
This copy is for your personal, non-commercial use only.

To order presentation-ready copies for distribution to your colleagues, clients or customers visit
https://www.djreprints.com.

https://www.wsj.com/articles/third-party-cyber-risk-management-primer-11652990949

WSJ PRO CYBERSECURITY RESEARCH

Third-Party Cyber Risk Management Primer


By David Breg, Deputy Research Director, WSJ Pro
May 19, 2022 4:09 pm ET


Key Points:
•Hackers exploit the trust relationships between organizations and their third-party suppliers and vendors,
resulting in potentially damaging targeted and untargeted attacks.

•Understanding the organizations in a supply chain and critical dependencies is essential to reducing the risk,
though some threats are nearly impossible to mitigate.

•Multiple internal stakeholders working together with technology solutions and consultancy expertise can
significantly reduce the risk of, or impact from, supply chain attacks.

“Gone are the days when organizations could wash their hands of liability or damage to reputation from
outsourced work due to ethics and compliance failures.”
— Marjorie Doyle, principal with Marjorie Doyle & Associates and former chief ethics & compliance
officer at Dupont

Ms. Doyle’s warning should resonate with risk and compliance officers. A mistake by a
vendor or contractor can result in a costly and time-consuming error for a company,
and in reputational damage if customers are affected. This is especially true in
cybersecurity, where there have been numerous examples of companies adversely
affected by preventable mistakes made by vendors in their supply chains. One has to
look no further than the recent supply chain attack on software manufacturer
SolarWinds Corp., delivered through the company’s own software updates, and the
widespread attacks on Microsoft Corp.’s Exchange email software. These attacks, which
customers could do little to prevent, may have affected tens of thousands of
companies globally, and their wide-reaching effects are still not fully understood.

“583”
— Number of third-parties with which the average company shares data, according to a 2018
Ponemon Institute survey of more than 1,000 IT and IT security officials.

Perhaps the most high-profile third-party attack was the breach that affected Target
Corp., which started with login credentials stolen from a refrigeration and air-
conditioning contractor working for the retail giant. The attack resulted in
approximately 40 million stolen credit and debit card records, an $18.5 million
multistate lawsuit settlement and a significant black eye for the company’s
reputation. It should be a cautionary tale for businesses around the globe that rely
on third-party suppliers.

The Crux of the Challenge


The supplier ecosystem provides a highly desirable target for cybercriminals. A
successful attack on one company’s network opens up numerous opportunities to
expand into other connected businesses. It may take weeks before the intrusions are
revealed, if they are ever discovered, providing ample time for the attackers to
infiltrate multiple systems without being detected.

“44%”
— Organizations that suffered a third-party breach in the past 12 months, according to a 2021
Ponemon Institute survey of 627 risk managers.

Complicating matters is the multiple attack vectors criminals can use to infiltrate a
supply chain. These include stealing login credentials from third-parties (Target),
exploiting third-party software updates (SolarWinds), or injecting malicious code into
vulnerable applications or software to steal customer payment card information. 

And the potential damages from third-party breaches are substantial. Examples
include significant operational downtime, loss of sensitive information and revenue,
reputational damage, compliance issues and legal complications, including fines.

Designing and Implementing a Plan


“38%”
— Organizations stating they had no way of knowing when or if an issue arises with a third-party,
according to a BlueVoyant survey of 1,200 chief information officers, chief information security
officers and chief procurement officers.

The dangers posed by third-party vendors are apparent, but what can be done to
minimize them? Third-party cyber risk management (TPCRM) is a strategic approach that
enables an organization to analyze and monitor the cyber risks associated with
suppliers, vendors and other service providers. A well-organized program mitigates
third-party cyber risks while also streamlining the general process for on-boarding
and managing third-party suppliers.

There are a variety of approaches to third-party cyber risk management, some of which
can be found in this paper’s Resources section. Many adhere to the following format:

•Identify: Compile a current list of vendors and suppliers by working with the organization’s procurement office.

•Prioritize: Develop a rating system that ranks and prioritizes the third parties based on the following
considerations:
  •Their level of access to your network
  •The importance of the relationship to your business
  •Their cyber profile and the precautions they have taken
  •The criticality of the data they can access

•Assess: Conduct a full audit of your partners and assign each one a score.
  •This can be done by sending all of the relevant parties a questionnaire that delivers insights into their
  cyber practices and the potential risks to your operations.
  •An outside consultant with experience designing TPCRM questionnaires and analyzing their results
  could be brought in.
  •Technology solutions that ingest a list of third parties and provide scores, as well as on-going
  scanning, are also an option.

•Respond: Take action with the organizations in the order of the risk they pose, choosing among the following options:
  •Accept the risk an organization poses
  •Work with the third party to improve its posture to a tolerable level, and monitor it while it makes
  corrections
  •Remove the third party based on the risk and seek a replacement with cyber posture in mind

•Track: Conduct follow-up inquiries to measure progress.

•Standardize: Establish an on-boarding process for every new partner, with data breach notification
requirements in the contract as one of the stipulations.

•Revise: Conduct regular reviews of the program to enable enhancements.
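The Prioritize, Assess, Respond and Track steps above can be run as a single scoring pass over the vendor list, which is what most TPCRM tooling does under the hood. The following is an added example, not code from the primer or from any vendor tool; the ordinal scales, weights, thresholds, review cadences and the sample vendor register are all illustrative assumptions:

```python
"""Vendor risk tiering: Prioritize (inherent risk), Assess (questionnaire posture),
Respond (accept / remediate / remove) and Track (reassessment overdue)."""
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Ordinal scales, 1 = low to 4 = high. Keys, weights, thresholds and review
# cadences are illustrative assumptions, not values from the primer.
ACCESS_LEVEL = {"none": 1, "web_portal": 2, "vpn_or_api": 3, "privileged": 4}
DATA_CLASS = {"public": 1, "internal": 2, "confidential": 3, "regulated": 4}
BUSINESS_IMPACT = {"minor": 1, "moderate": 2, "major": 3, "critical": 4}

RISK_APPETITE = 0.2          # residual risk at or below this is accepted
REMOVE_THRESHOLD = 0.5       # residual risk above this: replace the vendor
RESIDUAL_FLOOR = 0.2         # a vendor's own controls never take risk below 20% of inherent
REVIEW_CADENCE_DAYS = {1: 365, 2: 730, 3: 1095}   # tier -> reassessment interval
AS_OF = date(2022, 5, 19)    # "today" for the sample run


@dataclass
class Vendor:
    name: str
    access: str                   # key of ACCESS_LEVEL
    data: str                     # key of DATA_CLASS
    impact: str                   # key of BUSINESS_IMPACT
    posture: Optional[float]      # fraction of questionnaire controls met, 0..1; None = never assessed
    last_assessed: Optional[date]
    shares_with_fourth_parties: bool = False


def inherent_risk(v: Vendor) -> float:
    """Risk before the vendor's own controls are considered, scaled to 0..1.
    Access and data criticality carry most of the weight because they bound
    what an attacker who compromises the vendor can reach."""
    weighted = (0.4 * ACCESS_LEVEL[v.access]
                + 0.4 * DATA_CLASS[v.data]
                + 0.2 * BUSINESS_IMPACT[v.impact])
    return (weighted - 1) / 3          # map 1..4 onto 0..1


def residual_risk(v: Vendor) -> float:
    """Inherent risk discounted by posture. A vendor that never returned a
    questionnaire is scored as if it met no controls, so gaps in the Assess
    step surface at the top of the queue instead of hiding inside it."""
    posture = 0.0 if v.posture is None else v.posture
    return inherent_risk(v) * max(1.0 - posture, RESIDUAL_FLOOR)


def tier(v: Vendor) -> int:
    """Tier 1..3 from inherent risk. Tier drives review cadence and is independent
    of posture, so a well-scoring critical vendor is still re-checked yearly."""
    r = inherent_risk(v)
    return 1 if r >= 2 / 3 else 2 if r >= 1 / 3 else 3


def recommended_action(v: Vendor) -> str:
    """Respond step: accept, remediate and monitor, or replace."""
    if v.posture is None:
        return "assess"                # Assess step not done yet: send the questionnaire
    r = residual_risk(v)
    if r <= RISK_APPETITE:
        return "accept"
    if r <= REMOVE_THRESHOLD:
        return "remediate_and_monitor"
    return "remove_or_replace"


def review_overdue(v: Vendor, today: date) -> bool:
    """Track step: has the vendor gone unattended longer than its tier allows?"""
    if v.last_assessed is None:
        return True
    return (today - v.last_assessed).days > REVIEW_CADENCE_DAYS[tier(v)]


def prioritize(vendors, today: date):
    """Work queue ordered by residual risk, then inherent risk, highest first."""
    rows = [{
        "name": v.name,
        "tier": tier(v),
        "inherent": round(inherent_risk(v), 3),
        "residual": round(residual_risk(v), 3),
        "action": recommended_action(v),
        "overdue": review_overdue(v, today),
        "fourth_parties": v.shares_with_fourth_parties,
    } for v in vendors]
    rows.sort(key=lambda r: (-r["residual"], -r["inherent"], r["name"]))
    return rows


# Constructed sample register; these are not real vendors.
SAMPLE_VENDORS = [
    Vendor("HVAC contractor", "vpn_or_api", "internal", "minor", 0.3, date(2020, 1, 15)),
    Vendor("Payments processor", "privileged", "regulated", "critical", 0.9, date(2021, 11, 1)),
    Vendor("Marketing analytics SaaS", "web_portal", "confidential", "moderate", None, None, True),
    Vendor("Build tooling supplier", "privileged", "internal", "critical", 0.4, date(2019, 6, 1)),
    Vendor("Office snacks vendor", "none", "public", "minor", 0.5, date(2022, 1, 1)),
]

if __name__ == "__main__":
    for row in prioritize(SAMPLE_VENDORS, AS_OF):
        flags = ("OVERDUE " if row["overdue"] else "") + ("4th-party" if row["fourth_parties"] else "")
        print(f'T{row["tier"]} {row["residual"]:.2f} {row["action"]:<22} {row["name"]:<26} {flags}')
```

Two design choices matter more than the particular weights. The unassessed vendor lands at the head of the queue rather than disappearing from it, and the residual floor stops a perfect questionnaire from zeroing out the risk of a vendor with privileged access to regulated data. Questionnaire posture is self-reported, so treat it as a claim to be verified against hard evidence, not as a measurement.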

High-Level Guidance from a Cyber Risk Expert


Eric Friedberg, co-founder and co-president of risk consulting firm Stroz Friedberg,
spoke with WSJ Pro Research and recommended the following best practices for cyber
risk management:

•Design a thorough but digestible questionnaire that identifies significant risks and promotes transparency and
accountability, while obligating the vendor to provide hard data and to allow an inspection if an incident happens.

•Ensure that staffing and budgeting for the TPCRM process make it possible to cycle through third-party
vendors in a short amount of time, so that important vendors do not go unattended for years.

•Pay attention to the risk posed by the trojanization of software providers (software altered to carry malware
that conceals its actual intent) and the risk of installing malware during updates. Do you trust your software
providers? Can you detect malware and see its potential exploitation?

Insights from Third Party Cyber Risk Management Workshop


Highlights
On May 10, 2022, the WSJ Risk & Compliance Forum included a workshop on third-
party cyber risk management. Kelli Tarala, principal and founder of digital security
firm Enclave Security and SANS Institute third-party cyber risk instructor, and Anson
Fong, chief information security officer at Los Angeles World Airports, provided their
‘Insights from Third Party Cyber Risk Management.’ The following key findings and
professional tips were discussed during the workshop.

Structuring for Success

Proper preparation and having safeguards in place are key first steps in the
development of a robust third-party cyber risk management program.

•Know Your Network and Vendors: Organizations need to understand their networks, what they’re connected
to, and where the data flows, because this will help to better understand how to protect them. It’s also
important to conduct an assessment to see who the vendors are and what they can access.

•Control Data Access: Increased reliance on cloud storage means there are more and more entry points into a
network. Emphasis should be placed on access control, including for third-party consultants and contractors
who have read, write or modify access to critical data.

•Involve the Right People: When starting a program, coordinate with the chief information security officer, the
chief information officer, the chief risk officer (if the business has one) and representatives from the legal,
procurement and purchasing departments. It’s also important to keep the board of directors apprised of cyber
risk so they aren’t blindsided if an incident happens.

“I see organizations doing good things and the documentation is lacking a little bit. If we don’t
document it, it didn’t actually happen.”
— Kelli Tarala, principal and founder of Enclave Security

Maturing the Program


Developing a mature and comprehensive third-party cyber risk management program
does not happen straight away. After a program is started, it may take months or even
years to assess the security questionnaire results from hundreds of third-parties,
prioritize which vendors have vulnerabilities that need to be addressed and make
necessary adjustments to the program to minimize risk.

•Expand Your Toolkit: Researching the dark web can be a useful tool for tracking suppliers and vendors.
Determining if a third-party has experienced a data breach or a data leak that is being sold on a dark web
market can provide insight into its vulnerabilities and security posture.

•Frameworks Matter: Find out what security controls framework third parties are using. Knowing a vendor is
using an established framework such as the Center for Internet Security’s Critical Security Controls framework
offers a level of confidence that those vendors have a plan and are taking security seriously.

•Take the Next Steps: A mature program will have advanced from practicing basic hygiene, such as inquiring
about a vendor’s information security policy and determining whether a third-party is sending data to fourth
and fifth-parties; to intermediate hygiene, which involves documenting processes; then being proactive by
reviewing the processes for their effectiveness, which will lead to a fully optimized vendor management
program.
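The “Know Your Network and Vendors” point above asks where the data flows, and “Take the Next Steps” asks whether a third party is sending data on to fourth and fifth parties. The following added example, not code from the workshop or the primer, walks a constructed data-sharing graph to answer both: for each class of the organization’s data, which downstream parties can hold it and at what remove. Party names, data classes and edges are made up:

```python
"""Nth-party data-flow mapping over a vendor data-sharing graph."""
from collections import deque
from typing import Dict, FrozenSet, Iterable, List, Tuple

# Constructed data-sharing graph; party names, data classes and edges are made up.
# Each edge: (sender, receiver, data classes the sender forwards to the receiver).
OUR_DATA: FrozenSet[str] = frozenset({"pii", "financial", "web_telemetry", "building_telemetry"})
SHARING_EDGES: List[Tuple[str, str, Iterable[str]]] = [
    ("us", "Payroll SaaS", {"pii", "financial"}),
    ("us", "Marketing analytics SaaS", {"pii", "web_telemetry"}),
    ("us", "HVAC contractor", {"building_telemetry"}),
    ("Payroll SaaS", "Cloud hosting provider", {"pii", "financial"}),
    ("Payroll SaaS", "Tax filing bureau", {"financial"}),
    ("Marketing analytics SaaS", "Ad exchange", {"web_telemetry", "pii"}),
    ("Ad exchange", "Data broker", {"pii"}),
    ("Ad exchange", "Marketing analytics SaaS", {"web_telemetry"}),   # a cycle: reports flow back
    # "logs" is the host's own data and never came from us; the intersection below drops it.
    ("Cloud hosting provider", "Backup vendor", {"pii", "financial", "logs"}),
]

# {party: {data_class: (depth, path)}}; depth 1 = third party, 2 = fourth, 3 = fifth ...
Exposure = Dict[str, Dict[str, Tuple[int, List[str]]]]


def data_exposure(edges, origin: str = "us", origin_data: FrozenSet[str] = OUR_DATA) -> Exposure:
    """Breadth-first walk from origin. What a receiver can hold is the
    intersection of what the sender holds with what the sender forwards, so a
    fourth party is never reported as holding data its third party never got.
    Records the shortest depth at which each class reaches each party."""
    adj: Dict[str, List[Tuple[str, FrozenSet[str]]]] = {}
    for src, dst, classes in edges:
        adj.setdefault(src, []).append((dst, frozenset(classes)))
    exposure: Exposure = {}
    seen = set()                                   # (party, classes carried) states already expanded
    queue = deque([(origin, frozenset(origin_data), [origin])])
    while queue:
        node, carried, path = queue.popleft()
        for nxt, forwarded in adj.get(node, []):
            reaches = carried & forwarded
            if not reaches or (nxt, reaches) in seen:
                continue                           # nothing of ours flows here, or already explored (cycle)
            seen.add((nxt, reaches))
            new_path = path + [nxt]
            depth = len(new_path) - 1
            slot = exposure.setdefault(nxt, {})
            for cls in reaches:
                if cls not in slot or depth < slot[cls][0]:
                    slot[cls] = (depth, new_path)
            queue.append((nxt, reaches, new_path))
    return exposure


def holders(exposure: Exposure, data_class: str) -> List[Tuple[str, int, List[str]]]:
    """Every party that can hold data_class, nearest first: [(party, depth, path)]."""
    rows = [(party, depth, path)
            for party, classes in exposure.items()
            for cls, (depth, path) in classes.items() if cls == data_class]
    return sorted(rows, key=lambda r: (r[1], r[0]))


def party_label(depth: int) -> str:
    """1 -> 'third', 2 -> 'fourth', 3 -> 'fifth'; deeper parties get a number."""
    names = {1: "third", 2: "fourth", 3: "fifth", 4: "sixth"}
    return names.get(depth, f"{depth + 2}th")


if __name__ == "__main__":
    exposure = data_exposure(SHARING_EDGES)
    for cls in sorted(OUR_DATA):
        print(cls)
        for party, depth, path in holders(exposure, cls):
            print(f"  {party:<26} {party_label(depth):<7} via {' -> '.join(path[1:])}")
```

The intersection along each path is the point of the example: the backup vendor three hops out can hold PII and financial data, but not the hosting provider’s own logs, and the data broker reached through the ad exchange holds only the PII the analytics vendor forwarded. The edge data is the hard part in practice; it comes from the questionnaire and contract review steps, and a vendor that will not say who it forwards data to is itself a finding.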

Key Takeaways

•According to Mr. Fong, your organization is only as secure as your weakest link.

•Risk isn’t just an IT concern, it is organization-wide.

•Ms. Tarala said risk management is a continuous approach involving threat monitoring, control
implementation and validation, risk reporting and risk response.

•You may not get a perfect solution the first time; keep refining in light of your company’s culture and needs.

Resources
•The National Institute of Standards and Technology’s Risk Management Framework

•CSO: 6 steps for third-party cyber risk management

•Venminder: 4 Best Practices to Reduce Third-Party Cybersecurity Risk

•CyberGRX: Third-Party Cyber Risk Management for Dummies

•Forbes: Understanding The Third-Party Impact On Cybersecurity Risk

•centraleyes: Top Cybersecurity & Third-Party Risk Management Trends to Follow in 2022

Watch the ‘Insights from Third Party Cyber Risk Management’ workshop here. All WSJ
Pro Cybersecurity research reports, webinars, events and data are available at
www.wsj.com/pro/cybersecurity/research

WSJ Pro Research is a premium membership that supports executive decision making on
critical business issues by supplementing the news with timely, in-depth research and data.

Meet the Author

David Breg is deputy research director at WSJ Pro, The Wall Street
Journal’s professional arm, where he writes and edits cybersecurity
research and analysis for executives and businesspeople. He also
appears frequently at WSJ Pro events as a moderator. Dave has prior
experience managing the research unit at public relations firm
Burson-Marsteller and policy knowledge from serving as an analyst
at the Congressional Research Service.

Write to David at
david.breg@wsj.com

Related Papers

• Post-Incident Communications: Recent Trends and Best Practices (July 28, 2022)

• A Perspective on Russian Cyberattacks and Disinformation (June 21, 2022)

• Takeaways from the WSJ Pro Cybersecurity Executive Forum (June 10, 2022)

• Preparing for Energy Industry Cyberattacks (April 21, 2022)

• Conflict in Ukraine: Preparing for Cyberattacks (April 11, 2022)

Copyright 2022 Dow Jones & Company, Inc. All Rights Reserved
