21 March 2024

Navigating third-party security and privacy risk management

Piotr Debowski
Manager
Rahul Prasad
Manager

elevenM’s Rahul Prasad and Piotr Debowski discuss some observed challenges in managing third-party risk and outline some actions organisations can take to address these challenges.

Running a third-party risk management program is a massive challenge. Different organisations use different strategies to approach third-party risk management, but whatever the approach, the diverse nature of third parties and the ever-evolving threat environment combine to make this a complex and challenging space.

Through our experience helping organisations with their third-party risk, we’ve observed recurring challenges, and identified some consistent actions that organisations can take to stay ahead of third-party supplier cyber and privacy risks.

Why do organisations use third parties?

In simple terms, a third party is any external company that provides goods or services on behalf of the organisation. Third parties are often called suppliers or vendors, and typical examples include providers of Software as a Service (SaaS), cloud services, marketing and advertising, IT support, and data centres. Less typical but just as important examples include consultants, lawyers, and financial advisers – all of which are likely to have access to some sort of commercial or personal information.

Organisations use third parties to achieve a variety of strategic goals, such as:

  • reducing and controlling costs of operations
  • increasing efficiency for time-consuming services that the organisation lacks the resources for, or that the third party is more proficient in
  • sharing or ameliorating risk
  • leveraging specialist expertise of the third party provider
  • improving organisational focus.

Security and privacy challenges in third-party collaborations

Utilising a third party can help your organisation conduct business more efficiently. However, it can present unique challenges to your organisation’s security and privacy health. These are the top three challenges that we’ve observed for the clients and industries we have worked with.

Security

  • Evolving threat landscape
    The ever-evolving nature of cyber security threats adds a layer of complexity to risk management. Keeping up with the dynamic threat landscape, understanding emerging risks, and adapting risk management strategies accordingly is a constant challenge. This becomes even more crucial when using third parties, as each third party expands the organisation’s attack surface.
  • Lack of control and visibility over third party operations and security practices
    There is an inherent challenge in attempting to manage processes that are not within your organisation’s control or visibility. With an expanding network of third-party relationships, organisations often find themselves operating in the dark for more and more of their processes, lacking the granular control needed to ensure that the third parties align seamlessly with their security standards and operational protocols.
  • Insider threats and trust
    Building a trusted relationship with third parties while guarding against insider threats poses a unique challenge. However, it is a necessary one: 74% of companies are vulnerable to insider threat to some extent. It is very difficult to strike a balance between fostering collaboration and maintaining a vigilant stance against potential internal security risks from third parties, while also ensuring that the trust placed in them is reciprocated.

Privacy

  • A lack of understanding and transparency about how the third party will be handling personal information
    Many organisations don’t take any active steps to understand and document what personal information a third party will be handling, including what personal information it will have access to and how it will be using or disclosing that personal information. This lack of understanding can lead to problems down the line.
  • Exposure to unnecessary legal and regulatory risks
    Different jurisdictions impose different levels of obligations and liabilities on the outsourcing organisation and the third party. In Australia, the Australian Privacy Principles (APPs) require some organisations to take ‘reasonable steps’ to protect personal information. In certain circumstances, a reasonable step will be to have carried out appropriate due diligence on the third party’s privacy and security practices. This means that if you haven’t done this and something goes wrong with how the third party has handled personal information, it is not only the third party who is liable: your organisation may also be in breach of APP 11.
  • Limited privacy controls and follow-through
    We see many organisations that routinely implement privacy controls to address risk associated with third parties. Most commonly this is achieved through standard privacy terms negotiated during the contracting process. But standard privacy terms aren’t the be-all and end-all. Your organisation might need more particularised privacy terms to address the particular risk in question. But how do you identify what the particular risk is in the first place?

On top of that, even organisations with established privacy programs are often guilty of poor follow-through. What use is a contractual term requiring the third party to destroy all of your organisation’s personal information at the conclusion of the contract if you don’t verify that they have done so, for example by obtaining a destruction certificate?

Rise in data breaches involving third parties

We are also seeing an increase in data breaches involving third parties. For the period July to December 2022, the Office of the Australian Information Commissioner (OAIC) reported that “8 of the 40 large scale data breaches that affected over 5,000 Australians… involved a service provider relationship.” This trend has continued: in the OAIC’s January to June 2023 Notifiable Data Breaches report, 7 out of the 8 large scale data breaches were caused by a malicious or criminal attack on a service provider.

One good example of this is the cyber attack on MOVEit by the cybercriminal group Cl0p, which some are calling “not just the largest attack of 2023 – but also one of the largest in recent history.” MOVEit is a managed file transfer product used by organisations worldwide. In June 2023, MOVEit announced that it had been the subject of a cyber attack, and current information shows that this resulted in commercial and personal information being stolen from at least 130 organisations, affecting over 15 million people.

How can organisations address these challenges?

A recent study by the Australian Securities and Investments Commission (ASIC) found that 44% of participants are not managing third-party or supply chain risks. While running a third-party risk management program is challenging, it is nonetheless essential. Organisations need to look at the third-party lifecycle and build their privacy and cyber risk strategy to follow it. This will help ensure appropriate coverage, backed up by governance processes, sound remediation management, and continuous monitoring and improvement.

There are some basic actions that any organisation can implement to ensure they are considering and addressing these risks.

[Figure: TPRM lifecycle – before on-boarding, during engagement, offboarding]

Before on-boarding

  • Third Party Classification
    Identify what type of access the third party will have, and to what kinds of personal and commercial information.
  • Due Diligence
    Carry out a comprehensive due diligence assessment to evaluate a third party’s security and privacy controls, policies, procedures and governance. This can involve reviewing documentation, conducting interviews, and performing technical assessments.
  • Contracting
    Implement contractual terms that clearly define the security and privacy requirements and responsibilities of both the organisation and the third party.

During engagement

  • Ongoing Monitoring
    Carry out periodic monitoring of security and privacy controls to ensure agreed controls have been implemented, gaps are noted, and effective remediation is performed until closure.
  • Contract Review
    Contracts must be reviewed to ensure robust security and privacy clauses are in place. Outdated contracts, and contracts for lengthy engagements, should be re-negotiated periodically so that they continue to reflect best practice.

Offboarding

  • Termination/End of contract
    Carry out an offboarding assessment to ensure data deletion, asset disposal and data retention guidelines are followed by the third party after the end of services.

Contact us

If you’re interested in learning more about managing your third-party risk, contact us at hello@elevenM.com.au or on 1300 003 922.