Doing business in the digital age means entrusting the protection of sensitive data to external partners. It is a proposition that can make any organization lose sleep, yet as technology continues to re-define corporate relationships, it is also re-shaping our approach to third-party risk management.
"The first thing we must remember is you can never outsource accountability with respect to protecting data," says David Bruyea, Senior Vice President and CISO, Architecture and Information Security, CIBC. "Your third-party vendors or cloud-based services are stewards of your information, not the owners. You, as an organization, have to take an active role in making sure they have the right controls in place and a culture geared towards cyber security to keep it protected."
With repeated news of cyber attacks and data breaches, it is little wonder why organizations are devoting more attention to what data they are sharing with outside parties, who they are sharing it with, and what measures are being taken to secure it.
Critical to those discussions, however, is an understanding of one's current risk posture and the controls already being used by the organization to shore its defenses. For example, Bruyea offers, "Our approach at CIBC is to adapt and evolve our risk management strategy based on what we learn about the ever-changing digital environment. That has meant uncovering the real risks of making our data available to vendors and cloud-based partners, and modifying our risk assessment, risk remediation, and intelligence-gathering processes accordingly. Beyond that, it has also required us to become more advanced in adopting market leading tools and capabilities to better manage emerging threats."
At the core of that strategy, he adds, is a fundamental understanding of CIBC's internal standards, "In order for you manage outside risks, you need to have a strong sense of your own standards and responsibilities. If you do not have that for yourself, or you cannot adequately define them, chances are you will not have a solid position about what you should expect from others."
Establishing strong internal standards is one step towards mitigating third-party risk. Another is ensuring potential partners are willing (and able) to rise to those same expectations. Herein, says Bruyea, it is beneficial for both partners to collaborate on risk mitigation from the get-go, "We have had great success in working with businesses in the early stages of a partnership – be it third-party or cloud-based – to help them identify their inherent risks and strategies for addressing them. Along with that, we want to make sure we align the contract incentives and interests of the other party with what we believe the key risks are going forward with them."
Certainly, not all third-party vendors are mature enough to uphold a partner's standards. This is especially true for start-ups, fast-growing fintechs, and young market newcomers. This poses an opportunity for larger, more established players to assist in fostering those capabilities and, in so doing, influence the development of secure and sustainable partnerships.
Drawing from CIBC's experience, Bruyea notes, "If one of the most important aspects of third-party risk mitigation is your approach, rather than enforcing your standards, organizations should flip it around to say, 'How can we help you identify the risks you are dealing with early, and how can we help manage the compliance process easily?"
The process of building risk mitigation capabilities within a potential partner can include conducting gap assessments, testing controls, drafting compliance plans, offering cyber security training, and contributing to a more proactive approach.
At the end of the day, Bruyea says, "Going through those early assessments and activities not only improves their posture and ability to get contracts from other banks going forward, it gives us confidence they have the right elements in place to protect our information if we are going to trust them with it."
In managing third-party risk, organizations must also account for their partners' own network of service providers.
"We treat our third-party provider as the manager of those fourth and fifth party providers," offers Bruyea. "What's more, we make sure we have explicit knowledge of any sub-contracting they engage in so we can determine if that equates to a risk for our business."
The same considerations apply to multi-tenant cloud environments. That said, there are technological safeguards such as virtual machine introspection making their way to market that can manage cloud-based risk by equipping organizations with the ability to manage every second of their data's journey.
"We used to wring our hands over the potential issues of operating in a cloud environment because the technology was not there to give us assurances. Now, there are new technologies coming on stream that provide those assurances by giving us greater oversight of how our information is being treated," says Bruyea.
"That speaks to the incredible investment cloud providers are making in their security infrastructure." he adds.
In addition to new tools, there are oversight servicesthat provide cyber security risk ratings for organizations across the globe. Over time, these services will become more sophisticated, standardized, and become more widely utilized.
Ultimately, says Bruyea, "What I would like to see is application programming interfaces (APIs) opened up by these organizations so they can be activated by these third-party inspection sites; and then moving down the path of certifying those APIs as providing the right information to help organizations do business in a more trusting way."
It might seem like simple advice, but it is worth repeating: if the risks of making specific types of data available to third-parties or a cloud-based platform are too great, then do not make the data available.
"It takes a sophisticated capability to determine what you want out there and what you do not, but if you are overly concerned about workload and the types of risks you can run in a public environment, then do not put it out there." notes Bruyea.
There is nothing simple about managing risk in the age of disruption. By understanding the inherent risks of third-party partnerships, taking preemptive steps to bring all parties up to (and beyond) cyber security standards, and collaborating on risk mitigation strategies with seasoned consultants, organizations can build more secure relationships on solid foundations.