The National Basketball Association (NBA) has begun notifying individuals that their personal data was stolen in a data breach at a third-party service provider. The NBA claims that impacted information includes names and email addresses, but no other types of personal information were accessed.
Since it is currently March Madness here in the U.S., and continuing the basketball theme, this post will review seven plays to keep your third-party risk management team from lobbing “air balls” against third-party data breach threats.
#1. Build a Winning Culture
Every coach will tell you that establishing a winning culture from the beginning is essential to long-term team and organizational success. The same is true for your third-party risk management program. Start with the right foundation, including defining:
- Clear roles and responsibilities (e.g., RACI) for teams across the organization
- Risk scoring and thresholds based on your organization’s risk tolerance
- Third, fourth and Nth parties in scope
- Assessment and monitoring methodologies based on third-party criticality
- Key performance indicators (KPIs) and key risk indicators (KRIs) to measure vendors against
- Policies, standards, systems and processes to protect data
- Contractual compliance and reporting on service levels
- Incident response requirements
- Stakeholder reporting
- Risk mitigation and remediation strategies
Championships are won during practice, so continually test and improve your organization’s TPRM processes to keep pace with changing threats.
#2. Draft the Right Players for Your Team and Set Contractual Expectations
Effective team building begins with drafting or trading for the right players, or signing free agents that align with your team’s culture. In third-party risk management, that means sourcing and selecting vendors that represent the least risk exposure to your company’s operations.
As part of your vendor selection process, compare and monitor important vendor risk information such as demographics, fourth-party technologies in use, ESG scores, recent business and reputational insights, data breach history, and financial performance. This will enable you to select vendors that are not only fit for purpose but also a fit for your organization’s risk appetite.
To maximize vendor performance, build measurable and enforceable key performance indicators into the vendor contract. This will make contract renewal discussions more transparent.
#3. Know Your Opponent
In the game of basketball, knowing your opponent means studying film before the game, understanding player-by-player matchups, and choosing the right starting five players to maximize your chances of a win. In third-party risk management, knowing your opponent is more difficult as they are unseen until they strike. That’s why it is essential to understand your vendor’s risk exposure to cybersecurity risks as these gaps are where the opponent will target.
Start by assessing selected third parties based on criticality or the extent of threats to their information assets by capturing, tracking and quantifying inherent risks. Criteria used to calculate inherent risk for third-party classification include:
- Type of content needed to validate controls
- Criticality to business performance and operations
- Location(s) and related legal or regulatory considerations
- Level of reliance on fourth parties (to avoid concentration risk)
- Exposure to operational or customer-facing processes
- Interaction with protected data
- Financial status and health
- Reputation
From this inherent risk assessment, your team can automatically tier suppliers; set appropriate levels of further due diligence; and determine the scope of ongoing assessments and continuous monitoring.
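The tiering step described above, as an added example that is not code from the original post or from Prevalent/Mitratech: it scores a vendor against the criteria listed, assigns a tier, and maps the tier to the scope of further due diligence. It goes slightly beyond the text by adding two override rules a practitioner would usually want (a floor tier for any vendor that touches PII, and an escalation when a fourth party is shared by several vendors, i.e. concentration risk). The weights, 1-5 rating scales, tier thresholds, due-diligence scopes and the sample vendors are constructed assumptions, not product defaults.

```python
"""Inherent-risk scoring and tiering for third parties (added example).

Weights, scales, thresholds, due-diligence scopes and sample vendors below
are constructed assumptions for illustration, not Prevalent/Mitratech defaults.
"""
from collections import Counter
from dataclasses import dataclass, field

# Constructed weights: how much each criterion contributes to the score.
# Every criterion is rated on a 1 (lowest risk) to 5 (highest risk) scale.
WEIGHTS = {
    "criticality": 3.0,            # importance to business operations
    "protected_data": 3.0,         # interaction with protected data
    "fourth_party_reliance": 1.5,  # reliance on subcontractors
    "customer_facing": 1.5,        # exposure to customer-facing processes
    "regulatory_exposure": 2.0,    # legal/regulatory weight of location(s)
    "financial_health": 1.0,       # 1 = healthy ... 5 = distressed
    "reputation": 1.0,             # 1 = clean ... 5 = adverse history
}

# Constructed tier thresholds on the normalised 0-100 score (tier 1 = highest risk).
TIER_THRESHOLDS = [(70, 1), (40, 2), (0, 3)]

# Constructed mapping from tier to further due diligence and monitoring scope.
DUE_DILIGENCE = {
    1: {"assessment": "full control assessment", "monitoring": "continuous", "reassess_months": 6},
    2: {"assessment": "standard questionnaire", "monitoring": "continuous", "reassess_months": 12},
    3: {"assessment": "self-attestation", "monitoring": "periodic", "reassess_months": 24},
}

# A fourth party used by this many vendors or more is treated as a concentration risk.
CONCENTRATION_LIMIT = 3


@dataclass
class VendorProfile:
    name: str
    ratings: dict                      # criterion -> rating on the 1-5 scale
    handles_pii: bool = False          # interacts with personally identifiable information
    fourth_parties: list = field(default_factory=list)  # subcontractors the vendor relies on


def inherent_risk_score(profile):
    """Weighted sum of the criterion ratings, normalised to 0-100 and rounded to 0.1."""
    max_raw = sum(5 * w for w in WEIGHTS.values())
    raw = 0.0
    for criterion, weight in WEIGHTS.items():
        rating = profile.ratings.get(criterion, 1)
        if not 1 <= rating <= 5:
            raise ValueError(f"{profile.name}: {criterion} rating must be 1-5, got {rating}")
        raw += rating * weight
    return round(100 * raw / max_raw, 1)


def assign_tier(profile, fourth_party_counts):
    """Tier from the score, then apply the PII floor and concentration escalation rules."""
    score = inherent_risk_score(profile)
    tier = next(t for threshold, t in TIER_THRESHOLDS if score >= threshold)
    reasons = [f"score {score}"]
    # Floor rule: a vendor touching PII is never lower than tier 2, whatever its score.
    if profile.handles_pii and tier > 2:
        tier = 2
        reasons.append("handles PII")
    # Concentration rule: a fourth party shared by many vendors escalates one tier.
    concentrated = [fp for fp in profile.fourth_parties
                    if fourth_party_counts.get(fp, 0) >= CONCENTRATION_LIMIT]
    if concentrated and tier > 1:
        tier -= 1
        reasons.append("concentration risk via " + ", ".join(concentrated))
    return tier, score, reasons


def tier_portfolio(vendors):
    """Tier every vendor, counting fourth-party reuse across the whole portfolio first."""
    counts = Counter(fp for v in vendors for fp in set(v.fourth_parties))
    results = {}
    for v in vendors:
        tier, score, reasons = assign_tier(v, counts)
        results[v.name] = {"tier": tier, "score": score, "reasons": reasons,
                           "due_diligence": DUE_DILIGENCE[tier]}
    return results


# Constructed sample portfolio; "cloud-host-x" is shared by three vendors on purpose.
SAMPLE_VENDORS = [
    VendorProfile("payroll-saas", dict(criticality=5, protected_data=5, fourth_party_reliance=3,
                  customer_facing=2, regulatory_exposure=4, financial_health=2, reputation=1),
                  handles_pii=True, fourth_parties=["cloud-host-x"]),
    VendorProfile("office-catering", dict(criticality=1, protected_data=1, fourth_party_reliance=1,
                  customer_facing=1, regulatory_exposure=1, financial_health=2, reputation=1)),
    VendorProfile("marketing-analytics", dict(criticality=2, protected_data=3, fourth_party_reliance=4,
                  customer_facing=3, regulatory_exposure=3, financial_health=3, reputation=2),
                  handles_pii=True, fourth_parties=["cloud-host-x"]),
    VendorProfile("support-chat", dict(criticality=3, protected_data=4, fourth_party_reliance=3,
                  customer_facing=5, regulatory_exposure=2, financial_health=2, reputation=1),
                  handles_pii=True, fourth_parties=["cloud-host-x"]),
    # Low-scoring vendor that only holds names and e-mail addresses: the PII floor still applies.
    VendorProfile("newsletter-tool", dict(criticality=1, protected_data=2, fourth_party_reliance=1,
                  customer_facing=2, regulatory_exposure=1, financial_health=1, reputation=1),
                  handles_pii=True),
]

if __name__ == "__main__":
    for name, r in tier_portfolio(SAMPLE_VENDORS).items():
        print(f"{name:20} tier {r['tier']}  {r['due_diligence']['assessment']:24} ({'; '.join(r['reasons'])})")
```

The point of the two override rules is that a pure weighted score can place a low-value vendor holding names and e-mail addresses (the data type in the NBA notification) in the lowest tier; the floor keeps it under continuous monitoring, and the concentration rule surfaces a single subcontractor whose compromise would hit several vendors at once.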
#4. Diagram Effective Plays and Respond Aggressively
Successful basketball teams play their game but constantly adjust their approach to improve their chances of winning. Agility is key here, and in third-party risk management that means continually assessing risks and responding to third-party vendor incidents accordingly.
Key components of an effective third-party incident response program include:
- Automated event and incident management questionnaires to determine risk exposure
- Defined risk owners with automated follow-up reminders to keep surveys on schedule
- Proactive vendor reporting to accelerate risk response
- Workflow rules to trigger actions on risks according to their potential impact to the business
- Built-in remediation recommendation guidance to reduce risk
- Built-in reporting templates
- Data and relationship mapping to identify the relationships between your organization and third parties in order to visualize information paths and determine at-risk data
Standardizing on a risk response framework will improve team performance by aligning around a single set of expectations.
#5. Maintain Possession
In college basketball, the possession arrow is used to determine which team will gain possession in situations where definitive control of the ball is not clear. For third-party risk management teams, we extend that definition to include the possession of data – sometimes you have it, and sometimes a third, fourth or Nth party has it.
To limit your risk exposure to data security incidents in your extended vendor ecosystem, identify fourth-party and Nth-party subcontracting relationships by conducting a questionnaire-based assessment or by passively scanning the third party’s public-facing infrastructure. The resulting relationship map will depict information paths and dependencies that could expose your environment to risk.
Once this is determined, conduct a data security and privacy assessment. Key considerations should include:
- Privacy Impact Assessments to uncover at-risk business data and where personally identifiable information (PII) exists, where it is shared, and who has access
- Control mapping and reporting against privacy regulations
- Continuous vendor data breach monitoring – including types and quantities of stolen data; compliance and regulatory issues; and real-time vendor data breach notifications
- Enforcing contractual data protection provisions from the beginning of the relationship
Knowing who has the ball (or in this case the data) is the first step to improving third-party incident response.
#6. Avoid Fouls
Nothing can alter a basketball team’s momentum more than a mis-timed foul. For third-party risk management teams, fouls can mean a damaging compliance violation. To efficiently demonstrate compliance and avoid fines, automate the collection of vendor risk information; quantify risks; offer remediations to vendors (or require compensating controls); and map results to established IT security controls frameworks such as ISO 27001, NIST, and others. A proactive view into vendor security practices can help your team get ahead of potential compliance fouls and speed reporting during audits.
#7. Know When to Trade Up
When the losses pile up or when team chemistry is suffering it may be time to change the lineup, and that could mean a trade. For third-party risk management teams, this means constantly monitoring contractual performance and offboarding vendors when KPIs, KRIs or SLAs are missed.
When a termination is required, leverage automation and workflows to:
- Perform a final review of the contract
- Settle any outstanding invoices
- Revoke access to IT infrastructure, data and physical buildings
- Review data privacy and information security compliance
- Update your vendor management database
- Continuously monitor vendors for potential future risks
Performing these tasks will reduce your organization’s post-contract risk exposure.
Next Steps to Mitigate Third-Party Data Breach Risks
If a cybersecurity incident such as the NBA data breach occurred in your vendor ecosystem, would your organization be able to quickly understand its implications to your business and activate its own incident response plan? Consider running these seven plays to improve your team’s performance, download the third-party incident response checklist, or contact us to schedule a personalized demonstration today.
Editor’s Note: This article was originally published on Prevalent.net. In October 2024, Mitratech acquired the AI-enabled third-party risk management company Prevalent. The content has since been updated to include information aligned with our product offerings, regulatory changes and compliance.