Value of a Third-Party InfoSec Assessment Program
RAJITA NAIR, April 2020
Information Security (InfoSec) professionals realize that any infosec program is only as strong as the weakest link. 3P (Third-Party) vendors with access to sensitive data are generally regarded as the weak link, so the focus is often on securing that 3P connection. However, given the scope and possible costs of securing this link, and the doubts regarding assessment methodology, it is easy to question the value of the TPRM program. InfoSec managers are often challenged by their superiors to prove the value of the TPRM program.
At ComplyScore, we manage thousands of assessments every year and are asked to assist in demonstrating the value of the program. Here are some points that I would like to share with you.
First, consider what happens if you don’t have a strong program. Let’s look at instances where companies suffered as a result of their vendors.
Visser Precision: In February of 2020, a data breach at Visser compromised contract data, pricing, and other highly sensitive details of companies like Tesla, Lockheed Martin, and SpaceX.
LabCorp: In August of 2018, a data breach at LabCorp’s vendor American Medical Collection Agency (AMCA) compromised the data of almost 7.7 million patients.
Home Depot: In 2014, a data breach compromised the credit card details of almost 56 million customers. Hackers used stolen credentials from third-party vendors to gain access.
Target: In 2013, almost 40 million customer credit and debit card details were compromised during a breach. The culprit? Again, a third party that had privileged access.
These are just a few of the reported incidents I have used as examples. The above examples demonstrate that even though there is an increasing awareness of cybersecurity, and even though companies are spending huge amounts of money on such security, third-party breaches are still one of the most significant risks.
Now, let’s look at the impact of these incidents:
Visser – took a hit in terms of reputation with this breach. The magnitude and the details are still being assessed, but sensitive contract details like pricing and manufacturing details were compromised.
LabCorp – spent almost $2.5 million after the breach to ramp up their security. A class-action lawsuit is pending.
Target – faced $18.5 million in lawsuits, and the CEO had to resign.
Home Depot – reached a settlement of $25 million.
On average (from what I have read, it is $3.92 million), individual companies have spent roughly $4 million in settlements. Additionally, there is the damage to the company’s reputation and customer confidence, countless hours spent in investigations and lawsuits, and even forced resignations of CEOs.
That is a steep price to pay.
These incidents remind us of the potential impact if you don’t have a methodical approach to TPRM.
A recent survey published in the Allianz Risk Barometer 2019 consistently ranked cyber-incidents as the top three areas of concern. Another interesting insight comes from Deloitte. In the survey conducted by Deloitte from March-July 2018, with respondents from 94 financial institutes around the world, almost 67% of the respondents named cybersecurity as one of the top three challenges they face and a risk that they feel is only going to increase in nature. The more interesting fact is that the Deloitte survey showed that respondents felt more confident in being able to handle breaches due to disruptive attacks, financial loss, and loss of data by customers. However, they did not feel as confident if the breaches occurred due to other nation-states and risks from third-party providers. The survey, along with the examples above, shows that we need to be proactive in addressing the issue, and we need to be proactive NOW.
Now that we have enough data to convince your leadership that TPRM is important and needs to be done, let’s talk about the cost and ROI. In short, let’s talk numbers:
With data breaches, the losses are generally in the millions of dollars. Companies take a hit in their reputation, and some have had to file for bankruptcy. Now, if we compare the cost they would have incurred had they been proactive about their risk exposure, the price tag would be significantly less. Assessments are proportional to the level of risk. ComplyScore does assessments for as little as $200 per assessment. So, if you spend between $250K to $500K, you can assess and secure a major part of your supply chain and de-risk your company to a great extent. Now that’s a significant ROI!
Value of assessments
You might ask, “How reliable is the questionnaire-based approach?” I have seen many clients that are initially apprehensive about the process and its reliability. For those with questions and concerns, there are ways and means that you can use to ensure the assessments are answered honestly. The security rating agencies add value as well. ComplyScore will discuss the value and reliability of the questionnaires and how to validate the answers in our upcoming blog.
I hope that I’ve been able to cover some talking points you can use to address the benefit of TPRM with your leadership. Cyber-incidents are only going to be more frequent in the future. You need to secure your organization by being diligent in your TPRM and your supplier risk management, and you need to address this issue now.