The recent ransomware attack on Change Healthcare, operator of the biggest medical claims processor in the US, was a nightmare scenario of third-party risk. Medical practices serving 131 million patients were cut off from revenue for two weeks or more, driving many close to financial collapse. In the same period, Bank of America and American Express reported breaches at third-party vendors.
We are in the middle of a crisis over third-party risk, and it’s time for a rethink and a reset of third-party cyber risk management (AKA vendor risk management or supply chain risk management).
Pankaj Goyal is Director, Standards and Research, for the FAIR Institute.
A 2023 RSA Conference survey of Fortune 1000 CISOs found that 87% of the companies were affected by a significant cyber incident at a third party in the past 12 months. And the attack surface is only increasing with the interdependencies of the modern economy.
Large pharmaceutical companies might have ties to tens of thousands of third parties and an incalculable number of fourth and fifth parties. The companies must manage risk for third parties within their IT infrastructure (an MSSP, for instance) and outside (a drug testing lab handling proprietary data, for instance).
Organizations are faced with trying to control at arm’s length:
>>How data flows to vendor organizations and back
>>How vendors manage access
>>Their behavior – do employees click on phishing emails, etc.
The possibility of backdoors and blind spots within infrastructure grows. Throw in the complexity of a third party merging or acquiring another entity with a new IT environment.
Third Party Risk Management Is Failing
To cope with this compounding problem, cyber teams use tools with some serious limitations:
>>Questionnaires, point-in-time surveys that are labor-intensive, may take weeks to get back from the vendor, and then there’s no guarantee of accuracy.
>>Outside-in scans that may generate a lot of false positives and aren’t based on risks.
Risk managers often make a rough effort at ranking third parties by risk exposure, but based only on the size of the vendor.
The reality is that cyber teams are at a fundamental disadvantage in a typical vendor relationship. They can insist on a right to audit clause, but generally will lack leverage to influence the third party after the initial contract is signed.
A FAIR Approach to Third Party Risk Management
The FAIR Institute is developing a solution to the puzzle of third-party risk with an extension to the FAIR model: the FAIR Third Party Assessment Model (FAIR-TAM).
3 Key Principles of FAIR-TAM:
1. Risk-based prioritization
Instead of prioritizing on the size of the contract or the vendor, prioritize based on a FAIR assessment of the risk the vendor poses to your organization as a first party. That risk can be analyzed using the FAIR Materiality Assessment Model (FAIR-MAM) based on data access, server access or revenue access.
2. Comprehensive, continuous monitoring
Instead of questionnaires or outside-in scans, use inside-out telemetry from first and third parties as they access your network, reporting on a continuous basis. With the FAIR Controls Analytics Model (FAIR-CAM), you can gauge the breach likelihood for these actors.
3. Actionable Mitigations
CISOs complain that “I don’t control third parties so all I can do is the basic compliance stuff.” But to paraphrase quantitative risk management guru Douglas Hubbard, you have more controls than you think, and you should use them on the vendors on your network: call it zero trust for third party risk management.
Finally, what’s needed is a new model for an old paradigm – rethink the adversarial vendor-client relationship and move toward active collaboration, open dialogue and sharing of data with third parties. With that goal in mind, join us at the FAIR Institute as we develop FAIR-TAM through our Supply Chain Risk Workgroup – we welcome your participation in this important effort. Join the FAIR Institute!