NAFFS Staff Report

There are four phases of a third-party risk management approach, Phil Jones, senior director of the cybersecurity and risk management consulting arm of Mazars USA, told attendees of the 103rd Annual NAFFS Convention. In his role, Jones helps companies identify their risk exposure, take steps to manage that risk and then perform internal risk remediation to assure the company's data is safe.

The first phase, he said, is understanding your operations' dependencies with third parties (customers, suppliers, vendors.) Next is thorough internal and external risk assessments and, finally, the ongoing risk management. 

Jones said developing requirements on interconnectivity with your customer/supplier/third-party vendor should help prevent problems and operational risk can be minimized through contracts that define responsibilities for security. “Operations will be at higher risk if the third parties' interconnectivity is weak,” Jones said. “Risk remediation requirements will need to take into consideration both your company and the customer.”

When drawing up these contractual relationships, it’s essential, Jones said, to understand your dependencies. He said a company must ask what the primary and support business functions are. It’s necessary, he said, to determine which technology and data are required to support the primary business function. “The same hard look must be given to your service providers or suppliers,” he said. “Which of the functions are offloaded to your service provider? These are the critical pieces to secure.” From there, he said, you look at which technology your third party is managing; if it’s critical to your operations, it requires additional protections.

When determining your acceptable risk and financial commitment to data security and privacy, it’s important to ask the questions that will help determine the necessity of security controls. What would happen if this primary or support function went down? Would effects be minimal, with perhaps some lost productivity? Or would there be a direct impact and resulting loss of revenue? The answers will determine the strength of language in the contract and the funding allotted for the security. 

Contracts, he said, must assure the appropriate confidentiality and integrity of information shared. All companies face the challenges of keeping up with regulatory compliance, so knowing which data is being shared and how it’s protected is important, Jones said. “What happens if it’s lost? Is the data encrypted? Establishing rules and controls internally inside your company is necessary before putting requirements externally on your service providers. Are they doing some compensating controls? You need assurances that if they’re managing part of your business, it's done at an appropriate security level.” If operating in the cloud, for example, adding a firewall or two-factor authentication likely would be helpful, Jones said.

The fourth and final phase of the process is the ongoing risk management, something Jones insisted should be done annually. He reminded attendees about the first step of understanding dependencies. “But even before that”, he said, “you must understand your operations. When you share data with a customer/supplier/third party vendor, you must validate that only necessary data is shared and periodically recheck it’s required for the supplier.”

Jones reiterated the importance of managing some of these risks from the beginning of the relationship with the third party through a written contract. He suggested adding language to increase transparency and security. For example, he said, one might need to add a clause that provides for notification if the vendor or third-party provider is broken in to. 

Jones referred to the company's "total risk" throughout his presentation. He said this is calculated by adding your risk to that of your vendor. “Once you have that calculation, you can manage the risk by requiring the vendor to upgrade its environment as part of the contract, thereby reducing your portion of the risk,” he said. 

Jones cautioned attendees to avoid spending the bulk of their security budgets on low-impact risk areas. Protecting the privacy and the continuity of IT operations must also be taken into consideration. Still, if it does not carry that high-impact risk, it shouldn't be a huge chunk of the budget, he said. 

Jones closed with a checklist he uses with his clients before they enter into an agreement with a third-party provider. First, he said, you need to have a good hold on your overall risk. The suppliers' security measures, or lack thereof, can mean a lack of security for your company assets and information.

Next, he said, is the compliance piece. He suggested developing a series of risk-based questions to ask of suppliers to complete. “You must ask about their controls. Are they certified to a regulation or standard? Are they regularly conducting audits? If so, what were the recent findings? Do they have a SOC2? Are they NIST Cybersecurity Framework (CSF) or ISO 27001 certified? Are they having regular pen tests? If so, make it known that you require one annually, which will be part of their costs of doing business with you.” The answers to these questions, he said, will help determine the contract's language to keep your information safe.