Wed, Aug 21, 2019

What Third-Party Cyber Risk Management Is - and Isn't

Recent news has thrust the issue of third-party cyber risk management back into the spotlight. Brian Krebs continues his thorough work and reporting around cyber risk in investigating the Capital One breach. In his post entitled "What We Can Learn from the Capital One Hack," Krebs highlights several issues that face enterprise risk managers:

  • Third-party risk is incredibly difficult, even for highly-resourced financial institutions such as Capital One. It turns out that a misconfigured open-source (and therefore third-party) web application firewall (WAF) was pinpointed as the source of the breach.
  • The concept of "n-th-party" risk – the third parties of your third party, or their third parties, etc. – is a very real issue, and we must continue to develop awareness and solutions for this challenge.
  • Configuration details are quite difficult and still matter.

Despite the attention-grabbing headlines, it is vital that expectations for third-party risk management remain realistic. Let me be clear: I am not arguing that if Capital One were your third party, your enterprise third-party risk function should audit the configuration of Capital One's open-source WAF. Indeed, even their own engineers were unable to identify this issue, and they are infinitely more familiar with both the environment and the configurations than the enterprise third-party risk team. That is neither the goal, nor the expectation.

Instead, expectations should center around identifying and quantifying potential areas of risk and increasing awareness in those areas. There are simpler questions we should be asking:

  • Do you know who your third parties are?
  • Do you know what type of data your third parties have access to?
  • Do you know what practices your third parties employ in their enterprises?
  • Do you know what third parties your third parties rely on to provide the service you use?

Technology risks will continue to manifest, and the role of third-party risk management is not to eliminate them, but rather to identify these issues and diminish their potential impact on the enterprise. In an ever-more interconnected world, we no longer have the luxury to ignore the risk posed by our third parties. Instead, we must continue to be diligently aware and strategically manage our resources to address the most pressing of these risks, which change on a constant basis.

Patching processes, or lack thereof, are another common third-party cyber risk. Recently, legal technology vendor iManage disclosed a critical vulnerability in their software that required an immediate update. This is a common type of announcement—Microsoft has released a slew of patches on the second Tuesday of every month (known as Patch Tuesday) for almost two decades. What matters more than the fact that the vulnerability exists is understanding which of your third-party legal vendors, including law firms, are utilizing iManage, and whether those vendors have a rigorous patching process to remediate the vulnerability. Firms that utilize iManage but lack rigorous patching are likely vulnerable and may remain this way for the foreseeable future.

This "nth party" risk, where your vendor's vendors begin to pose risks to your enterprise, continues to be a challenge. Having rich data and a solid understanding of how your business partners operate will help you stay ahead of risks. Press coverage will highlight the fact that "[s]ome CIOs at iManage clients that Legal IT Insider spoke to were aware of the problem, while others were not." Awareness and actions regarding the information you have is the key to staying safe. In this situation, perhaps the most effective way a third-party risk manager can act is to ensure their vendors who use this software know about and have addressed this vulnerability. A few calls or emails to check on patching status are minor compared to what may happen if action is not taken.
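The iManage scenario above, as an added illustration that is not part of the original post: a small Python model of a vendor inventory in which each vendor records the products it runs and the vendors it in turn relies on. Given a product with a disclosed vulnerability, it walks the dependency graph outward from our direct vendors, reports every vendor at any depth that runs the product, whether its installed version is at or above the fixed version, and which direct vendor the check-in call should go through. All vendor names, data-access labels, version numbers and the fixed-version threshold are constructed placeholders, not real iManage release numbers.

```python
from collections import deque
from dataclasses import dataclass, field

# Constructed sample inventory: hypothetical vendors and versions, not real data.
# products maps product name -> installed version; depends_on lists this
# vendor's own vendors (the "n-th party" relationships).
@dataclass
class Vendor:
    name: str
    data_access: str
    products: dict = field(default_factory=dict)
    depends_on: list = field(default_factory=list)

INVENTORY = {
    "LawFirmA":     Vendor("LawFirmA", "privileged legal", {"iManage": "10.2.0"}, ["EDiscoveryCo"]),
    "LawFirmB":     Vendor("LawFirmB", "privileged legal", {"iManage": "10.3.1"}, []),
    "EDiscoveryCo": Vendor("EDiscoveryCo", "none", {"iManage": "10.1.0"}, ["HostingCo"]),
    "HostingCo":    Vendor("HostingCo", "none", {}, ["EDiscoveryCo"]),  # cycle on purpose
    "PayrollCo":    Vendor("PayrollCo", "PII", {"PayrollSuite": "4.0"}, []),
}

# The vendors we contract with directly; everything else is reached through them.
DIRECT_VENDORS = ["LawFirmA", "LawFirmB", "PayrollCo"]


def parse_version(v):
    """Turn a dotted version string into a tuple so versions compare numerically."""
    return tuple(int(part) for part in v.split("."))


def find_exposure(inventory, direct_vendors, product, fixed_version):
    """Breadth-first walk from our direct vendors through their dependencies.

    Returns {vendor_name: {"version", "status", "depth", "path"}} for every
    vendor that runs `product`. `path` is the chain of relationships from the
    direct vendor to that vendor, so depth 1 is a third party, depth 2 a fourth
    party, and so on. Cycles in the graph are handled by the `seen` set.
    """
    fixed = parse_version(fixed_version)
    results = {}
    seen = set()
    queue = deque((name, [name]) for name in direct_vendors)
    while queue:
        name, path = queue.popleft()
        if name in seen:
            continue
        seen.add(name)
        vendor = inventory[name]
        if product in vendor.products:
            installed = vendor.products[product]
            status = "patched" if parse_version(installed) >= fixed else "exposed"
            results[name] = {
                "version": installed,
                "status": status,
                "depth": len(path),
                "path": path,
            }
        for dep in vendor.depends_on:
            queue.append((dep, path + [dep]))
    return results


def followup_list(exposure):
    """Which vendors still need a patching-status check, and which direct vendor
    the question goes through. Deeper (n-th party) exposures are listed last
    because they are the ones we have least direct leverage over."""
    exposed = [(name, info) for name, info in exposure.items() if info["status"] == "exposed"]
    exposed.sort(key=lambda item: (item[1]["depth"], item[0]))
    return [(name, info["path"][0], info["depth"]) for name, info in exposed]


if __name__ == "__main__":
    # Placeholder fixed version; use the vendor's advisory for the real threshold.
    report = find_exposure(INVENTORY, DIRECT_VENDORS, "iManage", "10.3.0")
    for name, info in report.items():
        print(f"{name}: {info['status']} (v{info['version']}, via {' -> '.join(info['path'])})")
    for name, contact_via, depth in followup_list(report):
        print(f"check patching status of {name} (depth {depth}) through {contact_via}")
```

Running it lists LawFirmA as exposed at depth 1, LawFirmB as patched, and EDiscoveryCo as exposed at depth 2 reached through LawFirmA; PayrollCo and HostingCo do not appear because they do not run the product. The point of the `path` field is that the follow-up for a fourth party is a question to the third party that relies on it, which is the only relationship we actually hold.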

Third-party cyber risk management doesn't mean doing code review on your vendors or checking configurations of every AWS instance that your data might encounter. However, it does mean understanding the risks your relationships with these vendors may pose, and strategically deploying data and automation to make the most of your human capital. There is no magic approach for this solution, particularly as your own business needs, vendor list and technology stack continue to change. Instead, investing in a rigorous, well-structured third-party cyber risk management program will allow you to quickly and easily identify the areas of greatest risk and help your team clarify remediation activities—even if that means checking in on the patching practices of certain vendors.
