Recent incidents at Change Healthcare and CDK illustrate the significant impact third-party technologies and service providers can have on organizations when they face disruptions or failures. These events serve as reminders of the vulnerabilities inherent in an organization’s reliance on external partners.
The Corvus claims team has observed an increasing trend of incidents related to third-party breaches. In early 2023, around 15% of claims managed by Corvus were as a result of vendor breaches; by early 2024 this number had grown to around 29%.
This trend highlights the important role of Third-Party Risk Management (TPRM). While TPRM doesn’t completely eliminate the risks that third-party relationships pose, when done effectively it helps organizations understand and manage these risks in order to maintain the integrity, security, and resilience of business operations.
TPRM is more than a checklist or security questionnaire; it’s a strategic approach that brings together departments across an enterprise to ensure that the risks inherent in third-party relationships do not compromise the operational effectiveness, security, compliance, or reputation of an organization. Each risk that a vendor brings will have unique characteristics; however, there are a few universal elements that support building a resilient TPRM strategy.
Develop a formal TPRM policy that defines how third parties are identified, and how third-party risks are assessed, monitored, and managed. Ensure that this framework is aligned with the overall business strategy and risk appetite. The goal is to understand the risks third parties pose to an organization. This is not only for when an incident occurs and the organization’s data is compromised, but also for where working with the third party inadvertently introduces security risks to the organization (e.g., API connections, tool integrations, remote access, data transfer, etc.).
Before engaging with any vendor, perform due diligence that evaluates their security controls, compliance with applicable regulations, financial stability, and operational resilience. This process should be detailed and adapted to the level of risk that the vendor poses. The Cybersecurity and Infrastructure Security Agency (CISA) provides a detailed template that can be a useful reference.
Negotiate contracts that define security and compliance standards expected of vendors. Where feasible, include the right to audit and mechanisms for breach notification and remediation.
Coordinate with vendors to ensure that there are clear and tested plans in place for notifying and responding to security incidents. This collaboration is critical for quick and effective mitigation of any issues that might arise.
Ensure that relevant personnel within your organization are aware of the risks associated with third-party engagements and are trained on your TPRM policies and procedures. This includes teams across the different departments who interact with or manage vendor relationships.
As the organization starts building out the TPRM strategy, below are additional details and questions to consider.
Begin with understanding the nature of your relationship with the vendor. Determine why each vendor is necessary and how they interact with your organization’s systems and data. This clarity is the first step in pinpointing potential security risks.
Once the organization understands the nature of the relationship with the vendor and the potential risks involved, the next step is a deep dive into the vendor’s security practices. The objective is to understand the vendor’s security policies, programs, and posture. The intent is to determine whether they address the risks that you identified and are aligned with the level of risk that the vendor poses to your organization.
Does the vendor have a dedicated security team?
Does the vendor have established and documented security processes?
Does the vendor provide training and phishing simulations to their employees?
How does the vendor secure data at rest and in transit?
What data disposal measures are in place to prevent unauthorized access?
What is the vendor’s history with disruptions and how have they managed them?
Does the vendor have cyber insurance in place?
Does the vendor have Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO) in place?
Does the vendor have an Incident Response Plan and Business Continuity Plan in place? Do they test these plans (e.g., tabletop exercises)?
Are vulnerability assessments and penetration tests conducted regularly?
How comprehensive is the vendor’s vulnerability management program?
Does the vendor have patching SLAs for vulnerabilities identified based on risk?
How does the vendor manage and secure user identities and access controls?
What mechanisms are in place to authenticate and authorize users?
Does the vendor have its own third-party risk management program in place? What does it look like?
How does the vendor manage and monitor its subcontractors?
What certifications or proof of compliance can the vendor provide?
Are there gaps in the vendor’s compliance that could expose you to risks?
Although not always feasible, where you can, ensure that vendor contracts include clauses that hold the vendor accountable for complying with industry standards and regulations. This includes data protection, confidentiality, security practices, incident reporting, and the right to perform audits.
A vendor’s risk profile can change. Based on the risk that the vendor poses to your business, you should monitor and assess the relationship with your vendors and their security posture to detect and respond to changes and potential vulnerabilities.
Ensure that your vendors’ incident response and business continuity plans align with your own to facilitate a coordinated response to any security incidents.
Building a TPRM strategy is not easy, but the foundation does not require expensive tooling or complicated processes. Creating the foundation can start by taking a collaborative approach, with engagement from procurement, finance, legal, security, compliance, IT, and business operations to outline the framework and implementation roadmap.
If you are a Corvus policyholder or broker partner and not sure how or where to start, email us to connect with our Risk Advisory team. Let Corvus be a resource in navigating cybersecurity challenges and strengthening your TPRM strategy.
This material is intended for general guidance and informational purposes only. This material is under no circumstances intended to be used or considered as specific insurance or information security advice. This material is not to be considered an objective or independent explanation of the matters contained herein.