Third party cyber risk is growing. Despite that, most companies are unprepared to address it in a systematic way. In this Spotlight Podcast, a companion to our new eBook, Rethinking Third Party Cyber Risk Management, we go deep on the topic of building a mature third party cyber risk program with Dave Stapleton, the Director of Assessment Operations at the firm CyberGRX*, and Jon Ehret, the President & Co-Founder of the Third Party Risk Association.
Third party cyber exposure is a growing cost center for organizations. There are lots of reasons for this. Consider the emergence of strict data privacy and security regulations in recent years, including the European Union’s General Data Protection Regulation (GDPR) and like-minded laws such as the California Consumer Privacy Act and the New York State Information Security Breach and Notification Act.
In recent years, these laws and others have imposed substantial fines on companies found mishandling sensitive data. That means that, for companies holding onto personally identifiable information, the cost of ignoring third party risk is growing.
In just one example, the hotel chain Marriott was fined £99 million ($123 million) in 2019 under GDPR for a 2014 breach of a reservation system at the hotel chain Starwood that affected 339 million customers. (Marriott acquired Starwood in 2016.) In a statement accompanying the fine, UK Information Commissioner Elizabeth Denham said that GDPR’s protections for personal data mean that companies must “carr(y) out proper due diligence when making a corporate acquisition, and pu(t) in place proper accountability measures to assess not only what personal data has been acquired, but also how it is protected.”
Marriott is hardly the only company (or even the only hospitality company) to suffer from a third party breach. Absent robust tools to manage their third-party relationships, organizations of all kinds struggle to scale inefficient processes to meet the new demands of regulators and business partners for third party risk assessments. A survey of 600 IT professionals by The Ponemon Institute found that companies spend an average of $2.1 million annually vetting third parties. Still, more than two thirds of those IT pros said the processes they use to do so are only somewhat effective or not effective at all.
For our new ebook: Rethinking Third Party Cyber Risk Management, Security Ledger interviewed IT risk professionals across industries. They told us that high costs and limited scale characterize third-party cyber risk management programs in their sector. As a result, many have languished, even as the need for them has grown.
In conversations with leading risk and security professionals about their third-party cyber risk practices, many described legacy programs focused on regulatory compliance and questionnaires, whether paper-based or online. “Ten or 15 years ago (third-party risk management) was basically a Word document with questions that got sent out,” says Jon Ehret, the President and Co-Founder of the Third Party Risk Association. At many organizations today, particularly those that are not far down the road of third-party cyber risk management, static questionnaires and checkboxes may still be the norm, he says.
Why do so many companies struggle to manage a third party cyber risk program? What distinguishes a mature program from an immature one? Those are the questions we set out to answer when we sat down with two experts on the topic of third party cyber risk: Dave Stapleton, the Director of Assessment Operations at the firm CyberGRX, and Jon Ehret, the President & Co-Founder of the Third Party Risk Association.
In this Spotlight Edition of the Podcast, Dave, Jon and I talk about the many technological, cultural and logistical obstacles facing companies that want to establish a third party cyber risk management program. We also review best practices for building a mature cyber risk management program. Dave and Jon also contributed to a new e-book that Security Ledger released today, Rethinking Third Party Cyber Risk, which you can download from our website. Just point your browser to securityledger.com/risk.
(*) Disclosure: This podcast was sponsored by CyberGRX. For more information on how Security Ledger works with its sponsors and on sponsored content on Security Ledger, check out our About Security Ledger page on sponsorships and sponsor relations.
As always, you can check out our full conversation in our latest Security Ledger podcast at Blubrry. You can also listen to it on iTunes and check us out on SoundCloud, Stitcher, Radio Public and more. Also: if you enjoy this podcast, consider signing up to receive it in your email. Just point your web browser to securityledger.com/subscribe to get notified whenever a new podcast is posted.