Corvus Insights Blog | Smart Cyber Insurance

How To Build a Third-Party Risk Management (TPRM) Program

Written by Sagar Shah | 07.22.24

Recent incidents at Change Healthcare and CDK illustrate the significant impact third-party technologies and service providers can have on organizations when they face disruptions or failures. These events serve as reminders of the vulnerabilities inherent in an organization’s reliance on external partners. 

The Corvus claims team has observed an increasing trend of incidents related to third-party breaches. In early 2023, around 15% of claims managed by Corvus were as a result of vendor breaches; by early 2024 this number had grown to around 29%.

This trend highlights the important role of Third-Party Risk Management (TPRM). While TPRM doesn’t eliminate the risks that third-party relationships pose completely, when done effectively, it helps organizations understand and manage these risks in order to maintain the integrity, security, and resilience of business operations.

What is Third-Party Risk Management (TPRM)?

TPRM is more than a checklist or security questionnaire; it’s a strategic approach that brings together departments across an enterprise to ensure that the risks inherent in third-party relationships do not compromise the operational effectiveness, security, compliance, or reputation of an organization. Each risk that a vendor brings will have unique characteristics, however, there are a few universal elements that support building a resilient TPRM strategy.

Building out your TPRM program


Here are 5 steps an organization can take to start building a TPRM strategy:


1. Establish a TPRM Framework

Develop a formal TPRM policy that defines how third parties are identified and how third-party risks are assessed, monitored, and managed. Ensure that this framework is aligned with the overall business strategy and risk appetite. The goal is to understand the risks third parties pose to an organization. This is not only for when an incident occurs and the organization’s data is compromised, but also for where working with the third party inadvertently introduces security risks to the organization (e.g., API connections, tool integrations, remote access, data transfer, etc.).

2. Conduct Due Diligence

Before engaging with any vendor, perform due diligence that evaluates their security controls, compliance with applicable regulations, financial stability, and operational resilience. This process should be detailed and adapted to the level of risk that the vendor poses. The Cybersecurity and Infrastructure Security Agency (CISA) provides a detailed template that can be a useful reference.

3. Implement Strong Contractual Controls

Negotiate contracts that define security and compliance standards expected of vendors. Where feasible, include the right to audit and mechanisms for breach notification and remediation.

4. Plan for Incident Response

Coordinate with vendors to ensure that there are clear and tested plans in place for notifying and responding to security incidents. This collaboration is critical for quick and effective mitigation of any issues that might arise.

5. Educate and Train Your Team

Ensure that relevant personnel within your organization are aware of the risks associated with third-party engagements and are trained on your TPRM policies and procedures. This includes teams across the different departments who interact with or manage vendor relationships.

Detailed Considerations on your TPRM Build-out Strategy

As the organization starts building out the TPRM strategy, below are additional details and questions to consider.

Pinpoint and Prioritize

Begin with understanding the nature of your relationship with the vendor. Determine why each vendor is necessary and how they interact with your organization’s systems and data. This clarity is the first step in pinpointing potential security risks.

Stop and Consider
  • What services is the vendor providing? Is this service critical to business operations?
  • What data is being shared? Is sensitive data being shared? How is data being shared?
  • How do they connect with your systems? Which systems? Are these critical systems to the business? Do these systems store sensitive data?
  • What impact would the business face if the vendor’s system went down? Would the impact be financial, reputational, etc.?
  • How could a breach at the vendor impact your business? Would sensitive data be potentially impacted? What regulatory or financial considerations would need to be considered?

Conduct Security Due Diligence

Once the organization understands the nature of the relationship with the vendor and the potential risks involved, the next step is to examine each vendor’s security practices in depth. The objective is to understand the vendor’s security policies, programs, and posture, and to determine whether they address the risks you identified and are proportionate to the risk the vendor poses to your organization.


