Query or Consequences: When Third Party Risk Management (TPRM) Goes Awry

Over a number of past articles, we’ve explored the why, what, and how of Third Party Risk Management (TPRM). Looking back, there’s much to review about the nature of the processes and methods that help companies understand the risks associated with partner, supplier, provider, and even inspector relationships. Some provide key services, some provide backup resources for key functions, and others deliver materials or routine maintenance of facilities. The relationships range from those with no data access, communications exposure, or exchange at all to integrated partners tied into the heart of your operation. According to a recent study of companies that had a data breach, 59% of those breaches involved a vendor or third party. Even the cloud is not immune: in 2019, 20% of breaches occurred through attacks on third-party cloud services that store data for companies, up from 9% in 2018, according to one cybersecurity company’s report.

After considering all that one should understand and assess to address the risks each relationship presents, one question keeps nagging in the background: “What if we just do nothing about it? Just how significant are these risks that we’re working so hard to manage?” To answer, let’s look at some past experiences where such risks went either undetected or poorly addressed, the consequences to those businesses, and what might have made a real difference in the outcomes.

Freddie Mac
Freddie Mac notified borrowers by letter in July of this year that a company performing due diligence on its loans had experienced a ransomware attack earlier in 2020. The attack locked the vendor’s systems, so the vendor does not know all the details of the incident or exactly what information may have been affected, according to that letter. The vendor found no evidence that Freddie Mac’s information had been misused or stolen; still, Freddie Mac informed borrowers of the attack and is providing two years of free identity-theft monitoring as a precaution. Although only a very small percentage of Freddie Mac loans were potentially impacted, the relationship between the companies was dissolved. One must wonder whether, despite all the internal precautions taken by Freddie Mac, greater attention to the precautions of this provider, through some of the automated risk assessment and remediation tracking tools we’ve discussed, would have improved the provider’s ability to apply risk management practices that thwart a ransomware attack, preventing the disruption to operations, the loss of client trust, and the damage to both companies’ reputations.

Target
One of the most damaging and highly visible breaches of the decade, this event, first revealed in 2013, started when hackers broke into the retailer’s network using login credentials stolen from a heating, ventilation, and air conditioning (HVAC) company that does work for Target at a number of locations. The credentials were used to gain access to a server on the Target network, which led to the introduction of malware into Target’s point-of-sale (POS) systems that collected customer and credit card data. Many security and procurement managers would not intuitively associate HVAC services with third party IT risk. In this case, that oversight led to a wholesale settlement with credit card holders, security monitoring for its customers, changes to its POS and credit card technologies, and increased security infrastructure and management, all at an estimated total cost in excess of $202 million. Had Target employed an IT risk management program using a GRC tool with integrated TPRM features to assess risks and determine protocols for this vendor, it may have identified the need to segment its network and to ensure that the HVAC vendor, which held network access credentials, followed more robust security practices. All of that would have cost a fraction of the $202 million cash cost, to say nothing of the brand damage and lost business that Target experienced in the business periods that followed.

Quest Diagnostics
An unauthorized user gained access to Quest Diagnostics’ confidential data through a billing collections vendor. The hacker had gained access to a third party billing system provider, and through it had access to patient information for roughly 7 months, from August 2018 to March 2019. The sensitive data of 11.9 million patients was accessed, ranging from credit card numbers to bank account information and even social security numbers. It also included confidential medical data on patients. The third party vendor has not been able to fully disclose the extent of the breach to date. The incident led to the termination of the third party service arrangement. Clearly, given how long the breach went on before it was reported as detected, the vendor’s breach detection and access control measures were not capable of detecting it in a timely manner. It also appears that Quest may not have had the processes, practices, or tools to apply rigorous TPRM oversight and due diligence with respect to this vendor.

U.S. Customs & Border Protection
Hackers breached a U.S. Customs and Border Protection database containing photos of license plates and travelers’ faces. The images were obtained through an unnamed subcontractor’s network that had been hacked. The contractor had ties to the US Department of Transportation, the National Institutes of Health, and the US Department of Homeland Security. The contractor was hit by a malware strain known as Emotet, which is often distributed through email attachments. According to the contractor, the compromised systems were part of the firm’s test environment and “no longer valid”. Still, the breach is reported to have affected up to 100,000 travelers. Strong TPRM assessment and evaluation practices, like the ones discussed in earlier articles, would likely have revealed whether this contractor had adequate end user security training to make sure its staff was careful about unknown emails and attachments. Having such training might have stopped this event before it became a widespread infection, a disclosure, and an embarrassment for these high-level Federal Agencies.

These incidents are a small sampling of those that have been identified and disclosed as originating from some interaction with a vendor, supplier, or third party partner. In some cases the firm taking the biggest hit and bearing the greatest after-the-fact costs was one whose internal security practices were sound, except for TPRM. There is no question that integrating rigorous third party risk management is essential, if not existential, to providing a comprehensive risk management platform for your company. In each case, the root cause of the breach was behavior that could have been detected through foundational security practices and methods. Lack of attention, or lack of resources in the case of small vendors, led to a significant event. Hackers and other malicious actors will look for the easiest path to the information they seek. Like other thieves, if one premises is locked tightly, they’ll simply go elsewhere. But when a vulnerability is found, they pounce, quickly and with all the stealth they can muster. The longer they remain undetected, the more they can gather, the bigger the haul, and the bigger the cost of remediation and recovery.

TPRM can function independently, and it can be integrated easily into a comprehensive GRC platform, one that serves as a single authoritative aggregation and analysis point for risk, audit, compliance, and security data. Either way, enterprise-wide transparency into vendor sourcing and oversight through TPRM is essential, and centralizing and standardizing processes, policies, data, and methods is what makes it achievable. A single platform that supports rigorous TPRM while integrating with other risk management data gives the holistic, enterprise-encompassing view of risk that the cases above show is needed.

DoubleCheck offers such a platform, and DoubleCheck TPRM is available as a stand-alone or integrated service. After you provide some basic information through its entry point, a fully integrated, seamless interface to Dun & Bradstreet’s proprietary databases matches the third party and gathers key information about it, including financial stability and its status on the US government’s lists of businesses of concern. DoubleCheck’s TPRM Essentials provides a structured process to inventory your third parties, categorize them by potential business impact, and collect and review relevant documentation to confirm that your third parties have appropriate procedures and controls in force and effective. These services offer an effortless but comprehensive launch into fully vetting a potential third party as part of the procurement process.

Integrating risk management into the procurement of third parties closes an important gap in security and risk management planning and execution. Doing so protects your brand, your investments, the trust of your clients, partners, customers, regulators, and all other stakeholders, and strengthens your competitive position in the marketplace. It’s an important investment for your company. Thorough TPRM is an enterprise best practice, an essential component of an effective cyber security program, and clear evidence of a mature and comprehensive approach to governance and management in the 21st century.

About the Author:

Simon Goldstein is an accomplished senior executive blending both technology and business expertise to formulate, impact, and achieve corporate strategies. A retired senior manager of Accenture’s IT Security and Risk Management practice, he has achieved results through the creation of customer value, business growth, and collaboration. An experienced change agent with primary experience in the financial, technology, and retail industries, he has led efforts to achieve ISO 2700x certification and HIPAA compliance, and has held the CRISC, CISM, and CISA credentials.
