Cybersecurity and Third-Party Risk. Gregory C. Rasner
to a Ponemon Institute survey in 2019, 60 percent of the companies surveyed admitted to not performing adequate cybersecurity vetting of their third parties. Thirty‐three percent replied they had no or an ad‐hoc cybersecurity vetting process. Fifty‐nine percent admitted being affected by a third‐party breach in the previous year. In that same survey, the companies also admitted to sharing their data on average with and requiring protection from a whopping 588 third parties. Following those numbers, this means over half the companies admitted to not performing their cybersecurity due diligence on nearly 600 third parties. Note, these statistics are pre‐COVID‐19 pandemic. However, post pandemic, the cyberattack increase was over 800 percent, according to the FBI as of May 2020. Prior to the pandemic, the problem was pronounced, with the breaches listed including Capital One, Home Depot, and others. However, the lack of due diligence and programs to review the cybersecurity of third parties by so many firms led to an explosion of breaches. And, as everyone is someone else's third party (i.e., every company is selling to someone and using vendors to assist in that effort), the problem was magnified to a boiling point.
Third‐Party Risk Management
Third‐Party Risk Management (TPRM) as a discipline is not very old. In the financial sector, it was not mandated by the Office of the Comptroller of the Currency (OCC) until 2013, when it regulated that all banks must manage the risk of all their third parties. OCC 2013‐29 defined “third party” as any entity a company does business with, including vendors, suppliers, partners, affiliates, brokers, manufacturers, and agents. Third parties can include upstream (i.e., vendors) and downstream (i.e., resellers) and non‐contractual parties. Other regulated sectors have seen similar requirements, often indirectly via privacy regulations. For example, General Data Protection Regulation (GDPR) or the California Privacy Rights Act (CPRA) require many companies subject to these regulations to perform due diligence on vendors who have access to their customer data. This may not lead to a full‐blown risk management division or group, but someone will be required to perform some oversight in an organized process, lest they get subjected to the extreme financial penalties both regulations require.
Other risk domains exist in TPRM: strategic, reputation, operational, transaction, and compliance domains. Why is the focus in this book on the cybersecurity domain exclusively? That is where the money is. While there are financial and reputational risks for the other domains, none of them provide the level of risk to a firm such as the risk of information security. As described previously, there are number of breaches that can be directly attributed to a cybersecurity breach at a vendor. It is not that these other domains aren't important, but none of them have the impact that a cybersecurity risk poses to a firm, financially or reputationally. Perform an internet search on the other domains, and you will struggle to find results. A similar search on cybersecurity breaches produces more results than one can list in a single page. Like any organization with more than one domain, if one of those domains presents a higher risk for practitioners, and evidence shows that Information Security does, then that domain needs more research, resources, and results.
While TRPM organizations struggle to keep up with the level of breaches and incidents with vendors, evidence shows most cybersecurity organizations are not taking a lead in this domain, and that TPRM groups do not have the expertise to address this gap. According to the Ponemon Institute “Data Risk in the Third‐Party Ecosystem” study (2018), only 40 percent perform any cybersecurity due diligence. Sixty percent perform none or only ad‐hoc cybersecurity reviews. The evidence indicates that a large percent of the 40 percent (i.e., those that perform some cybersecurity due diligence) do not do enough (as evidenced by the level of breaches/incidents). TPRM organizations must begin focusing more on the Information Security domain, and either directly bring cybersecurity experts into their organizations or partner with cybersecurity teams to address the gap. Doing so will also require that a cybersecurity team is able to understand the problem with third parties and address the risk.
While the fines and publicity for failure to follow TPRM guidelines are not as big, instances of regulators acting can be found:
In 2020, the OCC assessed an $85 million civil money penalty against USAA for failure to implement and maintain an effective risk management compliance.
In 2020, the OCC assessed a $60 million civil money penalty against Morgan Stanley for not properly decommissioning some Wealth Management business data centers.
In 2020, the OCC assessed a $400 million civil money penalty against Citibank for failures in enterprise risk management.
In 2020, the Federal Reserve announced an enforcement action against Citigroup Inc., requiring that the firm correct several longstanding deficiencies.
In 2020, the OCC assessed an $80 million civil money penalty against Capital One for not establishing an effective risk assessment process, which led to the breach in its public cloud.
In 2013, the U.S. Security and Exchange Commission (SEC) lowered the burden of proof for proxy disclosure enhancements on risk management inadequacy from fraud to simply negligence. This means that boards of directors and senior management of publicly traded companies can no longer claim they had no knowledge about a risk.
In 2019, the SEC and Commodities Futures Trading Commission (CFTC) charged Options Clearing Corp. with failing to establish and maintain adequate risk management policies, forcing the organization to pay a $20 million penalty.
Cybersecurity and Third‐Party Risk
Cybersecurity as a field is also very young, though it is older than TPRM. Cybersecurity is often thought to have begun after the first cyberattack was thwarted in 1986 in the Soviet Union, when Marcus Hess hacked into 400 military servers and the Pentagon. Intending to sell the information to the KGB, Hess was foiled by American Clifford Stoll.
In the 1970s, several attacks occurred on the early internet. For example, Bob Thomas created the first computer worm named Creeper, which traveled between early APRANET terminals with the message “I'M THE CREEPER: CATCH ME IF YOU CAN.” Also, in the same decade, Ray Tomlinson created the worm, Reaper, the first antivirus software that could find copies of Creeper and delete them. However, the one that finally illustrated the need for information security at the doorstep of the novice IT industry was the Morris Worm.
The Morris Worm
In 1988, Robert Morris, like all curious computer scientists, wondered “how big is the internet”? And like all good curious computer scientists, he decided to write a program to find out the answer of “how big?” The answer was found by his worm, which traveled through networks like wildfire, invaded Unix terminals, and crossed domains faster than a speeding bullet. His worm was so good at replicating that it would infect the same computer multiple times, and each additional infection would continually slow the computer down to the point of damaging it. Robert Morris was charged under crimes covered by the Computer Fraud and Abuse Act. Enacted in 1986, this act was an amendment to the first federal computer crime law and addressed hacking. This act continues to be updated, but only as recently as 2008, which reaffirms our earlier point that regulators are not considered to be at the cutting edge, and that good cybersecurity programs should not be designed to meet regulations. Such programs should exceed these regulations in order to have any hope of being successful. If we consider the 1970s as the start of cybersecurity, it is only within the last 20 years that companies have had Chief Information Security Officers (CISOs) and divisions, groups, or teams who reported directly to them.
Cybersecurity, like any other discipline, has developed several frameworks, associations, testing accreditors, credentials, and subdisciplines over those 20+ years. ISC2, ISACA, and EC‐Council, are just three of the credential/testing accreditors. CISSP, CIPM, CISM, CompTIA Security+, and countless other managerial, technical, and administrative certifications are also available. For the purposes of demonstration on the complexity of the cybersecurity subject matter, we use the Certified Information Systems Security Professional (CISSP) as the best example. This certification is still the