The Financial Conduct Authority (FCA) has released its FCA Cyber Security – Industry Insights briefing paper, developed from the output of its Cyber Coordination Groups (CCGs) to aid the improvement of cyber security practices amongst members and to promote understanding and awareness of innovative cyber practices.
The paper provides a view of the policies, process and practices applied to governing cyber security, including Third-Party Risk Management (TPRM), within the group’s member organisations and offers the opportunity to learn and apply tried-and-tested best practice from industry peers.
We’ve looked at the detail and summarise the highlights for third-party risk practitioners:
Good governance starts with Tone at the Top
Governing cyber risk should be no different to the way organisations govern any other business risk or activity. The ability to execute and retain resources is closely linked to its stature within the organisation’s objectives and priorities. Whilst members of the CCG agree there is no “one-size-fits-all” approach to the exact operational approach (roles and responsibilities, risk appetite, framework delivery), in order to succeed cyber risk should be:
a) On the Executive board’s agenda, with supporting education provided as necessary
b) Aligned to business objectives and considered part of the Enterprise Risk Management framework
c) Measured and reported with high quality actionable intelligence – in simple and useful terms (e.g. financial loss or brand damage)
This advice echoes the overall findings of the 2019 Vendor Risk Management Benchmark Study produced by Shared Assessments and Protiviti which found that high levels of board engagement directly correlate with best-in-class TPRM maturity.
Functioning in an eco-system – Think bigger picture
Scoping and categorising third-parties provides a foundation to understand the scale and form of resources you’ll need to deliver an effective TPRM program.
Understanding your organisation’s connectivity between and dependency on external “partners” is key to this. Typically, the initial focus of TPRM will be on suppliers, given they are the easiest to identify and there will typically be a financial or contractual trail to point to. However, the cyber supply chain extends much further – wherever data and risk are shared, for example:
Downstream into any third-party, platform or service provider you outsource to AND who they may further outsource to – i.e. your 4th, 5th, “nth” parties
Upstream into client and customer organisations, and
Horizontally within the separate legal entities of business units, group and subsidiary companies, joint ventures etc.
As the FCA puts it, “Adopting the view that you only need to be concerned with suppliers limits the ability to think wider about third-party risk.”
You can outsource the solution but… you can’t outsource risk
A simple but oft-forgotten message, especially in more senior ranks. Increasingly, regulations, including the likes of the EU General Data Protection Regulation (GDPR) and the UK Data Protection Act 2018, place ultimate responsibility for the security of data and systems on the owner/manager.
Whilst contracts with third-parties and suppliers can and should clearly apportion responsibility for the secure management or processing of data downstream, firms are legally required to assure that the appropriate levels of governance, controls, monitoring, etc. are in place throughout the supply chain – as the buck will ultimately rest with them in the event of any breach or event.
Ensuring the “right to audit” is included within each contract, with clear and appropriate periodic or event-based triggers, puts you in greater control of the assurance process. It may also be worth detailing the minimum breadth or depth of any such assessment or audit within these clauses, but great care should be taken to ensure you do not limit your ability to act should the clause be triggered.
Prioritise, Monitor and Detect
Establishing an effective program of ongoing threat detection, monitoring and risk assessments is the most practical and ultimately vital part of the ongoing success of any risk management program.
Whilst many organisations understandably focus attention on threat intelligence for direct attacks on their own systems and data, given that 65% of incidents now involve your third-party organisations, you should ensure a proportional amount of time and effort is applied to monitoring your third-parties’ security posture, and so on down the supply chain. Resources and tooling should be geared to monitor and assess each risk and third-party (or group/tier) in the most effective and efficient way.
There are a variety of continuous monitoring and assessment process automation tools as well as managed service providers available in the market. The key is ensuring you choose a robust third-party risk assessment solution that allows you to identify the “Indicators of Compromise” that are critical to your risk management strategy and adequately manage the mitigation and remediation for a complete third-party risk management audit trail.
Education, education, education
Finally, risk management is a team sport, and everyone can play their part. From the very top of the organisation down, the ongoing training of your human resources on the cyber risks and practical security policies and procedures you have in place should be a minimum expectation of your risk management program. The key to success is making education appropriate to their roles and responsibilities in both scope and language that will ultimately empower them to identify risks and react and respond effectively.
Sharing your risk insights with third-parties is equally important and helps to drive a relationship away from customer-supplier to one of partnership and shared-ownership where cyber security and risk management strategies can be better aligned and stronger security postures achieved.
For the full picture, download the FCA Cyber Security Industry Insights March 2019 briefing paper.
You’re only as strong as your weakest link
That is why DVV Solutions has developed a range of services and solutions to deliver more effective and efficient third-party risk management for national and local public sector organisations. Our suite of consultative and managed services delivers significant improvements in
– developing and maturing current risk methodologies and frameworks,
– scaling resources to supplement and enhance existing risk assessment programs, and
– delivering time and cost efficiencies through established best-practice and workflow automation
to enable risk assurance teams to spend more time on what’s important: eliminating control gaps, raising security standards and reducing overall risk.