AIAA

The World's Forum for Aerospace Leadership

  • MY AIAA
  • Donate
  • Press Room
  • Renew
  • View Cart
American Institute of Aeronautics and Astronautics

    Third Party Risk Management

    Third Party Risk Management

    This month in Protocol we take an in depth look at third party risk management. A third party is any outside party, usually (but not exclusively) a vendor that provides products, services, or data to your organization. While third parties are indispensable in supporting large and small organizations, they introduce additional risks to corporate networks and data. This month’s feature will review a few examples when third parties were the weak link that resulted in large breaches for parent companies. Then, it will examine how to sort and identify third parties that pose the greatest cyber risks. Finally, it will review what to do about such risks, including how to incorporate risk mitigation into the acquisition process.

           

    Third party vendors provide a wide range of services: administering payroll, health benefits, and other administrative business operations; holding or processing data; marketing; supporting research and development; and, even providing managed cybersecurity services. Many vendors are ubiquitous at corporations around the world, such as ADP, Oracle, and Amazon Web Services (AWS). ADP, for example, performs payroll services for two-thirds of the Fortune 500 and companies in over 125 countries. ADP was the victim of tax and salary data in 2015, when they had to inform multiple customers that their data may have been affected. This breach resulted from the customer firms sharing information about their ADP relationship that made them easy targets for hackers. Like many third parties, ADP had a public portal for customers to access their data, but attackers were able to gain unauthorized access to the portal. These business-to-business relationships and opportunities to reach the other’s network both enable businesses to function but create risks for these connections to be compromised. Other third parties provide a specific service to a limited number of companies. Third parties can also include organizations like government regulators that require companies to report information to them, in which case information that was entrusted to the company can pass beyond its direct control.

     

    The most well-known example of a third party vendor being the weak link in a major breach involves the major retailer Target. The Target breach happened via a third party supplier for Heating, Ventilation, and Air-Conditioning (“HVAC”) services that was responsible for monitoring the temperature on refrigerators at Target stores. The third party’s networks were compromised, and the attackers were able to use information and access gathered there to penetrate the Target network. Once they penetrated the Target network, they were able to place malware on the Point-of-Sale systems that customers use to make in-store purchases, resulting in the theft of ~40 million credit cards and affected ~70 million people.

     

    Many organizations in the aviation industry rely on the same third parties and suppliers for a variety of products, services, and data. As these examples have shown, the third party ecosystem has repeatedly been shown to have critical importance, both for aviation corporations and for corporations around the world. In many cases, these third parties are at the core of business operations and are indispensable, or “too big to fail”.


    Managing Third Parties

     

    Since most organizations have dozens or hundreds of third parties, and managing third party risk takes time, business managers and IT security employees must work together to identify and prioritize third parties that pose particular risks to their organizations. Sorting third parties can be done in multiple ways, but if you are facing these issues for the first time, we recommend using the following questions and issues to begin understanding the risks to your organization.

     

    First, does the third party require or have access to your corporate network to perform its functions? This connection could be exploited by an attacker. These third parties may be the most sensitive to your organization and should be reviewed to understand several details of these relationships, including whether they have access to the full network or a segmented section of your corporate network, how many employees or contractors at the third party have access to your network, how that access is controlled, and what security measures are in place at the third party to prevent anyone from stealing their credentials to access your network.

     

    Second, does the third party receive sensitive data belonging or entrusted to your organization? For example, an organization might share intellectual property with an external law firm to submit a patent application. These third parties perform important services, but as they hold corporate data, they may be putting at risk confidential information. To begin managing such risks, it is crucial to understand what data third parties are holding, how it is being protected, and what happens if the third party has a data breach or compromise of their own. Organizations can address some of these risks through contracts. It is important to do this not only with new third parties but also with long-standing third party relationships, as these relationships may have changed due to the increasing use of data in business operations.

