Third-party breaches are a threat — and many companies aren't ready

Partnering with a third party often requires sharing confidential and sensitive information.


Insurance carriers and other financial services businesses are increasingly reliant on third-party administrators, particularly in this age of increased business-technology demands and consumer expectations.

The problem is, partnering with a third party often requires sharing confidential and sensitive information.

Too often, cybersecurity weakness is ignored when companies are looking to secure third-party business relationships.

“To stay ahead of (cyber) risk, companies and executives need to collaborate around plans for third-party detection and mitigation that support automated technology and strong governance,” Dov Goldman, vice president of Innovation and Alliances at the international compliance and risk management firm Opus, said in November 2018.

Opus teamed up with the Ponemon Institute late last year on the third annual “Data Risk in the Third-Party Ecosystem” study. The report found that 59% of respondent companies experienced a data breach caused by a third party or vendor.

Another 22% of respondents said they didn’t know if they had been impacted by a third-party data breach during the past year.

Ponemon’s study surveyed more than 1,000 chief information security officers from a variety of industries in the U.S. and U.K.

Best practices

The study included an analysis of organizations that have been able to avoid a third-party data breach in the past 12 months (36%) — or ever (32%).

Such high-performing firms implemented governance and IT security best practices that were strongly correlated with a reduced incidence of third-party data breaches.

These best practices included:

“While corporate executives understand the implications of a data breach or cyberattack to their business, far fewer are aware of the source of the attacks and the vulnerabilities that their organizations need to address to properly secure data,” said Dr. Larry Ponemon. “Considering the explosive growth of outsourced technology services and the rising volume of third parties, companies need to take control of their third-party exposure and implement safeguards and processes to reduce their vulnerability.”

The problem escalates

More than half (53%) of U.S. companies experienced a cyber breach within the last year, according to the 2019 Hiscox Cyber Readiness Report, and 43% of those had more than one cybersecurity incident in that period.

The Ponemon Institute study revealed that companies in the U.S. are more likely than those in the U.K. to say they’d experienced a third-party breach: 61% of U.S. respondents reported one. According to the report, that is up 5 percentage points from 2017 and 12 percentage points from 2016.

More than 75% of all respondents said third-party data breach incidents are on the rise.

“It’s growing,” said Lee Kirschbaum, the senior vice president and head of product, marketing and alliances for Opus. “It’s not getting better, it’s getting worse, especially in the U.S.”

Only 16% of respondents said that their companies are “highly effective in mitigating third-party risks.” Nearly two-thirds of companies don’t keep a comprehensive inventory of third parties. Most respondents cited lack of centralized control, lack of resources and the complexity of third-party relationships as the reason for not keeping a comprehensive inventory.

Curbing third-party breaches

Fewer than half of all companies surveyed for the Ponemon Institute study said that managing third-party relationship risks is both effective and a priority within their organization.

Only 37% indicated they have sufficient resources to manage third-party relationships and only 35% rated their third-party risk management program as highly effective. More than half of companies do not know if their organizations’ vendor safeguards are enough to prevent a breach.

“The third-party ecosystem is ideal for [hackers] looking to infiltrate an organization, and the risk only grows as these networks become larger and more complex,” said Opus Vice President of Innovation & Alliances Dov Goldman.

Mitigating the risk

Most respondents said their company’s management of third-party risks is not effective or a priority, that they don’t have sufficient resources to manage those relationships, and that they’re unaware of whether vendors are doing enough to prevent a breach.

Some companies, however, have been effective at preventing third-party breaches from impacting them.

Ponemon’s study highlighted tactics those organizations have used to stay protected.

“A takeaway for me was that so many companies just weren’t doing [best practices],” Kirschbaum said. “I don’t think it’s obvious to the market.”

An abridged version of this story was first published in Corporate Counsel. National Underwriter Managing Editor Elana Ashanti Jefferson also contributed to this report.
