Managing 3rd Party Cyber Risk

Third Party Cyber Risk Management:
Key Issues, Trends, and Tools for Success
Joe Mitchell
BitSight
Senior Systems Engineer and Global SE Manager
Presenter: Joe Mitchell
Joe Mitchell is the Senior Systems Engineer and Global SE Manager
Past Experience:
- IBM Security Intelligence
- Q1 Labs
- Cisco
- Okena
AGENDA
1. Major Issues in 3rd Party Cyber Risk Management
2. 5 Keys to a 3rd Party Cyber Risk Program
3. BitSight Research on Financial Sector and a Portal Demonstration
4. Wrap Up and Q&A
3 KEY TAKEAWAYS
Institutions face significant challenges in managing 3rd party cyber risk. They are being pressured by regulators to develop dynamic programs.
Managing third party cyber risk requires an organization to implement a governance program and technology to achieve the strategic goals of the program.
Security ratings represent a new method for identifying security issues during the diligence stage, and performing continuous monitoring of critical third and fourth party relationships. Ratings can easily be integrated into an existing VRM program.
Major Issues in 3rd Party Cyber Risk Management
Cyber Breaches Beginning With 3rd Parties
• Adversary leveraged HVAC vendor’s direct network connection to gain access to Target
• Adversary gained access to isolated 3rd party PR firm to steal sensitive financial reports from F1000; used that data to conduct $100m+ “insider” trades
• Adversary gained unauthorized access to isolated 3rd party service provider to steal millions of T-Mobile customer records
• Adversary stole credentials from isolated 3rd party Fed contractors to break into isolated 3rd party service provider (Dept. of Interior)
A Framework for Thinking About VRM
Governance Issues
• Tone at the top: Target’s CEO wanted “C-level” security (“average”)
• Information security responsibilities split in various ways; CIO was not directly responsible for POS terminals (but was responsible for breach detection)
• Audit and Corporate Responsibility Committees failed to implement a “risk assessment structure” – ISS and numerous shareholder suits alleged breach of fiduciary duty
• Did not tier 3rd parties based on risk
• Security program focused on PCI compliance rather than risk
Technology Issues
• No security assessment of Fazio
• Security team identified vulnerabilities in payment card systems and cash registers pre-breach, but no further investigations (due to shopping season?)
• No ongoing monitoring of Fazio
• No two-factor authentication for Fazio to gain access to Target network
• No network segmentation
• In-house team did not respond to external alert (perceived as false positive); malware deletion function was turned off
Regulatory Concerns Growing Re: 3rd Party Cyber Risk
• New regulation issued in September requires cyber program, written policies, CISO, 3rd party risk management, incident notification
• Cybersecurity is 2016 examination priority, and examiners “may” focus on vendor management; a 2015 report by examiners found major gaps in firms’ efforts for VRM
• Considering statewide regulations and recently issued “Principles for Effective Cybersecurity” – 3 of 12 principles are about 3rd party risk management
• Issued “Semiannual Risk Perspective” in July 2016; very concerned about 3rd and 4th party cyber risk; assessing the effectiveness of banks’ 3rd party cyber risk programs is a “Supervisory Priority”
Non-Financial Regulator Interest Also on Rise
• Financial regulators are leaders… many others are following suit
• New requirements and oversight, especially in highly targeted industries (financial, defense, retail, health care, electric)
• July 2016: New rule from FERC on supply chain risk management in electric sector
• Regulators (e.g. HHS, FTC) pursuing enforcement actions for failure to appropriately implement 3rd party management programs
A Top Concern for Businesses
How concerned is your organization regarding the data security risk posed by third-party vendors and suppliers who have access to company information?