When evaluating vendors, the risks posed can vary depending on the relationship, but key areas to review include:


Security Program Maturity

Determine whether the vendor demonstrates a strong commitment to security, evidenced by training, regular updates, and a clear security roadmap.
  • Does the vendor have a dedicated security team?
  • Does the vendor have established and documented security processes?
  • Does the vendor provide training and phishing simulations to their employees?

Data Management

Ensure that the vendor has effective data management practices in place, including data encryption, storage, processing, and disposal.
  • How does the vendor secure data at rest and in transit?
  • What data disposal measures are in place to prevent unauthorized access?

Operational Resilience

Understand the vendor’s ability to maintain critical operations during and after a disruption. This includes their incident response, business continuity, and disaster recovery processes.
  • What is the vendor’s history with disruptions, and how have they managed them?
  • Does the vendor have cyber insurance in place?
  • Does the vendor have Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO) in place?
  • Does the vendor have an Incident Response Plan and Business Continuity Plan in place? Do they test these plans (e.g., tabletop exercises)?

Vulnerability Management

Confirm that vendors have processes in place to effectively identify, evaluate, and mitigate vulnerabilities in their systems and software.
  • Are vulnerability assessments and penetration tests conducted regularly?
  • How comprehensive is the vendor’s vulnerability management program?
  • Does the vendor have risk-based patching SLAs for identified vulnerabilities?

Identity and Access Management (IAM)

Do the vendor’s IAM practices adhere to the principle of least privilege and effectively manage user access and authentication?
  • How does the vendor manage and secure user identities and access controls?
  • What mechanisms are in place to authenticate and authorize users?

Subcontractor and Fourth Party Vendor Oversight

Assess the practices the vendor applies to its own vendors and subcontractors, ensuring that it extends its security standards down the supply chain.
  • Does the vendor have its own third-party risk management program in place? What does it look like?
  • How does the vendor manage and monitor its subcontractors?

Regulatory Compliance

Confirm that vendors adhere to relevant legal and industry standards, especially those around data protection and privacy.
  • What certifications or proof of compliance can the vendor provide?
  • Are there gaps in the vendor’s compliance that could expose you to risk?

Contractual Safeguards

Although not always feasible, where you can, ensure that vendor contracts include clauses that hold the vendor accountable for complying with industry standards and regulations. This includes data protection, confidentiality, security practices, incident reporting, and the right to perform audits.

Stop and Consider
  • Does your contract identify to whom security failures or breaches must be reported?
  • Do you outline when to report failures/breaches and how often updates should be provided? What information should be shared?
  • Do your contracts include terms that hold your vendors accountable?
  • Are penalties in place for non-compliance?
  • Do you include confidentiality provisions outside of an NDA?

Ongoing Monitoring

A vendor’s risk profile can change. Based on the risk that the vendor poses to your business, you should monitor and assess the relationship with your vendors and their security posture to detect and respond to changes and potential vulnerabilities.

Stop and Consider
  • How frequently do you review your vendors’ security practices?
  • Has the relationship with the vendor changed (e.g., different services being provided, data being shared, or systems connected)?
  • Does the organization have tools and processes for monitoring vendor compliance in real time?

Incident Response Alignment

Ensure that your vendors’ incident response and business continuity plans align with your own to facilitate a coordinated response to any security incidents.

Stop and Consider
  • Are your vendors’ response plans tested and reviewed annually?
  • Does the vendor have a process in place to notify you promptly of any security incidents?
  • How quickly can a vendor respond to and recover from a security incident?

Start Strategizing Today!

Building a TPRM strategy is not easy, but the foundation does not require expensive tooling or complicated processes. Creating the foundation can start with a collaborative approach, with engagement from procurement, finance, legal, security, compliance, IT, and business operations to outline the framework and implementation roadmap.

If you are a Corvus policyholder or broker partner and not sure how or where to start, email us to connect with our Risk Advisory team. Let Corvus be a resource in navigating cybersecurity challenges and strengthening your TPRM strategy.


This material is intended for general guidance and informational purposes only. This material is under no circumstances intended to be used or considered as specific insurance or information security advice. This material is not to be considered an objective or independent explanation of the matters contained herein.