7 Critical Sources of Third-Party Risk Intelligence
Holistic third-party risk management (TPRM) programs combine periodic, inside-out assessments of internal vendor controls with continuous, outside-in monitoring of their external threats. By complementing vendor assessment results with a stream of outside intelligence, you’ll gain a more complete understanding of each vendor’s potential risk to your business.
When building monitoring into your third-party risk management program, be sure to tap sources of vendor intelligence that are both broad and deep. This post will get you started by outlining a use case for continuous monitoring and revealing key sources of third-party risk intelligence. It will also share best practices for success along the way.
A Use Case for Continuous Monitoring
Informing your vendor risk assessment activities with real-time cyber and business monitoring intelligence will make your TPRM program more continuous and less reactive. For example, you can use monitoring to scan the dark web for a vendor’s vulnerabilities, breaches and leaked credentials. You can then correlate this data with information gathered from vendor assessment questionnaires to reveal inconsistencies in password and/or patch management controls.
A strong TPRM solution not only handles this analysis, but also includes rules and automations that trigger follow-up assessments. This approach closes the loop on third-party risk and transforms point-in-time assessments into continuous risk monitoring.
Third-Party Risk Intelligence Sources
Making sound, risk-based decisions means consuming and normalizing data from many disparate sources. It’s easy to spend a lot of time finding, centralizing, and making sense of the data behind your vendor security posture. That’s why it’s important to consider a TPRM solution’s ability to aggregate and report on third-party intelligence in an actionable way.
Whether you’re evaluating risk monitoring solutions or taking a manual approach, be sure to look into these sources of third-party risk intelligence:
1. Public Sources
Common sources of publicly available – and likely free – third-party threat intelligence provide general industry news, trends and breach updates:
- Data breach sites review the impact of recent breaches (e.g., Data Breach Today)
- Corporate websites share press releases that could indicate potential risks (e.g., layoffs, financial news, etc.)
- Product and company review websites provide insight into customers’ thoughts on a company’s products (e.g., G2)
- Job boards and employee review websites expose how a company operates and indicate potential disruptions (e.g., Glassdoor)
- Trade publications and industry sites review trends that can impact a company’s operations (e.g., Manufacturing Today)
- Blogs and social media posts provide updates on company news, including security incidents (e.g., Recorded Future)
- Certification sites indicate a company’s level of security (e.g., SOC)
- News feeds provide continuous headlines
2. Private Sources
Private sources of third-party risk intelligence include fee-based data services and websites that may be difficult to find or dangerous to navigate. These sources can provide more detailed business and cyber risk intelligence about your third-party vendors.
- Credit reporting agencies provide a score indicating the financial health of a potential partner (e.g., Experian)
- Financial review sites discuss earnings and risks (e.g., Motley Fool)
- Legal action sites review lawsuits that can negatively impact a vendor’s business relationships and ability to execute (e.g., ClassAction.org)
- Threat feeds provide continuous updates on vulnerabilities and exposures (e.g., ThreatConnect)
- Paste sites include code that can be used to exploit a company’s defenses (e.g., Pastebin.com)
- Code repositories are similar to paste sites (e.g., Bitbucket.org)
- Hacker forums where cybercriminals are discussing attack targets and sharing information illegally*
- Dark web forums where you can find leaked credentials and other damaging company information*
Reliable providers of this intelligence feature a global research team that continuously searches for vendor exposures, utilizing multiple risk intelligence partners. This approach can deliver analytical insights that are particularly broad and deep.
*Monitoring hacker forums and dark web sites is best left to professional security researchers!
3. Regulatory Bodies
Industry and government regulators are critical sources of third-party risk intelligence. Many will publish information about enforcement actions and violations, which can result in fines or lawsuits affecting a vendor’s operations.
Your organization may also be legally required to ensure that its third parties meet compliance requirements. This can be accomplished by conducting vendor assessments and validating them with continuous monitoring.
Examples of major regulations and regulatory bodies that come up in third-party risk management include:
- CCPA – California Consumer Privacy Act
- GDPR – EU General Data Protection Regulation
- HIPAA – Health Insurance Portability and Accountability Act – Security and Privacy Rules
- NYDFS – New York Department of Financial Services, part 500
- OCC – US Office of the Comptroller of the Currency
- PCI – Payment Card Industry Data Security Standard
You can see a table of regulations that require vendor assessment and/or monitoring in our compliance section.
4. Industry Partnerships
If your industry has an Information Sharing and Analysis Center (ISAC), then membership in this organization should be mandatory for you. Examples include:
- The Healthcare Information Sharing and Analysis Center (H-ISAC) in the healthcare/pharmaceutical industry
- The Legal Vendor Network and Theorem Legal for law firms
- Shared Assessments for general third-party risk
5. Technology Integrations
Chances are, you are using several different products to manage risk throughout your enterprise. If your solutions operate in silos, then investigate how integrations can benefit your third-party risk intelligence gathering. For example, many organizations utilize ticketing and operations management solutions (e.g., ServiceNow) in conjunction with vendor risk monitoring solutions. In this case, linking ticketing with risk data can help to accelerate decision-making and facilitate remediation.
6. Vendor Assessment Responses
As you collect answers from completed assessments, you should ideally track and report on the responses in a central risk register. While third-party intelligence gathering is usually conducted on an individual basis, centralizing the data can inform subsequent activities across groups of industry vendors.
Common industry-standard assessments include:
- Shared Assessments Standard Information Gathering (SIG) questionnaire
- Cybersecurity Maturity Model Certification (CMMC) assessments
- National Institute of Standards and Technology (NIST) assessments for SP 800-53 and the Cybersecurity Framework
- International Organization for Standardization (ISO) questionnaires for 27001, 27002 and 27036-2
This is where the use case mentioned above comes into play. With automated rules, you can take vulnerabilities discovered through continuous monitoring, correlate them against assessment responses, and use the findings to trigger follow-up assessments.
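The correlation rules described in the use case above and in this paragraph, written out as an added example (not Prevalent's or Mitratech's code). The vendors, questionnaire fields, grace period and CVE placeholders are all constructed for illustration.

```python
"""Correlate outside-in monitoring findings with inside-out questionnaire
answers, and emit follow-up assessment triggers where the two disagree.
All vendors, answers and findings here are constructed sample data."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    vendor: str
    kind: str       # "leaked_credential" or "unpatched_cve"
    detail: str
    age_days: int   # how long the exposure has been observable


# Constructed questionnaire answers (hypothetical vendors and fields).
RESPONSES = {
    "acme-hosting":   {"credential_monitoring": True,  "patch_sla_days": 30},
    "globex-payroll": {"credential_monitoring": False, "patch_sla_days": 14},
}

# Constructed monitoring findings; the CVE identifiers are placeholders.
FINDINGS = [
    Finding("acme-hosting",   "leaked_credential", "3 logins in a public paste", 21),
    Finding("acme-hosting",   "unpatched_cve",     "CVE-PLACEHOLDER-A on web tier", 45),
    Finding("globex-payroll", "unpatched_cve",     "CVE-PLACEHOLDER-B on web tier", 7),
    Finding("globex-payroll", "leaked_credential", "1 login in a dump", 2),
    Finding("initech-saas",   "unpatched_cve",     "CVE-PLACEHOLDER-C on mail host", 3),
]

CREDENTIAL_GRACE_DAYS = 7  # assumed: how long a monitored leak may stay unaddressed


def correlate(findings, responses):
    """Return sorted (vendor, control_area, reason) triggers, one per inconsistency."""
    triggers = set()
    for f in findings:
        answers = responses.get(f.vendor)
        if answers is None:
            triggers.add((f.vendor, "onboarding", "finding but no assessment on file"))
        elif (f.kind == "leaked_credential" and answers["credential_monitoring"]
              and f.age_days > CREDENTIAL_GRACE_DAYS):
            # Vendor claims it monitors for leaked credentials, yet this leak is stale.
            triggers.add((f.vendor, "password management",
                          f"{f.detail} public for {f.age_days}d despite claimed monitoring"))
        elif f.kind == "unpatched_cve" and f.age_days > answers["patch_sla_days"]:
            # Exposure has outlived the patch SLA the vendor stated in its questionnaire.
            triggers.add((f.vendor, "patch management",
                          f"{f.detail} open {f.age_days}d > {answers['patch_sla_days']}d SLA"))
    return sorted(triggers)


if __name__ == "__main__":
    for trigger in correlate(FINDINGS, RESPONSES):
        print(*trigger, sep=" | ")
```

Findings that agree with the questionnaire (a leak at a vendor that admits it has no credential monitoring, a CVE still inside its stated SLA) produce no trigger, because the goal here is to surface inconsistencies rather than re-report every exposure.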
7. Vendor Risk Networks
Libraries of completed vendor assessments can provide you with the baseline assessment and risk scores for thousands of organizations. They are especially helpful for conducting sourcing and procurement due diligence on potential vendors. They also can give your security team a head start on risk analysis for your most important suppliers. Be sure to select a service that goes beyond delivering assessment scores to at least include external cyber security ratings. This will help you to bridge the gaps between vendor assessments and updates to the library.
Next Steps for Third-Party Risk Intelligence
More intelligence leads to better, more informed decision-making. Prevalent offers a range of vendor risk management software, networks and services that integrate assessment and monitoring to deliver a 360-degree view of third-party risk.
Learn about our proven, 5-step approach to vendor risk management in our best practices guide, or request a demonstration today.
Editor’s Note: This post was originally published on Prevalent.net. In October 2024, Mitratech acquired the AI-enabled third-party risk management provider Prevalent. The content has since been updated to include information aligned with our product offerings, regulatory changes, and compliance.