70% are highly concerned about third party cyber risk
Source: IDG/BitSight Survey “Don’t Let Trusted Vendors Become Cyber-Breach Enablers” (survey of North America, UK, France, Germany)
Key Considerations for 3rd Party Programs
5 KEYS TO A VRM PROGRAM
(1) Identifying and Tiering 3rd Parties
(2) Assessing Security of 3rd Parties
(3) Negotiating Contractual Terms
(4) Ongoing and Continuous Monitoring
(5) Executive Reporting
Vendor Risk Management Lifecycle
Cybersecurity is an important factor in each of the 5 steps of the vendor risk management lifecycle.
A comprehensive cyber VRM program will address governance and technology challenges.
(1) Planning: Identifying and Tiering 3rd Parties
Tiering should reflect your organization’s risk appetite, which should be established by senior leadership.
Third parties handling data that is regulated or considered confidential should be prioritized as “critical”.
While creating clear roles and responsibilities is crucial, consider developing a working group composed of IT, IT security, procurement, business units, and legal to identify critical relationships.
Beware of the “Hidden” Critical Risk
Any service provider or contractor that holds, maintains, or has access to your sensitive data can be critical.
Third parties can pose risk whether they are connected or isolated.
Don’t forget!
- Payment processor/benefits admin
- Facilities vendor
- HVAC vendors
- Technology service providers
- Law firms
(2) Diligence/Selection: Assessing the Security of Third Parties
“Which of the following tools or methods does your organization use or plan to use to assess your vendors’/suppliers’ network security?”
Source: IDG/BitSight Survey “Don’t Let Trusted Vendors Become Cyber-Breach Enablers”
Historical Approach to VRM: Point in Time
44% of companies (particularly VP+) cite an over-reliance on static and subjective information as their top concern for 3rd party risk management
• Does not provide an ongoing view into a dynamic environment
• Requires the organization to trust responses with limited ability to verify
• Significant costs to fill out and respond to questionnaires
Source: IDG/BitSight Survey “Don’t Let Trusted Vendors Become Cyber-Breach Enablers”
Key Challenge: Transparency and Disclosure
BitSight Security Ratings
DATA-DRIVEN RATING OF A COMPANY’S SECURITY PERFORMANCE
• Companies are rated on a scale of 250-900
• Higher rating indicates a stronger security performance and lower security risk
• Non-intrusive SaaS platform analyzes and continuously monitors security performance
• Companies with lower ratings are more likely to experience a data breach
• Nearly 70,000 companies rated today (new additions daily)
Rating tiers:
- Advanced: 740 - 900
- Intermediate: 640 - 740
- Basic: 250 - 640
Monitoring Security Performance
(3) Adjust Your Contracts
Ensure the contracts you sign with third parties reflect the level of security your organization expects.
Ask for incident/breach notification, audit rights, etc.
Consider asking for notification of “security incidents” rather than “data breaches”.
(4) Ongoing & Continuous Monitoring
The standard for performing “ongoing monitoring” is evolving from point-in-time assessments to “continuous monitoring”.
Continuous monitoring = maintaining ongoing awareness of information security, vulnerability, and threats to support organizational risk decision-making.
Continuous monitoring data leverages automated data feeds.
This data is integrated into the entire VRM decision-making lifecycle: diligence, ongoing monitoring, and termination.
Security Ratings Provide Actionable Intelligence
Companies with a rating of 500 or lower were almost five times more likely to have experienced a breach than companies with a 700 or higher.
Findings verified by AIR Worldwide, a leading insurance catastrophe modeling firm.
[Chart: Percentage With Public Breach (y-axis 1%-5%) by BitSight Security Rating band: < 400, 400-500, 500-600, 600-700, >700]
(5) Executive Reporting
With so much attention surrounding 3rd party risk management, executives and board members are increasingly engaged on this issue.
Regular status reports on the effectiveness of a program are critical to providing visibility and gaining support/endorsement/budget.
Senior executives have little capacity to consume lengthy documents or raw data.
Practitioners should provide graphical representation of their program to the greatest extent possible using common terminology.
Q&A and Discussion
For more information:
[email protected]
www.bitsighttech.com
BitSight Technologies
125 CambridgePark Drive, Suite 204
Cambridge, MA 02140