It is safe to say that almost every organization, in every industry, leverages third parties to enhance its capabilities, cost-efficiency and innovation, and even to transfer risk. The process by which an organization delivers its product to consumers involves the third parties and dependencies that constitute its supply chain.
Any lapse in this supply chain that allows a vulnerability to be exploited can disrupt the supply chain itself. A third-party data breach can occur when a third party accesses sensitive information to support business processes but follows poor security practices. A well-known example is the 2018 Marriott International data breach, which occurred through a compromised third party that was no longer in use. More recently, in 2023, UScellular reported a data breach that exposed the private information of roughly 5 million customers after criminals targeted a “former third-party vendor” to access the records.
An effective and robust third-party onboarding process, combined with thorough due diligence that addresses cyber risks, particularly for information security and technology services, can be achieved by implementing the following measures:
- Comprehensive Risk Assessment: Develop and adopt an assessment questionnaire with a focus on technical and privacy controls that map to industry-specific regulations and guidelines. It is essential to align the responses from this questionnaire to a risk score that can be relied upon to make onboarding decisions.
- Verify Attestations and Certifications: It is imperative to verify third-party compliance with applicable regulations, industry standards and attestations. This is usually done by reviewing the reports submitted and ensuring that the supplied information is tied to the prospective third party itself, not to a service provider the third party uses to support its business. For example, if an organization engages a third party for Software as a Service (SaaS), and that third party uses a cloud service provider (CSP) to keep its application running, the attestations and certifications submitted should tie to the third party and not to the CSP.
- Contract Management: In addition to following a contract lifecycle management process, contractual provisions that protect the company should be incorporated, such as an agreed business purpose, financial cost, liabilities, right to audit, SLAs, monitoring and communication mechanisms, and right to termination.
- Monitoring and Reporting: Define Key Performance Indicators (KPIs) with the third party, monitor them at an agreed frequency with the appropriate stakeholders, and report and address any violations until they are mitigated.
- Incident Management and Response: Clearly outline responsibilities for incident response, related timelines, a severity rating, escalation mechanisms, and any additional relevant requirements that enable minimizing the potential disruption and maintaining operational resiliency.
While effective measures are commonly taken to establish governance around third-party onboarding, the cyber risks associated with the offboarding process are quite often overlooked. The following are best practices to manage them:
- Access Termination: In addition to terminating and verifying physical access, it is crucial to verify that access to systems and APIs (application programming interfaces) has been revoked and that the changes are logged in an internal tool. This step minimizes the risk of leaking sensitive data to a terminated third party.
- Data Lifecycle Management: Establish or follow a process that allows the organization to control the data lifecycle. Depending on regulatory and business requirements, processes should be in place to securely reacquire or delete data held by an offboarding third party and to obtain a certificate of data deletion for the record.
- Update the Third Party Records Database: Document the reason for termination, attach or link the contracts, KPIs, and financial transactions, and follow a rating system that will allow the organization to decide on future engagement.
- Log Retention: Depending on financial viability and on regulatory and business requirements, third-party logs should be retained for a defined period. This can be valuable in determining whether a data breach has occurred after termination.
- Monitoring and Notification Mechanism: Even though the third party has been terminated, it is important to include contractual provisions for incident notification after termination. Continue to monitor the third party for potential future risks, and maintain a cordial relationship with it so that communication lines remain open.
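As an added illustration of the access-termination step (this is not code from the article), the following Python sketch runs over a constructed credential inventory: it revokes every credential still active for the terminated third party, writes an audit record for each change, and then re-verifies that nothing remains active. The vendor names, credential kinds and identifiers are made up.

```python
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass
class Credential:
    vendor: str   # third party the credential was issued to
    kind: str     # e.g. "api_key", "sso_account", "vpn_cert"
    ident: str    # key id, account name or certificate serial
    active: bool  # True while the credential can still authenticate


def sample_inventory():
    """Constructed sample, in the shape an IAM or API-gateway export might take."""
    return [
        Credential("acme-analytics", "api_key", "ak-1001", True),
        Credential("acme-analytics", "sso_account", "svc-acme", True),
        Credential("acme-analytics", "vpn_cert", "0x3f2a", False),
        Credential("other-vendor", "api_key", "ak-2002", True),
    ]


def _record(audit_log, actor, vendor, cred, action):
    """Append one audit entry so every check and change is logged."""
    audit_log.append({
        "ts": datetime.now(timezone.utc).isoformat(),
        "actor": actor, "vendor": vendor, "kind": cred.kind,
        "ident": cred.ident, "action": action,
    })


def find_active(inventory, vendor):
    """Identifiers of credentials that can still authenticate as `vendor`."""
    return [c.ident for c in inventory if c.vendor == vendor and c.active]


def revoke_vendor(inventory, vendor, actor, audit_log):
    """Disable every active credential of `vendor`, logging each one; returns the count."""
    revoked = 0
    for cred in inventory:
        if cred.vendor == vendor and cred.active:
            cred.active = False
            _record(audit_log, actor, vendor, cred, "revoked")
            revoked += 1
    return revoked


def verify_offboarding(inventory, vendor, actor, audit_log):
    """Independent re-check: log the state of each credential, return any still active."""
    for cred in inventory:
        if cred.vendor == vendor:
            state = "verified_active" if cred.active else "verified_revoked"
            _record(audit_log, actor, vendor, cred, state)
    return find_active(inventory, vendor)
```

A non-empty result from `verify_offboarding` is the finding to escalate; the audit log is what the "changes are logged" requirement above asks for.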
To mitigate the technology and information security risks associated with terminating a third party, organizations can proactively develop cybersecurity strategies that protect them from regulatory, financial, operational and compliance risks. In addition to implementing controls and solutions that minimize cybersecurity risk, it is imperative to foster a culture that involves employees in protecting sensitive data and in continuously updating security measures to counter cyberthreats.
Author’s note: The opinions expressed are the author’s own views and do not necessarily represent those of the organization or of the certification bodies she is affiliated with.