As TPRM or third-party risk management grows in importance, so does cybersecurity risk assessment as part of it. The latest Assessment of Business Cyber Risk (ABC) report from the US Chamber of Commerce and FICO discusses four steps for improving third-party cybersecurity risk management. These steps can help businesses in the US and other countries not only meet regulatory compliance requirements but ensure they understand and can manage the risk of their vendor and partner networks.
Let’s take a look at these four steps.
Step One: Build a framework for vendor categorization
Effective supply chain risk management requires managers of third-party risk to define business requirements, business relationships, and risk factors in order to generate a framework for vendor categorization. This framework will normally take into account how a vendor is utilized by the organization as well as factors inherent to the supplier.
The purpose of categorization is to decide which vendors require a deeper assessment based on their role in the evaluating organization’s business, and the size and criticality of the relationship (e.g., a catering contractor for a local office party versus a business partner that impacts every customer).
To determine the criticality of a vendor, supply chain risk managers might consider:
- What is the nature of the supplier relationship (i.e., what services are being supplied)?
- Is this a new relationship or an established one?
- What is the size of the supplier relationship?
- What is the financial strength of the supplier?
- Where does the vendor operate (e.g., regions, cloud)?
- What data is shared with the supplier?
- Which certifications and standards are maintained by the supplier?
- Are there alternative suppliers, and how quickly could they be engaged
- if necessary?
- Would there be compliance exposure in the event of a breach at the supplier?
- How is the supplier insured?
Step Two: Develop workflow to address the intersection of risk and criticality
On the basis of the categorization, tools like the FICO® Cyber Risk Score can be used to group organizations into portfolios where cyber risk and vendor impact/criticality can be considered together. Once suppliers are assigned to a portfolio, risk managers are able to develop the strategy and workflow for vendor engagement and undertake a risk- and impact-appropriate set of actions for remediation, improvement, or supplier replacement.
The first step is determining whether additional information is needed to assess cyber risk. Here, the firm may elect to set a score threshold — or a set of thresholds based on categorization and impact — to determine whether additional data is required. The next step may be to review adjacent risk elements, such as financial stability, in order to understand the overall health of the business and how this may impact cyber risk.
For each of the elements of a supply-chain risk workflow, the organization must determine thresholds for risk — absolute or within a benchmark category — based on their business requirements and risk appetite. With respect to cyber risk specifically, decisions and actions may include:
- Perform regular and recurring on-site audits
- Collect additional data via a detailed cybersecurity questionnaire to better understand:
- Processes
- Infrastructure
- Skills and organizational structures
- Mitigating controls
- Obtain evidence of ongoing compliance with standards (e.g., Service Organization Controls reports)
- Prescribe actions for remediation
- Determine when risk—absolute or relative—is too high, and institute steps to engage alternative suppliers
- Promote awareness by inviting the vendor to review their FICO® Cyber Risk Score or other cyber assessment tool
By setting appropriate thresholds based upon risk and criticality, an organization may deploy its limited risk assessment and risk management resources where they are most needed.
Step Three: Continuously monitor high-impact suppliers
Based on the combination of criticality and risk, managers of third-party risk should establish a cadence for reviewing critical information. This may include a full reassessment of high-impact suppliers on an annual basis, or it may involve a less-frequent full-scale review, supplemented by continuous monitoring of key risk assessment inputs such as financial health and cybersecurity performance.
Tools such as the ABC National Risk Score in the US, which provides a general rating of cyber risk for benchmarking, and the FICO® Cyber Risk Score, which provides company- specific metrics, may be leveraged in combination to provide a directionally correct view of relative risk. To better mitigate risk, firms are increasingly leaning on cyber scoring and/or cyber rating services to track overall risk as well as observable — and potentially actionable — conditions and behaviors that contribute to that risk.
Step Four: Ensure appropriate risk transfer
Comprehensive vendor risk management programs frequently include insurance-based risk transfer. A simple approach to risk transfer considers the intersection of supplier risk and criticality, and imposes insurance requirements on those suppliers whose combination of risk and criticality requires additional protection.
The amount of coverage that a vendor is required to carry can be ascertained in part based on information collected in the vendor categorization process, including information such as the amount and type of data shared with the supplier. Estimates of the cost “per record” for a breach vary widely, ranging from $100 per record to $350 per record, depending on the nature of the data.
Depending on business requirements, some classes of vendors may be required to carry specific breach coverage as a part of the vendor risk management program. Firms may require that they be named as additional insureds in supplier policies for those coverage areas.
Cyber insurance is a rapidly growing area of specialty coverage for carriers. The Cyber Insurance Market Report, published by Allied Market Research, forecasts that the global market for cyber risk coverage is expected to garner $14 billion by 2022, registering a CAGR of nearly 28% during the period 2016-2022. Another reason to consider your firm’s risk relative to the ABC National Risk Score is that brokers, carriers, and reinsurers also increasingly leverage standardized cyber breach risk quantification metrics as an additional tool for underwriting and pricing cyber breach insurance.
To learn more about your organization’s specific security performance, register for a free subscription at http://cyberscore.fico.com. And follow me on Twitter @dougoclare.
