The Growth of Third Party Risk Management (TPRM) Firms

Cybersecurity and the Continued Risks

Back in the day, we played cops and robbers with sticks and plastic squirt guns.  Sometimes you were pursued, at other times you were the pursuer.  There wasn’t much more to do than hide behind a trash can and maybe divert attention by tossing some object far from your hiding point. Sound a lot like today’s cyber battles? Not really!

Today’s bad guys enter your offices through the back door, and often directly through the front door.  They can easily access badges, security codes and passwords, and once in the office, know exactly where the jewels are located – and how to access them – while leaving barely a fingerprint behind.

COVID-19 has quickly pushed all of our data and activity to the cloud. This means that your corporate data protection and security is more often than not outsourced by your IT staff to third party services providers who are managing all elements of your company’s daily technology and services deployment. AWS, Google Cloud, Microsoft Azure and a myriad of cybersecurity ‘gold standard’ providers are actually not much more secure than the old chain lock I wrapped around my bicycle back in the day – that was severed with heavy duty chain cutters and away went my new Raleigh 10 speed Grand Prix. They are a deterrent, no doubt, but not the Holy Grail of protection, for sure.

Third Party Risk Management

We have seen a new industry emerge and thrive over the past few years that aims to provide an additional level of security for organizations outsourcing data and operations to cloud services providers. That industry is called Third Party Risk Management (TPRM), and consulting firms have developed entire stand-alone practices dedicated to helping clients understand, quantify, and navigate their relationships with third party services providers.  TPRM in a more innocent era was a function of supply chain and third-party logistics (TPL) protection. The pharmaceutical industry had to ensure that pills were not adulterated on their path from production to store shelves; manufacturers had to know their suppliers and producers in offshore facilities while guaranteeing customers that a component or additive produced in, say, Vietnam would perform up to a US or European standard.  In more extreme scenarios, industrial manufacturers outsourcing production to less-regulated zones opened themselves to serious IP exposure.

Security Provisioning

What this adds up to is that paying an invoice for your cloud service provider is only the first stage of an adventure into security provisioning and does not comprehensively secure your assets.  Your company’s vulnerability is becoming a more visible line item on the balance sheet, in the form of Directors and Officers Insurance at the Board level, and impairment to a company’s brand, data, operations or viability at the most basic level.  Boards and senior management may bear financial responsibility for negligence, which can be defined as a simple failure to properly assess third party security providers. The U.S. Office of the Comptroller of the Currency (OCC) writes in its risk management guidance:

A bank’s use of third parties does not diminish the responsibility of its board of directors and senior management to ensure that the activity is performed in a safe and sound manner and in compliance with applicable laws.

3rd Party Security

Companies today are focused more than ever on how to manage TPRM and TPSM (third party security management) challenges, while minimizing associated costs and not beefing up back office/administrative (non-revenue generating) resources.  Shareholders, stakeholders, and employees depend on a company’s sound stewardship during these unprecedented times. A balance needs to be reached that ensures that the buyer of said services (the company) is adequately protecting itself against exposures generated by third party services firms’ employees who may go rogue, make an error, fail to follow security guidelines or in some material way, knowingly or unknowingly, compromise their – and your – company’s vitality.

Business Security Audit

Professional Services firms engaged in providing third party risk services have prepared detailed questionnaires and surveys assessing your company’s partners and service providers, and themselves require their own service providers, contractors and employees to complete lengthy analyses addressing detailed technical and operational matters.  This is fine, and indeed important.  What is lost in the dialogue is that Professional Services firms often delegate the review and compliance around TPRM and TPSM matters to a procurement or compliance employee.  This is a major oversight and can cause long-term harm to all parties involved.  In the post-COVID era, TPRM and TPSM have become a more technical, IT-centred area of focus, and less a compliance, ‘tick-the-box’ topic.

Firms providing TPRM and TPSM services to clients must incorporate a senior technology executive into the TPRM/TPSM compliance assessment, and should ideally involve the IT leader (VP IT, CTO-CIO) in early discussions regarding key assessment criteria governing relationships with external partners and service providers.  The senior IT executive should have experience working with vendors, partners, and suppliers of services, and should also understand the implications of the work being contracted, to the company’s P&L.  S/he needs to be a collegial, consultative, and mature executive with some battle scars, and a level of skin in the game — be that equity, bonus, ownership or reputation.  Hens guarding the hen house can be useful when the stakes are so high and your company’s future state is one or two clicks away from dark web, ransomware-driven entrepreneurs.

When contracting with third party service providers, companies need to consider the makeup and governance of the third party providers themselves, including their employees, ownership structure, partners, vendors and revenues derived from key clients.  Certain non-US firms require their partners and vendors to maintain data on servers owned by the (non-US) firm – they do not want to risk losing or compromising the data that is provided to them, and also want to ensure that their own systems manage and govern data access.  A number of Professional Services firms and banks today require vendors to complete surveys covering who specifically will have access to the data and systems which they have outsourced to the third party, what software is currently used to manage entry and exit points, security software, incident response, and mitigation policies. The surveys go so far as to assess symmetric encryption and cryptographic hashing, wireless access policies, time-based one-time password (TOTP) algorithms and authorized user device configuration.  While time consuming and even somewhat intimidating, this is the best way of ensuring that third party service providers are adequately positioned to oversee and manage your company’s key data and technology assets.

By Martin Mendelsohn
