Keeping Third Party Risk First On The Cyber (Risk) List

As companies expand and interact with an ever-widening web of vendors, third-party risk deepens as data is shared and, potentially, exposed. In the latest Topic TBD, Gayle Woodbury, managing director at Crowe Horwath, weighed in with PYMNTS’ Karen Webster on why risk control needs to have broad horizons.

Talk about timely.

The news that hit Friday afternoon that malware and ransomware were racing across the globe at a breakneck pace, infecting computers at companies across verticals and causing havoc, brought cybersecurity to top of mind, yet again.

In an interview with PYMNTS’ Karen Webster as part of the continuing Topic TBD series, Gayle Woodbury, managing director at Crowe Horwath with Ops Risk, Third-Party Risk, and eGRC strategy, focused on risk for third parties where “cybersecurity seems to be an ever-changing topic.”

“It is one that is multidimensional, for many reasons, not the least of which are the challenges that are presented” as businesses have evolved and have elected to use an increasing number of third parties for distinct functions.

In prior years, a company may have used a third party to supply raw material or parts. Now third-party firms interact directly with other companies across data-intensive processes. The challenge, said Woodbury, has thus become one where cybersecurity is not just centered on what must be done internally to protect a company and its customers, but also on determining how third-party interaction with data is governed.

With the changing roles and demands tied to security, she said, efforts are going well beyond the questionnaires sent out to third-party vendors querying about the controls that they may have in place — in effect “going from ‘trust’ to ‘verify,’” as she put it, with even on-site, independent assessments an increasing occurrence.

The management of third-party relationships is no longer “one and done,” she added, with only sporadic risk assessments. Now, active and frequent interaction becomes part of the lifecycle of risk management, said the executive, from planning a strategy through due diligence and monitoring to, perhaps, even termination of a vendor or supplier relationship.

In an ideal world, said Woodbury, the clarity sought from such scrutiny of third parties would come as “part of the on-boarding process.” It is at this point, she said, that a company has the most leverage to obtain information from a vendor and to offer such information in return.

All of this takes place against a backdrop where what were once spectacular acts of cybertheft have become commonplace, as seen in the brave new world of data breaches, which came to public attention just a few years ago with Target and Netflix. These and other events, said Woodbury, “have enlightened lots of people,” from regulators to boards of directors to senior management teams.

Queried by Webster as to whether organizations are prepared for the risks that are in place and that loom in the future, Woodbury noted that in her own career, and prior to joining Crowe Horwath, she’d headed up a third-party risk management program at one of the top five banks in the United States.

The firm was in the midst of evolving its risk management program to meet the then-current expectations of bank management and regulators. Process, people and technology — “a three-pronged approach,” in Woodbury’s eyes — are all under consideration, and must continuously be so. Among the concerns, both then and now, is manually intensive spreadsheet data entry, which becomes a point of inefficiency when business is being done at scale and volume with third parties.

“That is where technology comes into play,” she said, referring to the availability of tools and software suites focused on cybersecurity, with attendant offerings ranging from compliance to disaster recovery, among other areas.

And yet, even as technology advances, one size does not fit all, the duo agreed. Were that to be a reality, said Woodbury, “it would be tremendous. Most organizations will take a look at what is the strategy of using the third party and … what are they doing for you. If you use a lot of one type of third party, that may dictate how you try to segment or categorize [them].”

Most organizations use some type of risk classification or tiering to find out what the inherent risk may be within a given relationship. That allows for some tailoring of the relationship in a strategic way.

“If an organization is doing a good job of managing third-party risk, you don’t know it, because they are not having events” — but regardless of skill or luck, she stated, third-party management has to be a “topic that gets attention and gets asked about” as firms connect disparate departments within the organization — such as regular audits or independent quality assurance functions — all in an effort to mitigate risk.