     

    Third, does the third party ask for information or impose requirements related to your own organization’s cybersecurity? If so, your organization needs to ensure it is meeting requirements it has agreed to. These issues typically manifest themselves in legal contracts, and the general counsel’s office is often responsible for ensuring compliance with requirements imposed by third parties. These requirements ensure transparency and better inform all parties about cyber risks, but they also impose cybersecurity obligations, for example to use specific technologies or best practices, so these third parties deserve consideration.


    Fourth, does the third party provide a service or data on which your organization is dependent in a time-sensitive manner? If so, a cybersecurity disruption affecting the third party could affect your organization’s operations, and it is important to understand how the third party delivers the service, product, or data, how it is ensuring reliability in the face of cybersecurity threats, and what guarantees it will make if reliable delivery is disrupted.

     

    Improving Third Party Risk Management

     

    For any organization, understanding the risks posed by third parties is the first step in effective third party risk management.

     

    Once this is done, there are several ways to mitigate third party risks. It is important to consider these methods early in the process of building a new third party relationship. For new vendors or suppliers, for example, this should be considered early in the procurement process. For existing third parties, periodic reviews should consider all these risk management techniques, particularly if there are new exchanges of data or access with the third party.

     

    One way to reduce risk is to assess the third party’s cybersecurity practices and possibly to demand enhanced practices. Counsel may be able to include contract provisions that allow for testing of third party networks, that require implementation of best practices, and that demand documentation guaranteeing compliance with relevant regulations or contractual requirements. Some organizations now use technology solutions to do continuous monitoring of their vendors to see if the cybersecurity “hygiene” level of a vendor changes dramatically, possibly indicating a compromise.

     

    Another way to reduce risk is to change how the relationship operates. A vendor might be able to provide the same service with access to less data, or anonymized data, for example. Or, if a vendor is invaluable because they have a team with specialized expertise, but the vendor has poor cybersecurity, it may be possible to change how the relationship operates by getting the vendor’s talent to operate within an environment controlled by your organization, or by having fewer people access your systems.

     

    You can also reduce risk by having a strong relationship with third parties that have access to your corporate networks and hold corporate data. Developing these relationships before a cybersecurity incident occurs can ensure that information sharing exists, best practices are shared, and any change in the relationship is discussed in the context of how it may impact cyber risks.

     

    Another way to reduce risk is to plan ahead for when things go wrong: require vendors to notify you if they experience a suspected breach or compromise; use contracts to get them to indemnify your organization if your employees’/customers’ data is breached because of the vendor; and, use Service Level Agreements to define the consequences if third party services are not delivered reliably.

     

    In all cases, the third party risk management program, including which third parties pose the most significant risks and how to manage them, should be reviewed through a formal process on a periodic basis with both the IT security team and relevant business units. It is only possible to balance the benefits and risks of third parties, and to keep updated in the face of a changing cybersecurity landscape and changing third party relationships, by having an ongoing, structured discussion with both IT security and business units.

     

    In the aerospace industry, there is significant overlap among companies using third parties. Some members of the aviation industry, for example some large airlines, already invest significant resources to diagnose and mitigate cyber threats from third parties. Because many of the major airlines are similarly situated, these risk assessments likely reveal similar information. In some industries with similarly shared third parties, for example the financial services industry, companies choose to work together more formally to conduct joint assessments of third parties’ cybersecurity. This has efficiency benefits and helps to reveal and mitigate shared cybersecurity risks from third parties.


    Transferring Operations Does Not Equate to Transferring Risk

     

    Third parties, particularly vendors, deliver important services, products, and data to organizations of every type and size. Organizations have traditionally paid less attention to cybersecurity risks involving third parties: for example, companies that outsource certain functions can fall prey to an “out of sight, out of mind” mentality where they believe the risk has followed the operations to the third party. In fact, risk rests with your organization until you mitigate it or purposefully transfer it, for example through contracts or cyber insurance. If your organization depends on a third party to provide a critical service, or gives a third party access to your systems, or shares sensitive data with a third party, your organization is accepting a level of cybersecurity risk. So, it is important to understand the risks, to prioritize them, and to mitigate them appropriately.