The National Basketball Association (NBA) has begun notifying individuals that their personal data was stolen in a data breach at a third-party service provider. The NBA claims that impacted information includes names and email addresses, but no other types of personal information were accessed.
Since it is currently March Madness
here in the U.S., and continuing the basketball theme, this post will review seven plays to keep your third-party risk management team from lobbing “air balls” against third-party data breach threats.
#1. Build a Winning Culture
Every coach will tell you that establishing a winning culture from the beginning is essential to long-term team and organizational success. The same is true for your third-party risk management program. Start with the right foundation, including defining:
- Clear roles and responsibilities (e.g., RACI) for teams across the organization
- Risikoeinstufung und Schwellenwerte auf der Grundlage der Risikotoleranz Ihres Unternehmens
- Third, fourth and Nth parties in scope
- Bewertungs- und Überwachungsmethoden auf der Grundlage der Kritikalität von Dritten
- Key performance indicators (KPIs) and key risk indicators (KRIs) to measure vendors against
- Richtlinien, Standards, Systeme und Prozesse zum Schutz von Daten
- Einhaltung von Vorschriften und vertraglichen Berichterstattungsanforderungen in Bezug auf Service-Levels
- Anforderungen an die Reaktion auf Vorfälle
- Stakeholder reporting
- Strategien zur Risikominderung und -behebung
Championships are won during practice, so continually test and improve your organization’s TPRM processes to keep pace with changing threats.
#2. Draft the Right Players for Your Team and Set Contractual Expectations
Effective team building begins with drafting or trading for the right players, or signing free agents that align with your team’s culture. In third-party risk management, that means sourcing and selecting vendors that represent the least risk exposure to your company’s operations.
As part of your vendor selection process, compare and monitor important vendor risk information such as demographics, fourth-party technologies in use, ESG scores, recent business and reputational insights, data breach history, and financial performance. This will enable you to select vendors that are not only fit for purpose but also a fit for your organization’s risk appetite.
To maximize vendor performance, build measurable and enforceable key performance indicators into the vendor contract. This will make contract renewal discussions more transparent.
#3. Know Your Opponent
In the game of basketball, knowing your opponent means studying film before the game, understanding player-by-player matchups, and choosing the right starting five players to maximize your chances of a win. In third-party risk management, knowing your opponent is more difficult as they are unseen until they strike. That’s why it is essential to understand your vendor’s risk exposure to cybersecurity risks as these gaps are where the opponent will target.
Start by assessing selected third parties based on criticality or the extent of threats to their information assets by capturing, tracking and quantifying inherent risks. Criteria used to calculate inherent risk for third-party classification includes:
- Art des für die Validierung der Kontrollen erforderlichen Inhalts
- Kritische Bedeutung für die Unternehmensleistung und den Betrieb
- Standort(e) und damit verbundene rechtliche oder regulatorische Erwägungen
- Grad der Abhängigkeit von vierten Parteien (zur Vermeidung von Konzentrationsrisiken)
- Erfahrung mit operativen oder kundenorientierten Prozessen
- Interaktion mit geschützten Daten
- Finanzieller Status und Gesundheit
- Reputation
From this inherent risk assessment, your team can automatically tier suppliers; set appropriate levels of further due diligence; and determine the scope of ongoing assessments and continuous monitoring.
#4. Diagram Effective Plays and Respond Aggressively
Successful basketball teams play their game but constantly adjust their approach to improve their chances of winning. Agility is key here, and in third-party risk management that means continually assessing risks and responding to third-party vendor incidents accordingly.
Key components of an effective third-party incident response program include:
- Automated event and incident management questionnaires to determine risk exposure
- Festgelegte Risikoverantwortliche mit automatischer Erinnerungsfunktion, um die Erhebungen im Zeitplan zu halten
- Proactive vendor reporting to accelerate risk response
- Workflow rules to trigger actions on risks according to their potential impact to the business
- Anleitung von eingebauten Sanierungsempfehlungen zur Risikominderung
- Integrierte Berichtsvorlagen
- Daten- und Beziehungsmapping zur Identifizierung von Beziehungen zwischen Ihrem Unternehmen und Dritten, um Informationspfade zu visualisieren und gefährdete Daten zu ermitteln
Standardizing on a risk response framework will improve team performance by aligning around a singe set of expectations.
#5. Maintain Possession
In college basketball, the possession arrow is used to determine which team will gain possession in situations where definitive control of the ball is not clear. For third-party risk management teams, we extend that definition to include the possession of data – sometimes you have it, and sometimes a third, fourth or Nth party has it.
To limit your risk exposure to data security incidents in your extended vendor ecosystem, identify fourth-party and Nth-party subcontracting relationships by conducting a questionnaire-based assessment or by passively scanning the third party’s public-facing infrastructure. The resulting relationship map will depict information paths and dependencies that could expose your environment to risk.
Once this is determined, conduct data security and privacy assessment. Key considerations should include:
- Privacy Impact Assessments to uncover at-risk business data and where personally identifiable information (PII) exists, where it is shared, and who has access
- Control mapping and reporting against privacy regulations
- Continuous vendor data breach monitoring – including types and quantities of stolen data; compliance and regulatory issues; and real-time vendor data breach notifications
- Enforcing contractual data protection provisions from the beginning of the relationship
Knowing who has the ball (or in this case the data) is the first step to improving third-party incident response.
#6. Avoid Fouls
Nothing can alter a basketball team’s momentum more than a mis-timed foul. For third-party risk management teams, fouls can mean a damaging compliance violation. To efficiently demonstrate compliance and avoid fines, automate the collection of vendor risk information; quantify risks; offer remediations to vendors (or require compensating controls); and map results to established IT security controls frameworks such as ISO 27001, NIST, and others. A proactive view into vendor security practices can help your team get ahead of potential compliance fouls and speed reporting during audits.
#7. Know When to Trade Up
When the losses pile up or when team chemistry is suffering it may be time to change the lineup, and that could mean a trade. For third-party risk management teams, this means constantly monitoring contractual performance and offboarding vendors when KPIs, KRIs or SLAs are missed.
When a termination is required, leverage automation and workflows to:
- Perform a final review of the contract
- Settle any outstanding invoices
- Revoke access to IT infrastructure, data and physical buildings
- Review data privacy and information security compliance
- Update your vendor management database
- Continuously monitoring vendors for potential future risks
Performing these tasks will reduce your organization’s post-contract risk exposure.
Next Steps to Mitigate Third-Party Data Breach Risks
If a cybersecurity incident such as the NBA data breach occurred in your vendor ecosystem, would your organization be able to quickly understand its implications to your business and activate its own incident response plan? Consider running these seven plays to improve your team’s performance, download the third-party incident response checklist, or contact us to schedule a personalized demonstration today.
Anmerkung der Redaktion: Dieser Beitrag wurde ursprünglich veröffentlicht auf Prävalent.net. Im Oktober 2024 übernahm Mitratech das KI-gestützte Risikomanagement für Dritte, Prevalent. Der Inhalt wurde seitdem aktualisiert und enthält nun Informationen, die auf unser Produktangebot, regulatorische Änderungen und Compliance abgestimmt sind.
