Organisations should monitor vendor cyber risks as they undergo digital transformation and increase their use of third-party services, according to RSA Archer and RiskRecon

Corporates have begun to use third-party services and technology more often as they transform their businesses in the digital age, RSA said during a webinar this week.

“One of the interesting byproducts of digital transformation is the accelerated adoption of third party services. That enables and empowers organisations to more rapidly adopt digital techniques and transform their organisations,” said Sam O’Brien, a director at RSA Archer.

The Covid-19 crisis has led “to some very rapid decisioning around how we use third parties”, O’Brien said. “Look at conferencing technologies, like Zoom, for example,” he added. “The rate of adoption is happening very very quickly.”

While digital transformation has many benefits, companies will be increasingly exposed to cyber risks as they extend their business relationships and work with new digital partners.

“That adoption is leading to decisions that need to be made even faster,” O’Brien added. He said some security concerns were at risk of being “looked over”, “in the interests of keeping people working”.

“It’s underpinning pure business operations and pure business continuity,” O’Brien said.

O’Brien added: “Research from the Ponemon Institute from 2018 shows that 59% of data breaches are actually due to third party compromises of some kind. While the level of risk organisations face has been increasing, the level of third party risk is accelerating.

“Digital transformation has been taken a step further due to the pandemic response. That level of third party risk is accelerating,” he added.

“In the world we’re working in right now, it can be impossible to undertake the traditional best security best-practice activities we want to do, like conduct on-site assessments. So we have to get creative about how we manage third-party cybersecurity risk,” O’Brien said.

RSA Archer has teamed up with third-party cyber risk specialists RiskRecon, giving its clients access to RiskRecon’s in-depth third-party vendor risk assessments.

The two companies believe their platform can bolster risk managers in their efforts to detect and monitor third-party cyber risks.

RiskRecon captures up-to-date information on third-party cyber risks. The firm provides risk monitoring and detection services, allowing companies to question their third parties on cyber concerns.

The RiskRecon service offers visible and actionable risk information on third-party cyber risks.

“We build a full picture of what a third-party’s risk profile looks like,” said Mike Parra, senior adviser at RiskRecon. “We can understand what the subsidiaries are, the domains they use, and do an assessment through direct observation.”

Third parties are ranked from high to low by vulnerability score, allowing organisations to raise concerns about third-party cyber risks.

“You can create a risk profile for vendors, share information and engage them in the reduction of their own risk. You can pinpoint areas of concern and escalate issues,” Parra added.

RSA’s O’Brien said the information could help risk and insurance managers “provide insight into the nitty-gritty and present that in a business context”.