Third-party vendor risk can lead to hugely damaging incidents, yet many businesses focus on protecting their in-house systems and processes and pay less attention to those they hand over to others, who may be perceived as ‘experts’ and therefore safe.

However, as a number of recent data breaches have shown, this difficult issue deserves far more attention from boards. Security experts urge a much more joined-up, indeed enterprise-wide, approach and collective responsibility.

Risk framework

Far too often, a single department such as procurement or IT is responsible for setting up and managing third-party relationships, which means oversight can be less rigorous than it should be. Instead, time and effort need to be invested in risk-managing third parties from the outset.

All vendors should be required to provide information about their security and risk management standards, so that the business can verify whether they are, or can become, a trusted partner and identify possible exposures, particularly where the vendor has access to data.

Each vendor should be required to complete a questionnaire whose answers feed into a risk framework, which helps classify the vendor as high, medium or low risk. This must be backed by vetting, tight business controls and legal agreements, together with ongoing monitoring, which should be most frequent for the highest-risk vendors.

Some vendors may not appreciate this level of supervision, or being asked to provide references, for example. But if they prove reluctant, that should prompt serious discussion about whether the arrangement is going to be viable.

A recent Verizon report found that one of every two data breaches stems from third-party risks, which is why many risk managers may want to review this area, potentially at a root-and-branch level.

Dow Jones in the spotlight

This February it was revealed that an ‘authorized third party’ had exposed a highly sensitive Dow Jones watchlist held on a database and containing some 2.4 million records.


The names were categorized as ‘high-risk’ by the financial news company because they were understood to have potential links to organized crime or terrorism. Those on the list reportedly included politicians, suspected terrorists and white-collar criminals, and the details were said to include ages, locations, detailed notes of suspected wrongdoing and, in some cases, photographs.

Such a list can help businesses avoid dealing with disreputable organizations and so avoid being hit with sanctions or running into regulatory issues, such as those connected to anti-money laundering.

The names were held on an unsecured AWS server, and the database was spotted by Bob Diachenko, a security researcher who has uncovered other data breaches. He said the list was sitting on a public Elasticsearch cluster 4.4GB in size, accessible to anyone who knew where to look.

Board involvement

Dow Jones said the data was part of its risk and compliance offering, and a spokesman said:

“Our review suggests this resulted from an authorized third party misconfiguration of an AWS server, and the data is no longer available.”

Unsecured Elasticsearch databases have been behind a number of recent data breaches, including one involving 32 million Sky Brazil customers and a Thomson Reuters incident that also involved a watchlist and the exposure of 2.2 million records.

Outsourcing data and functions to other companies happens frequently, and for many reasons. But it does not mean abandoning responsibility: people with the right skills must be retained in-house both to manage vendors and to ensure that, if there is an incident, the response is fast and effective.

When it comes to managing third parties, regulators are watching, and boards, along with risk managers, must be engaged and involved.