“Marking your own homework.” If there was one phrase that stuck out during Skybox Security’s recent panel discussion with senior cyber and risk management executives in the banking and financial services industry (BFSI), that was it.
The discussion, moderated by Abbas Kudrati, Industry Professor and Executive Advisory Board Member at Deakin University, was about third-party cybersecurity compliance. This is a key requirement of APRA’s latest Prudential Standard CPS 234, currently the focus of compliance activities for third-party suppliers, according to panel participants.
Improve process efficiency
At the start of the discussion, most participants said they were focused on improving the efficiency of their third-party cyber compliance processes.
Many organizations are heavily challenged by the process of onboarding new suppliers. This requires third parties to jump through a number of hoops, including procurement, legal, privacy, cyber risk, operational risk, and regulatory compliance.
This often results in overlapping processes and duplicated activities. “People are asking the same questions over and over again in slightly different contexts,” said one participant. “What we are doing results in a very poor experience both for third parties and also from an internal business perspective,” said another.
The more mature organizations are investing in technology solutions to coordinate their efforts, automate processes where possible, and act as a single source of truth for compliance information.
Compliance assurance is a particular challenge, however, given the large numbers of suppliers involved, rapid changes in enterprise delivery models, and a desire for greater business agility. Not to mention the fact that assurance processes are inherently difficult to automate and therefore more costly than self-assessment.
Third-party cyber risk management methods range from using manual Excel spreadsheets to leveraging automated workflows along with sophisticated security or IT service management tools. In either case, questionnaires are used.
Trust but verify – a costly endeavor
Of course, marking your homework isn’t always a bad thing. The phrase “trust but verify” was also used, and this kicked off a lengthy discussion about different approaches to the assurance of third-party suppliers’ cybersecurity postures.
When discussing third-party risks to the most critical systems and sensitive information, the participants all invested in assurance processes. To varying degrees, they require an independent assessment of third-party cyber compliance through, for example, penetration tests or SOC 2 Type 2 certification.
Whereas the preparation, distribution, and processing of questionnaires can be easily automated, assurance remains a manual process for most BFSI organizations. The results of a pen test or SOC 2 certification are easy to process. However, someone has to perform the test or do the certifying, and that requires boots on the ground that must be paid for. This is typically through the employment of expensive consulting firms that perform manual assessments of the third party. This imposes high compliance costs on service provision that end up being paid by BFSI organizations themselves.
Sometimes these costs are paid directly by BFSI organizations. As one participant said, “We have a supplier that is the only show in town. There is no way they are going to do a certification for us. You either take it or leave it. What we ended up doing is paying the vendor to perform some sort of assurance like SOC 2.”
Perhaps the most stringent third-party assurance employed by any of the participants is based on a 100-point system. This allocates scores to independent assessments of third-party security posture such as SOC 2 Type 2 (which could be worth 100 points), ISO (say 50 points), and external penetration tests (30 points).
Despite the practicality of this approach, such assessments still only represent an approximation of risk at a single point in time. And they impose high costs which are ultimately paid for by BFSI organizations.
Take a tiered approach to third-party risk assessment
Large organizations taking part in our discussion have thousands of suppliers. With limited resources, it is not feasible to perform stringent assurance on all third parties. Instead, they categorize suppliers into tiers depending on the criticality or sensitivity of the information assets they could access.
When supplier risk is considered to be low, measures such as including requirements into contracts and collecting information via questionnaires are deemed adequate for compliance. Some organizations conduct randomized assurance checks of suppliers in low-risk categories – trusting all but verifying some to make sure.
While questionnaires are a common mechanism for gauging the security posture of third parties in less risky tiers, there is a widespread agreement they are not sufficient to ensure the compliance of suppliers in the riskiest tiers. These could balloon into the hundreds for large organizations where total numbers of suppliers are in the thousands.
Tiering helps organizations focus assurance activities on those third parties presenting the greatest risk. The disadvantage, as one participant pointed out, is that no supplier represents zero risk. Information collected via questionnaires is potentially unreliable. Also, there is the risk of categorizing suppliers in the wrong tier or failing to reassess them when circumstances change.
The thorny issue of fourth-party risk was also raised in the discussion. Some organizations proactively investigate both third and fourth party (suppliers of suppliers) exposure. Others deem only the contracted party to be of concern and it is considered to be their responsibility to manage their own third-party risks.
Moving beyond compliance to increase security efficacy
In addition to third-party regulatory compliance, many of the participants said they are increasingly focused on operational cybersecurity effectiveness.
Ticking the box is not enough, they said. It is also important that compliance activities help to prevent cyber attacks. This focus is being driven by boards who are just as sensitive to the actual or reputational damage to organizations from cyberattacks as the risk of regulatory non-compliance.
There are many operational improvements that must take place to go beyond compliance and mitigate true third-party cybersecurity risk, including:
- Even the most stringent third-party compliance processes rely on point-in-time assessments. Effective cybersecurity – with dynamic information systems and ever-changing cyber risk environments – requires continuous assurance of third-party risks and vulnerabilities.
- Technology investments participants are making to improve efficiency are focused on automating business processes and creating a single source of truth for compliance information. They lack the necessary integration with operational cybersecurity solutions to create a single, security-centric source of truth.
- The reliance on manual processes for cyber assurance means the compliance programs of BFSI organizations face major cost and scalability challenges in the face of increasingly stringent cyber regulations such as the proposed Australian Critical Infrastructure Act.
To bolster security efficacy beyond ‘checking the compliance box’, organizations should focus on managing their cyber exposure at scale. Skybox can help in the following ways and more:
- Create mature, consistent, and enterprise-wide security posture management programs
- Facilitate and verify proper segmentation across the hybrid infrastructure
- Achieve continuous compliance as new regulations are issued
- Simplify and automate compliance assessment with one system for the entire hybrid infrastructure
- Create customizable risk and compliance reporting in a singular view
To find out more about Skybox’s approach, get our Change Management ebook.