Value of a Third-Party InfoSec Assessment Program

RAJITA NAIR, April 2020


Information Security (InfoSec) professionals realize that their infosec program is only as strong as its weakest link. Third-party (3P) vendors with access to sensitive data are generally regarded as that weak link, hence the focus on securing them. However, given the scope and possible cost of securing this link, and the doubts regarding the assessment methodology, it is easy to doubt the value of a third-party vendor risk management (TPRM) program. InfoSec managers are often challenged by their seniors to prove the value of the TPRM program.

As a leading vendor risk management company, at ComplyScore, we manage thousands of assessments annually and are asked to assist in showing the value of the program. Here are some points that I would like to share with you.

Let us first consider what happens if you don’t have a strong IT vendor management program. Let us look at instances where companies suffered because of their vendors.

Visser Precision: In February 2020, a data breach at Visser compromised contract data, pricing, and other highly sensitive details of companies like Tesla, Lockheed Martin, and SpaceX.

LabCorp: In August 2018, a data breach at LabCorp’s vendor American Medical Collection Agency (AMCA) compromised the data of almost 7.7 million patients.

Home Depot: In 2014, a data breach compromised credit card details of nearly 56 million customers. Hackers used stolen credentials from third-party vendors to gain access.

Target: In 2013, almost 40 million customer credit and debit card details were compromised during a breach. The culprit? Again, a third party that had privileged access.

These are just a few of the reported incidents I have used as examples. They demonstrate that even though awareness of cybersecurity is increasing, and even though companies are spending a tremendous amount of money on security, third-party breaches are still one of the weakest links.

Now, let us look at the impact of these incidents.

Visser has taken a hit to its reputation with this breach. The magnitude and the details are still being assessed, but sensitive contract details such as pricing and manufacturing information were compromised.

LabCorp spent almost $2.5 million after the breach to ramp up their security. A class-action lawsuit is pending.

Target: $18.5 million in lawsuits. The CEO had to resign.

Home Depot: $25 million in a settlement.

On average (from what I have read, it is $3.92 million), companies have spent over $4 million in settlements. Additionally, there is the damage to reputation and customer confidence, the countless hours spent on investigations and lawsuits, and in one case even the forced resignation of the CEO.

That is a steep price to pay.

These incidents remind us of the potential impact of not having a methodical approach to TPRM.

General Consensus

A recent survey published in the Allianz Risk Barometer 2019 consistently ranked cyber incidents among the top 3 areas of concern. Another interesting insight comes from Deloitte. In a study conducted by Deloitte between March and July 2018, with respondents from 94 financial institutions around the world, almost 67% of the respondents named cybersecurity as one of the top 3 challenges they will face, and a risk that they expect will only increase.

The more interesting fact is that the Deloitte survey showed respondents felt more confident in their ability to handle breaches resulting from disruptive attacks, financial loss, and loss of customer data. But they did not feel as confident about breaches caused by nation-states or risks from third-party providers. The survey, along with the examples above, shows that we need to be proactive in addressing the issue, and we need to be proactive NOW.

Now that we have enough data to convince leadership that TPRM is an essential part of a robust vendor management system and needs to be done, let us talk about cost and ROI. In short, let’s talk numbers:

With data breaches, the losses are generally in the millions of dollars. Companies take a hit to their reputation; some have had to file for bankruptcy. Now compare that with the cost they would have incurred had they been proactive.

Assessment effort is proportional to the level of risk. ComplyScore does vendor risk assessments for as little as $200 per assessment. So if you spend between $250K and $500K, you can assess and secure a significant part of your supply chain and de-risk your company to a great extent. Now that’s a significant ROI.

Value of assessments

You might ask, “How reliable is the questionnaire-based approach?” I have seen that a lot of clients are initially apprehensive about the process and its reliability. For those with questions and apprehensions, there are ways and means you can use to ensure that the assessments are answered honestly.

Security rating agencies add value as well. ComplyScore will cover the value and reliability of questionnaires, and how to validate the answers, in an upcoming blog post.

I hope that I have been able to cover some talking points you can use to discuss the benefits of TPRM with your leadership. Cyber incidents will only become more frequent in the future. You need to secure your organization by diligently including TPRM and supplier risk management in your organization’s vendor governance program.