A new approach to third-party risk management
- Supply chain attacks affect multiple global victims and have significant economic and operational consequences;
- The hyper-connectivity of industries makes it imperative for supply chain actors to collaborate and align third party risk governance practices, especially when 60% of organizations need to manage more than 1,000 suppliers;
- A collaborative, aligned and holistic approach is needed to streamline the process and mitigate future risks while providing cost and time efficiency, multidimensional risk coverage and increased transparency.
Recent supply chain attacks compromising several large organizations across various industries have had dramatic operational, financial and reputational consequences. These events affect not only the direct victim but every stakeholder in the value chain, and they demonstrate the importance of taking a collaborative and holistic approach to managing third-party risk.
Managing third-party risk is difficult due to the large number of vendors organizations must onboard and manage (60% of organizations work with more than 1,000 third parties). Companies can have differing requirements due to the uniqueness and complexity of their business and their business model. In the oil and gas industry, for example, the rapid digitization of manufacturing companies is increasing the complexity of managing risks from third parties within their supply chain.
Most third-party risk management approaches depend on the internal configuration, culture and priorities of the organization. Current industry processes and requirements are still conservative and rely on resource-intensive methods. This hampers their ability to scale, since it adds overhead to business engagement, including the capacity building needed to integrate young organizations and start-ups bringing new technologies.
Collaborative action and a holistic approach among stakeholders in the supply chain will provide multiple benefits to organizations.
The World Economic Forum’s Cyber Resilience Oil and Gas community defined such an approach based on four key recommendations for assessing and monitoring third-party risks. These recommendations align the engagement expectations of the various stakeholders in the oil and gas industry.
We encourage organizations to consider the following four recommendations when managing third-party risk:
Recommendation 1: Establish common cybersecurity baseline requirements with third parties by following 10 key principles:
- Govern the risks of third parties by establishing clear roles and responsibilities within the organization as well as the ownership of risks;
- Develop cyber-literacy and education for employees handling third parties;
- Establish access controls and management of critical assets for employees and third party contractors;
- Implement change and configuration management specifically on assets, information and facilities falling within the scope of third party engagement;
- Require secure systems, services and interfaces by design and by default;
- Maintain response and recovery mechanisms by ensuring that incident management, business continuity management (BCM) and disaster recovery planning (DRP) are in place, up-to-date and regularly tested against scenarios derived from intelligence and consequence-based analysis;
- Protect critical information while complying with relevant regulations and policies;
- Secure operational and physical environments using best security practices;
- Implement a secure development lifecycle of products, systems and tools;
- Provide support for vulnerability management and patches.
Recommendation 2: Define and adopt an evaluation process proportionate to the level of risk of each supplier’s products and services. Rather than relying on a single method, combine several evaluation methods, chosen for their scalability and coverage, to achieve optimal risk coverage.
Recommendation 3: Continuously monitor and review all third parties based on the level of risk to the organization.
- Agree on standard cybersecurity contract terms at the organization level, using existing industry reference language (e.g. minimum cybersecurity requirements for all third parties) to the extent possible;
- In addition to the standard contract terms, institute more elaborate, enhanced contract terms based on the type of product or service and its importance (e.g. for IT and cloud providers, operational technology organizations and marketing);
- Use segmentation criteria or an internal inherent-risk approach to assess risk and determine the level of enhanced terms needed;
- Consider the problems identified during the evaluation process before the execution of the contract in order to adjust the terms and conditions for any change in risk;
- Collaborate with risk experts and the legal department throughout the negotiation process as an escalation channel for contract negotiation.
Recommendation 4: Continuously share, engage and communicate with supply chain stakeholders to identify, monitor and mitigate cyber risks faster and as a team.
- Set a cadence for reviewing each third party’s risk rating in order to capture any change in its risk profile or the scope of its engagement;
- Perform a regular, risk-based review of the nature, timing and extent of monitoring activities;
- Define criteria that would trigger ad hoc assessment and audit activities and, if possible, automate the process;
- Integrate cybersecurity into business reviews with third parties and constantly communicate on the evolving risk and threat landscape;
- Define reporting mechanisms to raise awareness and ensure timely and informed decisions by the board and senior management, from monitoring meetings to a performance dashboard and more.
To achieve a cyber-resilient environment through a collaborative and risk-informed approach, the Cyber Risk Resilience in Oil and Gas community presented a list of 39 basic requirements and a common assessment approach to increase cybersecurity maturity and improve the efficiency of how third-party risk is managed across the industry. This represents the first step in industry collaboration on this issue – will you align with this initiative?