FTC's Proposed Amendments Show a Growing Demand for Third-Party Cyber Risk Management
By explicitly including provisions addressing 'external risks to the security, confidentiality, and integrity of customer information' and 'the sufficiency of any safeguards in place to control these risks,' the FTC is shining a spotlight directly on third-party cyber risks.
April 30, 2019 at 07:00 AM
The Federal Trade Commission (FTC) has proposed amendments to its Safeguards Rule under the Gramm-Leach-Bliley Act that update what organizations must do to establish a reasonable cybersecurity program. Several of the revised requirements involve internal actions of a company, such as designating a chief information security officer (CISO) who reports on cybersecurity to the board of directors at least annually. That requirement is not new; it closely mirrors the cybersecurity regulation issued by the New York Department of Financial Services (NYDFS). Some of the biggest changes, however, concern external actions and partners.
The FTC recognizes that in today's technology and business environment, many operational systems depend on cooperation, coordination and interoperability of data and access between systems operated, owned or licensed by multiple organizations. While this is significant, it should not be a surprise. Many of the largest data breaches began not within the company, but at a business partner, supplier, outsourcer or other outside organization. By explicitly including provisions addressing “external risks to the security, confidentiality, and integrity of customer information” and “the sufficiency of any safeguards in place to control these risks,” the FTC is shining a spotlight directly on third-party cyber risks.
Managing Growing Third-Party Cyber Risks
The findings from Kroll's investigations of thousands of cyber incidents mirror those of the FTC, indicating that many, if not most, of these events were preventable. Our investigators regularly find that incidents at third parties occurred because the original company didn't consider, inquire about or fully evaluate the risks of partnering with the third party. The fact is that when it comes to third-party cybersecurity, not knowing is no longer acceptable.
Some third parties provide outsourced cyber infrastructure (for example, Amazon Web Services or Microsoft Azure). These providers typically document their security features and often make independent certifications and audit reports available for customer review, but reviewing their documents alone is insufficient. Under a shared-responsibility model, it is up to you to determine that you are using their security services appropriately. Just because a provider offers a security feature (encryption at rest, logging, network restrictions) doesn't mean that you've chosen to turn it on.
Most third-party business partners, suppliers or vendors are much smaller and less sophisticated, and you should actively determine the security they employ, the access they will be given and the degree of risk that the connection to that organization represents. For an organization of any size, the number of engaged third parties can quickly scale into the hundreds, or even thousands. This is where a third-party cyber risk management solution helps in assessing and interpreting vendor risks, along with the factors to consider when evaluating a potential (or actual) partner organization.
These solutions accelerate the data gathering and analysis phase, allowing an organization to quickly make risk-informed decisions utilizing industry standard security frameworks such as the NIST Cybersecurity Framework—the same standard controls on which the NYDFS regulations and the FTC's proposed regulations are based. To optimize these decisions, risk assessments and control compliance must be contextualized within your relationship with a given third party.
Understanding the Impact of Third Parties
It is important to understand the impact third-party organizations can have on your company's cybersecurity. Whether you allow third parties to access your systems, you access theirs or you provide data to a third party, there is risk that must be actively managed. Ignoring this fact doesn't manage or control the risk, it just sets you up for unpleasant surprises at some point down the road.
You also need to determine the degree of connectivity between your systems and the third party. This is largely driven by the functions that need to be performed by the third party and the architecture of your systems. Once this is understood, you should ask three questions:
- Are we providing access to only those systems and functions that are necessary?
- How are we limiting the access?
- Do we know that the restrictions are working?
We repeatedly see that providing more trust, access or privilege than is required to a third party can lead to serious issues.
When a third party is permitted to access your systems, it is important to determine how secure the credentials or other authentication methods used for that access are. Have you considered restricting access by source IP address, so that even with valid credentials, access is granted only if the request comes from an address range the third party has provided to you (an allowlist)? Is remote access also protected with two-factor authentication? For example, when a correct user ID and password are provided, the system might send an authentication prompt to the authorized user's mobile phone and require a response before the session is allowed. Each of these controls should be verified in practice, not just on paper, by reviewing access logs for successful logins that should have been blocked.
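The controls just described, as an added example that is not part of the original article: a small access-policy check that requires valid credentials, a source IP inside the vendor's declared ranges and a completed second factor, together with an audit that runs over access-log lines and flags successful logins that violate either restriction (the third question above, "do we know the restrictions are working?"). The vendor names, address ranges, user record and log lines are constructed for illustration; the log format is a hypothetical key=value layout, not any real product's.

```python
"""Third-party remote-access policy check and log audit (added example, constructed data)."""
import hashlib
import hmac
import ipaddress

# Hypothetical allowlist: ranges each vendor told us its staff connect from.
# Both ranges are RFC 5737 documentation networks, chosen so nothing here is routable.
VENDOR_ALLOWLIST = {
    "acme-payroll": [ipaddress.ip_network("203.0.113.0/24")],
    "bolt-logistics": [ipaddress.ip_network("198.51.100.0/25")],
}

_SALT = b"constructed-salt-for-example"


def _hash(password: str) -> bytes:
    """Derive a password hash (PBKDF2) so plaintext is never stored or compared."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)


# Hypothetical credential store: username -> (vendor, password hash)
USERS = {
    "jdoe@acme-payroll": ("acme-payroll", _hash("correct horse battery staple")),
}


def ip_allowed(vendor: str, ip: str) -> bool:
    """True if the source address falls inside one of the vendor's declared ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in VENDOR_ALLOWLIST.get(vendor, []))


def authorize(username: str, password: str, source_ip: str, second_factor_ok: bool):
    """Evaluate a remote-access request. All three controls must pass.

    Returns (allowed, reason). The reason is what you would write to the access log.
    """
    record = USERS.get(username)
    # Compare against a dummy hash for unknown users so timing does not reveal valid names.
    stored = record[1] if record else _hash("")
    if not hmac.compare_digest(stored, _hash(password)) or record is None:
        return False, "bad credentials"
    vendor = record[0]
    if not ip_allowed(vendor, source_ip):
        return False, "source ip not in vendor allowlist"
    if not second_factor_ok:
        return False, "second factor not completed"
    return True, "ok"


# Constructed access-log lines in a hypothetical key=value format.
SAMPLE_LOG = """\
2019-04-30T07:00:01Z vendor=acme-payroll user=jdoe src=203.0.113.7 result=ALLOW mfa=yes
2019-04-30T07:02:13Z vendor=acme-payroll user=jdoe src=192.0.2.55 result=ALLOW mfa=yes
2019-04-30T07:05:40Z vendor=bolt-logistics user=mlee src=198.51.100.200 result=DENY mfa=no
2019-04-30T07:09:02Z vendor=bolt-logistics user=mlee src=198.51.100.9 result=ALLOW mfa=no
"""


def audit(log_text: str):
    """Return (line_number, reason) for every successful login that the controls should have blocked.

    Only ALLOW results are examined: a DENY means the control worked.
    """
    findings = []
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        fields = dict(token.split("=", 1) for token in line.split()[1:])  # skip timestamp
        if fields.get("result") != "ALLOW":
            continue
        if not ip_allowed(fields["vendor"], fields["src"]):
            findings.append((line_no, "allowed from ip outside vendor allowlist"))
        if fields.get("mfa") != "yes":
            findings.append((line_no, "allowed without second factor"))
    return findings


if __name__ == "__main__":
    print(authorize("jdoe@acme-payroll", "correct horse battery staple", "203.0.113.7", True))
    print(authorize("jdoe@acme-payroll", "correct horse battery staple", "192.0.2.1", True))
    for finding in audit(SAMPLE_LOG):
        print("finding:", finding)
```

Run against the constructed log, the audit reports line 2 (a successful login from 192.0.2.55, outside the payroll vendor's range) and line 4 (a successful login with no second factor). Either finding means a restriction you believe is in place is not actually being enforced, which is exactly the gap the three questions are meant to surface; in production the allowlist would come from the vendor contract or onboarding record and the log lines from your VPN or identity provider.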
When you provide an organization access to your data, once they have it, you remain accountable for their data security failures. If you don't know how effective their security is, you're assuming their risk in the dark. You either need a review by an independent third party (most likely a cybersecurity firm) documenting the state of their security, or a tool that gathers enough information for you to judge how effectively they are carrying out their cybersecurity responsibilities.
It is not unreasonable to ask a potential partner whether they have active cyber insurance, what that insurance consists of and how much coverage there is. You want to make sure if there is an incident involving your (or your customer/client's) data that there is coverage to assure a complete response. Consider having your risk manager or general counsel involved in reviewing their response.
Finally, ask the partner whether they are willing to execute an agreement that mandates good cybersecurity practices and obligates them to notify you if they know or suspect that a breach may have occurred. Work with your general counsel (or outside counsel) to draft the terms of such an agreement.
Regulatory standards to “implement and maintain reasonable security procedures and practices” are included in California's forthcoming Consumer Privacy Act (CCPA), and will no doubt appear in others. The updated guidance from the FTC and NYDFS show a rising pressure to manage risks both within and outside of your organization—with a particular focus on third parties. While there is no magic formula for managing third-party risk, ignoring the risk is simply unacceptable.
Alan Brill is a senior managing director with Kroll's Cyber Risk practice. As the founder of Kroll's global high-tech investigations practice, Alan has led engagements that range from large-scale reviews of information security and cyber incidents for multibillion-dollar corporations to criminal investigations of computer intrusions. Shay Colson is a director in the firm's Legal Management Consulting practice at Duff & Phelps and leads the Assessment Team for CyberClarity360. He joined the firm from the U.S. Department of the Treasury and has over a decade of experience in cybersecurity and information assurance, with a focus on designing and building secure systems.