Low Risk Third-Party Cyber Assurance

Industry leading strategies for a sustainable approach

Introduction

As organizations outsource more and more functions to stay competitive and to keep up with technological trends, third-party portfolios are ballooning. Accordingly, for Third-Party Cybersecurity Risk Management programs to function sustainably, they are finding it imperative to prioritize their focus. Only the third parties that pose the most significant inherent risk, defined in an increasingly specific way to identify those with the highest negative impact potential, can be selected for manual assurance methods and techniques.

While this prioritization is a clear necessity, in practice organizations are finding that as an unintended consequence, their ‘Low’ risk third parties are riskier than they have been in the past. Until relatively recently, it was sustainable to only consider third parties as representing ‘Low’ cyber risk if their services involved no exchange or processing of organizational data. As data exchange and network connectivity have increasingly become the norm, this binary approach has become infeasible and there are now significant numbers of ‘Low’ risk third parties which do pose material cyber risk in the event of a breach.

Traditional Approaches

Using legacy, questionnaire-based assessment techniques to gain visibility into this significant source of risk in a resource-efficient way has proven to be a key challenge. A survey of the top global financial services organizations, those with the greatest regulatory and financial incentive to address this issue, shows that the industry has not settled on a standard. Instead, they have opted for one of two divergent alternatives.

Some organizations decide not to prioritize effort at all and require full due diligence assessment. Taking the same approach as they do for their higher cyber risk third parties, third-party controls are manually reviewed and validated in a highly costly and resource-intensive manner. Other organizations elect for a relatively lighter, attestation-based method, in which the third party's self-assessment of its control implementation is reviewed. While in this case the assurance approach more closely mirrors the level of risk, even with this much lighter approach organizations are finding it unsustainable.

In either extreme, organizations are frustrated by the concessions they are having to make and are feeling burdened by constrained resources and limited visibility. Obtaining efficient and meaningful coverage across the population of Low cyber risk third parties will involve a combination of first-principles thinking, strategic Intelligent Automation deployment, and implementation of an integrated, data driven approach.

Managing Inherent Risk Through Contracting

The first and possibly most significant lever organizations have to manage third-party risk exposure is the contract. By setting clear guardrails and limitations around the scope of third-party services, what kind of data they will access, and how they will access it, significant portions of cyber risk impact can be eliminated. Because ‘Low’ cyber risk has often been conflated with ‘no’ cyber risk, opportunities to intentionally scope out risk here have frequently been overlooked.

For third parties providing higher cyber risk services, it can often be difficult to significantly reduce inherent risk through contracting without materially impacting the nature of the services. In the case of Low risk third parties, however, there is often more room to maneuver: the third party's exchange and use of data can be limited to what is necessary to perform the services. For this reason, a key first step in enabling risk management is ensuring business owners are aware of their responsibility for risks stemming from third parties and of the critical role contracting plays in the process.

Additionally, it is important to reconsider the standard contractual provisions incorporated in all third-party agreements by default, including those posing Low cyber risk. As data exchange becomes increasingly a standard business necessity, data security and destruction agreements should be expected to become increasingly standard components of all third-party agreements. Furthermore, to increase the number of risk management options available, ‘right to audit’ provisions may be more generally applied, even if there is no intention of performing resource intensive security assessments of Low risk third parties.

Streamlined, Automated Risk Assessment

Performing full security assessments of Low risk third parties has proven to be far too resource intensive and costly for the risk management benefit it delivers. Even relatively lighter, attestation-based approaches have become unsustainable as the number of low-risk third parties increases. The conflict between these two alternatives reveals a clear opportunity for an automated solution as the middle way.

With the prevalence of Generative-AI, it has become commonplace to use technology to ingest information, summarize its meaning, and use it to enable automated decision making. While it takes Third-Party Security analysts significant time to read third-party assurance report information, map their contents to their organizational control framework, and summarize the resulting risk implications, Gen-AI can be used to perform this task in a streamlined, reliable, and consistent manner, virtually instantly.

This is becoming an increasingly popular application of Intelligent Automation among industry-leading Third-Party Security organizations, especially for Low risk third parties. Organizations that have implemented this use case find they can rely on the results of these assessments more than on attestations, getting value closer to that of a full, control-testing-style approach. Additionally, after the initial investment in implementation, the resources and costs devoted to this component of the risk management process are shown to decrease significantly, even compared with a 'light,' attestation-based process. This allows resources to be reallocated to higher inherent risk third parties as well as to other unknown risk areas.

Data-Driven Continuous Monitoring

Supplementing automated risk assessments, more comprehensive and continuous coverage can be obtained through the strategic use of Security Rating Service provider information. The perceived value of these services has largely centered on their application to the continuous monitoring of higher risk third parties. However, these are usually the third parties into which organizations already have the most insight through standard risk assurance processes. Security Rating Service provider data can be potentially even more impactful when applied across the Low risk third-party portfolio, where visibility is much more limited.

After establishing processes and procedures to ensure all Low risk third parties are effectively loaded onto these platforms during onboarding, targeted risk thresholds and alerts can be configured based on organizational risk appetite. The goal is not to use these tools to become overwhelmed by an abundance of data, but to be notified when it really matters – when there are sudden big shifts in third party risk posture, very low ratings, or significant breaches. Additionally, trends can be monitored and alerted upon to enable a proactive risk management approach. 
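The threshold-and-alert configuration described above can be expressed as a small rule set run over each third party's rating history. The following is an added illustration, not KPMG's code and not any Security Rating Service provider's API; it assumes a 0 to 100 rating scale where higher is better, a constructed portfolio of three hypothetical vendors, and a `RiskAppetite` object whose thresholds stand in for the organization's risk appetite. It alerts only on the conditions the text names (a sudden large drop, a very low rating, a reported breach, a sustained downward trend) and stays silent on ordinary week-to-week fluctuation.

```python
"""Threshold and trend alerting over security-rating observations.

Added example; not code from KPMG or from any rating provider.
Ratings are assumed to be integers 0-100, higher is better.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Observation:
    day: int                      # days since onboarding (constructed timeline)
    rating: int                   # 0-100, higher is better (assumed scale)
    breach_reported: bool = False  # provider flagged a public breach


@dataclass(frozen=True)
class RiskAppetite:
    """Thresholds standing in for the organization's risk appetite (assumed values)."""
    floor: int = 50              # alert when the latest rating is below this
    max_drop: int = 15           # alert on a drop of this many points between observations
    trend_window: int = 4        # number of recent observations examined for a trend
    trend_min_decline: int = 10  # total decline across the window that counts as a trend


Alert = Tuple[str, str]  # (kind, human-readable message)


def evaluate(vendor: str, history: List[Observation], appetite: RiskAppetite) -> List[Alert]:
    """Return the alerts raised by the most recent observation for one vendor."""
    alerts: List[Alert] = []
    if not history:
        return alerts
    hist = sorted(history, key=lambda o: o.day)
    latest = hist[-1]

    # Significant breach reported by the rating provider.
    if latest.breach_reported:
        alerts.append(("breach", f"{vendor}: breach reported on day {latest.day}"))

    # Very low absolute rating.
    if latest.rating < appetite.floor:
        alerts.append(("low_rating",
                       f"{vendor}: rating {latest.rating} is below floor {appetite.floor}"))

    # Sudden big shift between the two most recent observations.
    if len(hist) >= 2:
        drop = hist[-2].rating - latest.rating
        if drop >= appetite.max_drop:
            alerts.append(("sudden_drop",
                           f"{vendor}: rating fell {drop} points between day "
                           f"{hist[-2].day} and day {latest.day}"))

    # Sustained downward trend: every step in the window is flat or down and the
    # total decline meets the threshold. Small drops that individually stay under
    # max_drop are caught here, which is what makes the monitoring proactive.
    window = hist[-appetite.trend_window:]
    if len(window) == appetite.trend_window:
        steps = [later.rating - earlier.rating for earlier, later in zip(window, window[1:])]
        total_decline = window[0].rating - window[-1].rating
        if all(step <= 0 for step in steps) and total_decline >= appetite.trend_min_decline:
            alerts.append(("downward_trend",
                           f"{vendor}: rating declined {total_decline} points over the last "
                           f"{appetite.trend_window} observations"))
    return alerts


def run_portfolio(portfolio: Dict[str, List[Observation]],
                  appetite: RiskAppetite) -> Dict[str, List[Alert]]:
    """Evaluate every vendor and keep only those that raised at least one alert."""
    return {vendor: alerts
            for vendor, history in portfolio.items()
            if (alerts := evaluate(vendor, history, appetite))}


# Constructed sample portfolio of hypothetical Low risk vendors.
SAMPLE_PORTFOLIO: Dict[str, List[Observation]] = {
    # Ordinary fluctuation: should stay silent.
    "acme-print": [Observation(1, 82), Observation(8, 80), Observation(15, 81), Observation(22, 79)],
    # Slow, steady erosion: no single step is large, but the trend is.
    "beta-logistics": [Observation(1, 78), Observation(8, 75), Observation(15, 70), Observation(22, 66)],
    # Breach plus a sharp drop below the floor.
    "gamma-payroll": [Observation(1, 72), Observation(8, 71), Observation(15, 47, breach_reported=True)],
}


if __name__ == "__main__":
    for vendor, alerts in run_portfolio(SAMPLE_PORTFOLIO, RiskAppetite()).items():
        for kind, message in alerts:
            print(f"[{kind}] {message}")
```

The trend rule is the one worth tuning: lowering `trend_min_decline` or widening `trend_window` makes the program more proactive but increases noise, which is the trade-off the text cautions about. Each alert kind maps naturally to a different response, from engaging the third party on specific findings to escalating it into a fuller assessment.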

When an alert is received, it is often valuable to work with the affected third party to remediate the underlying issues identified. It is often also valuable, however, to use these tools to prioritize further assurance, as the vulnerabilities they identify can be indicative of broader systemic risk. Organizations leading in the use of these tools are finding it beneficial not to limit the alert response to addressing the specific findings identified by the platforms, but to use them as an impetus for more rigorous assessment. In this way, through automation and intelligent use of data, manual assessment processes are not eliminated but prioritized to where they can have the highest value without overwhelming program capacity.

Conclusion

Organizations are seeing that Low risk third parties can significantly impact the security of their data, reputation, and business. However, standard approaches are failing to deliver risk visibility efficiently and sustainably. Instead, a combination of techniques is needed, focused on controlling risk where there is the most leverage and using innovative technologies to prioritize and enable targeted risk insight. This reflects broader trends in how industry leaders are rethinking cybersecurity risk management from first principles. 

Previously, static methods based on defined risk tiers and stock, manual assurance options were relatively sustainable. With rapidly expanding third-party portfolios, accelerating cyber threats, and standards becoming more dynamic in response, organizations can no longer afford to consider third parties in silos or to rely on resource- and time-intensive processes to obtain assurance. The innovative approaches industry-leading organizations are currently using to address the Low cyber risk population will eventually become more common across higher risk tiers. Effective third-party cybersecurity risk management going forward will require focused attention and effort where risk managers can have the most significant influence on risk reduction, creative mixing and matching of assurance approaches to gain coverage, and use of all available tools and data sources to identify and prioritize mitigating action.

Meet our team

Diana Keele
Managing Director, Cyber Security Services, KPMG US
