associate CISSP, CISM, and PCIP Qualified professional. He comes with experience in IT Risk Advisory and Cybersecurity, With rich domestic and international experience in areas of HITRUST Assessment, SOC 2 Audits, ISO 27001 Audit, Cyber Security maturity Assessments, IT General Controls reviews, and Information Security assessment. He has been working on BFSI and TMT vertical. He has a unique ability to bring both creativity and discipline to finding solutions for even the most complex challenges his clients face.