Third-party risk management is still rather early in its maturity because it is a difficult task to accomplish and, in the roundtable's candid opinion, nobody likes to do it. In fact, the moderator, Thusu, believes that it can really only exist in companies that have the resources and budget available to maintain it. The group agreed that you must have the right to audit in your contract with critical third-party providers who have access to your data. Furthermore, participants agreed that you must be involved up-front in the life cycle of your relationship with third parties. For example, security and IT teams must be involved, and an evaluation period should be required before the business buys new SaaS that will expose all of your data to these third parties. It sounds like a difficult transition to make, but the participants of the roundtable noted that if you do this at the outset of your relationship with these third parties, you will not have to play "catch up" down the road.
Another key aspect of your risk management is knowing which vendors to prioritize among the dozens or even hundreds of solution providers working with your company, all of whom have access to your systems or data at some level. Some providers are quicker to reach and quicker to evaluate, while others take longer and hold more permissions than the rest, so your team needs a ranking list to work through. And finally, how does cyber insurance fit into this ecosystem of third-party risk management? Your team may be taken by surprise when your insurance policies do not cover every possible risk, so teams should take the time to review their policies and liability coverage to ensure they cover what you need.
All in all, it is an area that needs far more traction and visibility. Though it is still immature in its development, if we actively work toward solutions, we can quickly begin to evolve and further secure our organizations.