Modern thinking towards assessments
The current model for assessing third-party security risk is time-consuming, resource-intensive, and often poorly correlated with actual risk. Even in an ever-changing cybersecurity landscape, companies still rely on static questionnaires that capture only a snapshot of a third party's cybersecurity posture. What's the fix? How do we design a risk-based approach that lets us focus on the most critical third parties instead of viewing every third party through the same lens?
Most third-party risk management programs require a due diligence questionnaire that can be quite lengthy and cumbersome. These questionnaires are often a one-size-fits-all approach and, in many cases, do not accurately or adequately assess the third party.
Adding to the burden of these questionnaires is the time it takes to review them and follow up on any items that fall short of the company's expectations. Corners get cut, and sensitive data is needlessly exposed when completed questionnaires travel as unencrypted files through insecure email clients.
In addition, the questionnaire process is static. It is nothing more than a point-in-time snapshot of a third party's cybersecurity posture. Questionnaires correlate poorly with current cyber incidents because they are not updated often enough to keep pace with the changing landscape. Often they are simply a compliance measure, and in the case of cyber insurance they are rarely used by underwriters to set premiums and coverage.
By combining the expected business impact of a cyber incident at a supplier (which defines the overall third-party cyber risk) with the criticality of that supplier's role within your organization, it is possible to greatly reduce the number of third parties that receive a questionnaire at all. Explore our latest publication on modern thinking towards assessments.
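The tiering idea in the paragraph above, worked through as an added example (this is illustrative code, not a model from the publication). It scores each supplier on expected business impact and role criticality, maps the product to a tier, and uses the tier to decide who receives the full questionnaire and how often evidence must be refreshed so the assessment is not left as a stale snapshot. The 1-5 scales, the tier thresholds, the per-tier treatment and the sample supplier records are all constructed assumptions.

```python
"""Risk-based tiering of third parties (added illustration, constructed data)."""
from dataclasses import dataclass
from enum import Enum


class Tier(Enum):
    CRITICAL = "critical"
    HIGH = "high"
    MODERATE = "moderate"
    LOW = "low"


@dataclass(frozen=True)
class Supplier:
    name: str
    business_impact: int      # assumed scale: 1 (negligible) .. 5 (severe) impact of an incident
    criticality: int          # assumed scale: 1 (easily replaced) .. 5 (essential to operations)
    last_assessed_days: int   # days since the last questionnaire was completed


def tier_for(impact: int, criticality: int) -> Tier:
    """Map impact x criticality (range 1..25) to a tier using assumed thresholds."""
    for value in (impact, criticality):
        if not 1 <= value <= 5:
            raise ValueError("scores must be in the range 1..5")
    score = impact * criticality
    if score >= 16:
        return Tier.CRITICAL
    if score >= 9:
        return Tier.HIGH
    if score >= 4:
        return Tier.MODERATE
    return Tier.LOW


# Assumed treatment per tier: whether the full questionnaire is required, and
# after how many days the evidence is considered stale (None = no refresh cycle).
TREATMENT = {
    Tier.CRITICAL: {"questionnaire": True, "refresh_days": 90},
    Tier.HIGH: {"questionnaire": True, "refresh_days": 180},
    Tier.MODERATE: {"questionnaire": False, "refresh_days": 365},
    Tier.LOW: {"questionnaire": False, "refresh_days": None},
}


def triage(suppliers):
    """Return {supplier name: (tier, needs_questionnaire, assessment_is_stale)}."""
    result = {}
    for s in suppliers:
        tier = tier_for(s.business_impact, s.criticality)
        rule = TREATMENT[tier]
        stale = rule["refresh_days"] is not None and s.last_assessed_days > rule["refresh_days"]
        result[s.name] = (tier, rule["questionnaire"], stale)
    return result


def questionnaire_recipients(suppliers):
    """Names of suppliers whose tier requires the full questionnaire."""
    return sorted(name for name, (_, needs_q, _) in triage(suppliers).items() if needs_q)


# Constructed sample supplier list for the example.
SAMPLE = [
    Supplier("payroll-provider", business_impact=5, criticality=5, last_assessed_days=200),
    Supplier("cloud-hosting", business_impact=5, criticality=4, last_assessed_days=30),
    Supplier("office-catering", business_impact=1, criticality=2, last_assessed_days=900),
    Supplier("marketing-agency", business_impact=3, criticality=2, last_assessed_days=400),
]

if __name__ == "__main__":
    for name, (tier, needs_q, stale) in triage(SAMPLE).items():
        print(f"{name:18} tier={tier.value:9} questionnaire={needs_q} stale={stale}")
    print("send questionnaire to:", questionnaire_recipients(SAMPLE))
```

Only the two suppliers that score into the critical tier receive the questionnaire; the low-criticality caterer never does, while the payroll provider is flagged because its last assessment is older than the tier's refresh window.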
Third-party security assessments