The importance of third-party risk management

Third-party risk has become a hot topic. That’s in part because a breach that reaches an organization through a third party can significantly impact that organization’s operations, reputation, financial stability, or compliance status. And such breaches have been on the rise.

“Third parties, whether they’re vendors, suppliers, service providers, or anyone who has access to sensitive information and critical systems, need to be thoroughly evaluated,” says Tom Armstrong, a Senior Manager at Clark Schaefer Hackett. “By doing business with a third party, they become part of your universe. So, appropriately evaluating them, and identifying and remediating their risks, is extremely important.”

Smart Business spoke with Armstrong about how to better manage risks inherent in third-party relationships.

Who faces third-party risk?

Many small- to medium-sized enterprises do not have a robust third-party risk management program in place, whether run internally or led by an outside service provider, often because they don’t fully appreciate the risk. The risk takes several forms. Cybersecurity failures at a third party can become operational risk that disrupts services. Compliance risk can blend into financial risk through regulatory penalties. Organizations also face strategic risk from misalignment between a third party’s goals and practices and their own, and reputational risk that can translate into lost business and stick with a company for years.

All organizations should do an annual vendor review that establishes what data and networks each third party can access, and whether that third party’s systems have adequate protections against a breach.

How can organizations address these issues?

Third-party reviews should be a collaborative effort among internal teams such as risk management, compliance, IT, procurement and an internal or external legal adviser. As part of this risk management process, it’s important that organizations build strong relationships with their vendors, suppliers and service providers, which creates more transparency and collaboration when it comes to risk management. These third parties may get annoyed at answering all the questions and the seemingly constant reviews. The more an organization can build a strong relationship and a shared understanding of why such scrutiny is necessary, and that it benefits the third party as well as the organization, the better.

Keeping a close watch on guidelines and requirements from the relevant regulatory authorities is also important. Organizations can also turn to the regulators themselves in this process, for example through a support line, to get clarity on their guidelines. Industry peers can be useful as well: industry forums and peer groups are a good place to learn best practices.

SOC 2 reports, in which an independent auditor evaluates a company’s security controls and how it protects customer data from unauthorized access, are more frequently being requested in third-party contracts among businesses of all sizes. Who should be required to have such a report comes down to who is processing, managing or has full access to shared data. If a third party has those capabilities, it should have a SOC 2 report.

Third parties that do not manage or have access to sensitive information or critical networks might not need a SOC 2 report, but should still be covered by some form of risk assessment and mitigation, such as a Standardized Information Gathering (SIG) questionnaire. A SIG is a security information gathering tool that asks questions about the third party, its security posture, its privacy posture, and so on. It can be used in lieu of a SOC 2 report for third parties that have less access to organizational data.

Who can help?

In cases where internal teams are not equipped to run an adequate third-party risk management program, organizations can turn to accounting firms that specialize in this area and can be brought in to evaluate third parties in an audit setting. They can also help establish a standard operating procedure that is then handed off to the internal team.

Businesses in today’s world are interconnected, and their networks are often intertwined. A third-party risk management program is essential for safeguarding operations and reputation, and for maintaining compliance with regulatory standards.

INSIGHTS Accounting is brought to you by Clark Schaefer Hackett.

Tom Armstrong, Senior Manager, Clark Schaefer Hackett