By Kyle Lai CISSP, CSSLP, CISA, CIPP/US/G
COVID-19 Third Party Risk Management Guidance
Businesses globally have been adversely affected by the Coronavirus / COVID-19 pandemic. For decades the trend has been to rely increasingly on the operational flexibility that comes from contracted third-party suppliers and service providers. But that flexibility comes with additional risk: not only reliance on the supplier's financial and operational stability, but also exposure to the supplier's own cybersecurity weaknesses. In a time of crisis, are suppliers sacrificing cybersecurity priorities in their efforts to continue as a going concern?
In all likelihood, yes.
COVID-19 Third Party Risk Management Guidance Found in 2008 Financial Crisis Lessons (Continued)
Q: What were cybersecurity practices like prior to the 2008 financial crisis?
Before the 2008 financial crisis, I consulted as a security advisor to a major U.S. financial institution with contract relationships with over 3,000 vendors / suppliers. We evaluated each one for its criticality (how vital it was to our business), financial risk, and cybersecurity risk to us. For any vendor determined to be a critical-need supplier, we conducted an onsite assessment to determine whether cybersecurity policies and procedures were being followed in accordance with the standards established in our business associate agreement (BAA). As a financial institution subject to cybersecurity regulation, we were responsible for ensuring that contracted third-party vendors / suppliers were equally compliant in protecting our sensitive customer data.
Our vendor review program at that time provided us with several benefits:
- We had a strong overall understanding of the risk associated with each vendor.
- We had a strong business continuity and disaster recovery plan, but it was not tested across all business groups or with third-party vendors / suppliers.
- We had a well-developed security incident response plan with a chain of command and designated press release contacts, but it too was not tested across all business groups.
Q: How successful were the existing vendor cybersecurity controls, policies and procedures during the 2008 financial crisis?
When the 2008 financial crisis hit, a wave of bankruptcy filings and company closings ensued. Vendors' executive management directed efforts toward preserving liquidity and continuing to function as a going concern. Reductions in staffing, especially in IT and information security, adversely impacted their data security. A large mortgage company made news headlines when it hurriedly threw customers' paper files into its dumpster without shredding them!
Q: What was the response?
We realized our own cybersecurity program would be compromised if a key critical-need vendor was in financial trouble, so we quickly developed new procedures:
- Immediately seek to verify the critical-need vendor's financial condition from Dun & Bradstreet (D&B) or another reliable source.
- For any critical-need vendor that showed signs of financial duress, seek a replacement vendor in a stronger financial position.
- For any critical-need vendor showing signs of financial duress that could not be replaced:
  - Pursue discussions with the vendor's management to understand its financial condition, planned staff reductions, and the likely impact on cybersecurity (e.g. patching, security monitoring, and operations).
  - Ensure we had an effective security incident response plan in place (e.g. What should we do when we see an attack coming through a vendor? Who should we contact on the vendor's side?).
  - Ensure we had an effective business continuity and disaster recovery plan in place that was being updated in accordance with policy (e.g. What should we do if a vendor shuts its doors tomorrow?).
- For any critical-need vendor that faced an imminent abrupt closing:
  - Activate, or prepare to activate, our business continuity plan and keep the critical business functions operational.
COVID-19 Third Party Risk Management Lessons Learned:
- In a global crisis such as the Coronavirus / COVID-19 pandemic, which affects many companies simultaneously, financial health takes priority over cybersecurity health. If a company is facing a shutdown, its IT and cybersecurity programs will falter.
- Plan to be agile in business processes and critical vendor relationships so your core business segments can continue to operate.
- Plan for an increase in cybersecurity incidents caused by vendors' collapse, and be ready to handle them. Where possible, use the machine learning capabilities of your security monitoring tools to reduce alert noise and surface real attacks. Suppliers that are lagging on patching are vulnerable to compromise, and a compromised supplier with access to your network or data can be used as a launchpad to attack your organization.
- Strengthen your third-party supplier risk management program and closely monitor each vendor. Identify each vendor's business criticality to your organization, and verify its financial and cybersecurity health status.
- Where possible, have a backup vendor identified in case you need a replacement.
- Establish and maintain your own:
  - Cybersecurity Incident Response Plan, with key team members identified and assigned specific roles and responsibilities
  - Business Continuity Plan (BCP)
  - Disaster Recovery Plan (DRP)