According to Black Kite’s 2022 Third-Party Risk Report, the average time from breach to third-party vendor disclosure of the breach is 75 days from the attack. The financial and reputational impact can be substantial for companies experiencing such a delayed notification from their vendors.
What can help? Consider implementing a continuous monitoring process as part of your overall Third-Party Risk Management (TPRM) program. Continuous monitoring raises awareness of risks inherent in the security posture of third-party vendors and can be a key factor in reducing the time from attack to disclosure.
Automated continuous monitoring can become an essential part of a mature TPRM program. There are numerous monitoring tools and services available and many companies choose to utilize a combination of tools to ensure broad coverage of their highest risk vendors.
This article focuses on:
- Benefits of continuous monitoring
- How to implement continuous monitoring
- Steps to take when a material change in vendor score is detected
To learn more about setting up a third-party risk management program, read How a Teen Taking Control of Teslas Affects Your Business
Why Continuous Monitoring?
Companies with effective TPRM programs categorize their vendors based on a risk rating. They then perform periodic assessments using a risk-based approach, with the highest-risk vendors assessed more frequently and more extensively.
These assessments are effective: they provide a good view of the risk level and security posture of third-party vendors, and they identify the vendors' risks and the extent of their remediation plans.
However, these assessments are not a complete solution. They are in effect just a snapshot in time. With vendors as well as threats constantly evolving, a lot can change in between scheduled assessments.
This points to the need to do more than risk-rate vendors, conduct assessments and identify engagement-specific risks and remediations. In effect, companies need to be aware of what's happening with their vendors in between assessments.
Fill in the Gaps
Continuous monitoring fills this gap between assessments. In addition, it provides companies with further benefits, including:
- An independent view of their vendors' security posture
- Ability to compare security ratings of all vendors in their portfolio using a common benchmark or score
- Having an objective means of verifying self-reported responses received from vendors on their periodic security assessment questionnaires
- Ability to provide their vendors with copies of their targeted continuous monitoring report, giving the leverage to request remediation plans for noted problem areas
Continuous monitoring can also go beyond specific feedback on implementation effectiveness of technical controls. It can also provide insight into business and reputational risk by providing transparency into a vendor’s leadership changes or financial risks.
Continuous Monitoring Implementation
There are several industry-leading vendors to consider when researching the implementation of a continuous monitoring program. As part of their implementation process, companies should survey the latest research, review white papers, and request demos in order to construct their short list of monitoring vendors to consider.
Typically, continuous monitoring vendors:
- Take different approaches to gathering their risk data
- Have their own unique scoring algorithms
- Provide different feature levels
- Have different price points
Consider Multiple Vendors
It may be worth considering bringing more than one vendor onboard. This way you can benefit from multiple perspectives on a particular third-party vendor’s risks as well as expand the scope of data coverage.
This can be particularly beneficial if one monitoring vendor focuses on effectiveness of technical controls while another has better coverage of business and reputational risk. This way you can receive a combined set of continuous monitoring information and get the best of both worlds!
Typical vendors in this space that you could consider include:
Once you have made your decision and selected your specific continuous monitoring vendor(s) you typically purchase a specific number of third-party vendor monitoring subscriptions or vendor slots. To complete the onboarding process you then log onto your vendor’s platform and utilize your subscriptions to add your full inventory of third-party vendors.
Congratulations - continuous monitoring is underway!
Continuous Monitoring Workflow
Once entered, these third-party vendors would now be visible in your continuous monitoring dashboards, where you can see their latest security scores as well as historical trends. Typically your monitoring vendor will also show you how a specific vendor's rating compares with its industry average.
As part of your TPRM program, you would periodically review this continuous monitoring dashboard in order to keep an eye on trends. It would also be important to note where certain third-party vendors' scores are well below the industry average. That may point to a need to find alternate vendors with more effective security programs.
As part of your periodic review, you likely also would have the ability to download risk reports. These reports would detail specific deficiencies noted by the monitoring vendor. These are particularly useful in validating your risk rating of that third-party vendor.
Another key feature is the ability to configure alerts so that the monitoring service sends you notifications. These notifications would be triggered by specific events, such as a data breach occurring or a change of a certain magnitude in your third-party vendor's risk score.
Responding to an Alert
As you update your TPRM processes you would want to specifically note what actions to take when an alert is received. Some steps to consider include:
- Determine the root cause that triggered the alert
- Review the latest risk report for the vendor
- Assess the trend of the risk score - is it a gradual decline or was the alert triggered by a sharp drop in score?
- Reach out to your company’s internal business owner or project contacts and notify them of the third-party vendor issue
- Reach out to the third-party vendor and request a remediation plan and timeline
- Determine if any compensating controls from your company can be put in place
- Determine if the vendor risk rating needs to be adjusted
- Determine if a new out-of-cycle third-party vendor risk assessment should be performed
- Track the third-party vendor's remediation to completion
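To make the alert triage above concrete, here is an added example (not code from the original article or from any monitoring product) that classifies a vendor's score history into the cases the workflow distinguishes: a breach event, a sharp single-period drop, a gradual decline across recent periods, and a score well below the industry average. It assumes a 0-100 score scale, oldest-first monthly histories, and hypothetical thresholds; the sample portfolio is constructed.

```python
from dataclasses import dataclass

# Assumption: monitoring scores are on a 0-100 scale; histories are oldest-first.
@dataclass
class VendorAlert:
    vendor: str
    kind: str    # "breach", "sharp_drop", "gradual_decline", "below_industry"
    detail: str

def evaluate_vendor(vendor, history, industry_avg, breach=False,
                    drop_threshold=10, window=6, decline_threshold=10, below_margin=15):
    """Classify a vendor's score history into the alert types the TPRM workflow triages.

    Hypothetical thresholds (not taken from any monitoring product):
      drop_threshold     points lost in a single period that count as a sharp drop
      window/decline_threshold  points lost across the last `window` periods, with no
                         single sharp step, that count as a gradual decline
      below_margin       points under the industry average that flag the vendor
    """
    alerts = []
    if breach:
        alerts.append(VendorAlert(vendor, "breach", "breach event reported by monitoring service"))
    if len(history) >= 2:
        last_step = history[-2] - history[-1]          # positive = score fell
        if last_step >= drop_threshold:
            alerts.append(VendorAlert(vendor, "sharp_drop", f"fell {last_step} points in one period"))
    if len(history) >= window:
        recent = history[-window:]
        steps = [a - b for a, b in zip(recent, recent[1:])]
        total = recent[0] - recent[-1]
        if total >= decline_threshold and max(steps) < drop_threshold:
            alerts.append(VendorAlert(vendor, "gradual_decline", f"fell {total} points over {window} periods"))
    if history and history[-1] < industry_avg - below_margin:
        alerts.append(VendorAlert(vendor, "below_industry",
                                  f"score {history[-1]} vs industry average {industry_avg}"))
    return alerts

def alert_kinds(vendor, history, industry_avg, breach=False):
    """Convenience wrapper returning only the alert type names, in evaluation order."""
    return [a.kind for a in evaluate_vendor(vendor, history, industry_avg, breach)]

if __name__ == "__main__":
    # Constructed sample portfolio: (vendor, monthly score history, industry average, breach flag)
    portfolio = [
        ("Vendor A", [85, 84, 82, 79, 77, 75, 72], 78, False),   # slow slide, no single big step
        ("Vendor B", [80, 80, 79, 65], 78, False),               # one sharp drop
        ("Vendor C", [60, 58, 55], 78, True),                    # breach and well below peers
    ]
    for vendor, history, avg, breach in portfolio:
        for alert in evaluate_vendor(vendor, history, avg, breach):
            print(f"{alert.vendor}: {alert.kind} ({alert.detail})")
```

A sharp drop and a gradual decline are mutually exclusive for the same window, so each alert maps to one of the trend questions in the list above.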
With the increase in risks associated with third-party vendors, it has become ever more important to continuously monitor your entire portfolio of third-party vendors for changes in their business and financial conditions as well as for cyber risks.
Automating this process through the use of monitoring services makes it feasible for the TPRM group within your company to monitor for changes in vendor risk in a timely and efficient manner. Continuous monitoring also empowers your company to become proactive in reaching out to your vendors when warning signs or negative trends in risk metrics and reports are observed.
Christine has 15+ years in the technical industry developing software, leading teams along with extensive experience as a hiring manager. She found that she really enjoyed the process of building teams and interacting with candidates and business customers. As a result, Christine decided to make the hiring process her focus and started Vector Recruiting.