Critical Vulnerabilities Discovered in Automated Tank Gauge Systems
Bitsight TRACE explores several critical vulnerabilities discovered in ATG systems and their inherent risk when exposed to the Internet.
In recent months, we’ve seen a variety of regulators from Finance to Defense cite the importance of third party cyber risk management. You can now add the Federal Trade Commission to the list.
In business and in life, safety is always made a priority. From simple day-to-day tasks like wearing a seatbelt, to important business security decisions, prioritizing our safety and the safety of our families and valuable information is of utmost importance. But this process isn’t always easy. It seems like there are new security threats, from computer hackers and otherwise, that force us to find new ways to protect ourselves on a near-constant basis.
If your organization outsources to vendors, you are probably involved in a lot of due diligence. You may be looking at and verifying credit checks, getting background reports, monitoring legal standings and litigation, ensuring that third parties pay their bills and don’t employ criminals, and more.
Handling cyber risk in your organization’s supply chain isn’t easy. This aspect of Supply Chain Risk Management is a complex problem that even highly sophisticated organizations—like the Department of Defense—struggle to address.
In the majority of organizations, vendor risk management is still a highly manual process, making risk assessments a labor-intensive exercise for all parties involved. This is why, at best, most vendor management programs only assess third parties on an annual basis or during contract negotiation. However, risk managers know from securing their own networks that annual assessments tell us little about how effectively third parties are responding to emerging threats or addressing new vulnerabilities. So, how are annual vendor risk assessments making us more secure?
The last few weeks have been a whirlwind of activities here at Bitsight! Between attending and speaking at RSA, participating in the latest Verizon DBIR report, preparing for our session at FS-ISAC, announcing our new partnership with AIG, and being featured as a vendor risk management solution in the Wall Street Journal, we were happy to see the second quarter off to such an exciting start. And then we got even more good news!
Recently we discussed three benefits for vendors related to their security rating, as we are asked about this often. We are also asked for best practices when communicating with your vendors about their security rating. We have many customers with experience incorporating Bitsight Security Ratings into their vendor risk management program, and the lessons they have learned along the way are too valuable not to share. There are several different approaches that can be leveraged; here are the 3 most common:
Third-party breaches still account for a large percentage of security incidents. In fact, according to this year's Verizon DBIR report, in 70% of attacks where there was a known motive, a secondary victim was involved. These victims could be vendors, business partners, or vital pieces in supply chains. While the common phrase that “you are only as strong as your weakest link” has been used ad nauseam, it certainly rings true. The following are just some of the reasons why continuously monitoring the security of third parties is crucial:
The idea of telling a vendor or potential vendor that you've rated their security performance can be a little daunting. If someone has never heard of a Bitsight Security Rating, being told that another company has been monitoring their security effectiveness, without them knowing, can sound a little "big brother-ish" and raise lots of questions about privacy and legality. Though our methods are unobtrusive and based on the same outside-in model of credit ratings, we provide many materials to our customers to help them deal with these types of situations.
Earlier this month, it was discovered that Anthem denied a government auditor’s request to perform vulnerability scans on Anthem’s IT systems, both in 2013 and for a scan this coming summer. This Data Breach Today piece details both why the enterprise was justified in its refusal and why it was a poor choice.
Earlier this week I had the privilege of attending the invitation-only BNY Mellon 2015 Third Party Risk Management Symposium. The keynote speaker was General Keith Alexander, former Director of the National Security Agency. General Alexander painted a big (scary) picture of our national security and then quickly tied his remarks to the topic at hand: vendor security. He predicted that nation states like North Korea will come after the financial services industry with distributed denial of service (DDoS) attacks, combined with “wiper” malware, through their vendors’ networks. (Wiper malware was used in the recent attacks against Sony, the first time this type of attack was used against a business operating in the U.S.)
Healthcare security and how updated HIPAA/HITECH Act regulations are changing the nature of risk in that industry are hot topics right now. "The rules have made it easier for organizations to have penalties levied against them because of the actions of a subcontractor," Elizabeth Warren, a healthcare attorney with Nashville, Tennessee-based Bass Berry & Sims, is quoted as saying in this Becker’s Hospital CIO post. And she’s absolutely right.
With so many of today's business processes dependent on a complicated network of suppliers, contractors, and service providers, the problem of determining liability for data privacy and protection is quickly coming to a head. When sensitive data is hosted in a provider's infrastructure, is that provider or its customer responsible for protecting that data? If a company entrusts a partner with a customer database and that partner lets the database be compromised, which company is responsible for notifying those customers, and who will end up footing the bill for legal damages?
Many of the facts surrounding the Target breach still remain unclear, even as details continue to emerge publicly. We still don’t know what the final tally of breached organizations will be, but the list keeps growing. In addition to who else has been breached and the impact on their customers, another factor we need to consider is how Target's business partners may be impacted. In a data breach on any retailer, card issuers, payment processors, insurers, suppliers and other parties may face substantial loss as the investigation and recovery costs ripple through these networks.