The FAIR Institute recently introduced the FAIR Third Party Assessment Model (FAIR-TAM™), a new addition to the FAIR family of standards and models, created to shine light on the big blind spot in cyber security: the loss exposure lurking unseen among supply chain partners and vendors.
How critical is third party risk management (TPRM)? Look at the recent ransomware attack that shut down UnitedHealth Group’s Change Healthcare, the principal payments platform for medical insurance in the US, quickly driving healthcare providers to the brink of financial failure.
FAIR-TAM guides cyber risk managers to the most effective mix of best practices and controls for TPRM. But the reality is, most organizations are starting at rock bottom: sending security questionnaires to vendors that are soon outdated, running outside-in scans of a vendor’s controls stack (incomplete views that are more noise than signal), or prioritizing for TPRM based on the size of the vendor contract rather than the risk. Adopting FAIR-TAM will be a ride up a maturity curve – it requires growing a program, not just buying products.
The Maturity Curve - Up from “Don’t Know” to Effective TPRM
We’ve seen clients pass through these stages on their way to management of third parties that achieves the goals of FAIR-TAM: TPRM that is risk-based, comprehensive, and leads to actionable mitigations.
“Don’t know”
Well, it’s a start: organizations at this stage just build a minimum awareness by creating a basic directory of vendors from procurement records. Large companies can have hundreds or thousands of third parties, so this is no trivial task.
“Let’s be compliant”
Always a good starting point but never sufficient for true risk management: organizations here can demand in contracts that third parties demonstrate ISO or SOC 2 compliance and might even be able to negotiate some rights of inspection of the vendor’s processes. Also at this stage could be the outside-in scans of web-facing controls. Like all compliance-based risk management, these measures just infer that risk is being managed without a quantitative assessment. But at least they can identify the “bad apples” that are failing risk management 101 – and offer a legal shield if your organization must demonstrate due diligence on TPRM.
“Risk light”
We’re getting there. Organizations in this phase are asking the right questions: “How should I tier my third parties based on risk to my business?” “Which are the riskiest?” But the tools in their kit, questionnaires for the supply chain partner or vendor to answer about security practices, too often take weeks or months to come back and then be processed by the first party, meaning they are way out of date for the fast-changing cyber risk landscape.
“Risk is managed!”
Now, we’re confidently answering the right questions:
“How can I protect my business?”
“How can I get adequate data from my riskiest third parties?”
“How can I scale my program?”
“How do I communicate my TPRM program performance?”
We are following these best practices:
Treat third parties as part of your attack surface and apply zero trust principles and controls to the third parties that connect most to your network or data or that most affect your revenue. A corollary: assess first- and third-party risk and controls together as one continuum. Use FAIR-CAM, the FAIR Controls Analytics Model, to gauge the strength of your controls.
Automate questionnaire ingestion. With as many third parties as you are likely to have, look for a solution with AI that can dramatically shorten your reaction time from recognizing risk to acting to mitigate it.
Inside-out, real-time assessment of critical third parties. Outside-in scans are insufficient. You can achieve inside-out assessment in a non-intrusive way through read-only API access into the vendor’s cybersecurity technology stack, and truly understand the risk posture of your supply chain actors.
Looking forward: don’t waste a good crisis
With so much attention focused on the UnitedHealth cautionary tale of TPRM gone bad, this could be a great time to push for implementing FAIR-TAM at your organization – and moving toward a more proactive, risk-based approach in general.
Learn more:
Blog post: The 3rd Party Risk Crisis – a FAIR Solution
FAIR Conference Video: Third Party Risk Management: Time to Rethink?