What is Third-Party Risk and Why is it Important to my Business?

Third parties are people or organizations with whom you share your data or allow access to your information systems to support business activities. These can be service providers, partners, suppliers, and vendors. The level of access and type of data shared with a third party will help you prioritize who you must engage in your third-party risk management efforts.

According to Gartner, in 2023 alone, 84% of security professionals experienced at least one significant disruption directly attributed to a third party. 66% incurred a financial loss attributed to a third-party and 59% saw reputational damage due to a third-party.

The Federal Trade Commission requires service provider oversight and outlines three specific considerations:

1. Taking reasonable steps to select and retain service providers that are capable of maintaining appropriate safeguards for the customer information at issue;
2. Requiring your service providers by contract to implement and maintain such safeguards; and
3. Periodically assessing your service providers based on the risk they present and the continued adequacy of their safeguards

The A2C solution provides a conduit for you to gather information from your third parties by way of a direct invite that when followed, gives your vendors three options to provide the information you need to make a reasonable evaluation of their commitment to information security best practices.  Check the service agreements you have with your vendors. Many of them will contain privacy language and in some cases language that describes the controls a company uses to protect the data you share with them.  This language can be the starting point of your risk assessment of a particular vendor and provide evidence of your due diligence in lieu of any other information made available.

You still need to decide whether doing business with a particular vendor poses a significant or intolerable risk to your company. Large service providers like Cox Automotive, CDK, Nuspire, Solera Solutions to name a few have well-developed cyber and information security programs and pose low levels of risk overall. Smaller partners may not have well-developed controls and if they are not able to demonstrate them to your satisfaction, you may be forced to seek those same services from a vendor that can readily attest to compliance standards.

Here are some questions to ask when you are developing your vendor risk program.

1. Do I allow this vendor to have access to my information systems?
2. Do I share customer personal information with this vendor?
3. Does this vendor have access to physical locations where I store personal data or the servers on which data is stored?
4. Does this vendor help to collect customer data I may use to facilitate a sale?

If you answer YES to any of these questions, it’s worthwhile to assess the risk they pose to your data and data systems. If you would like to discuss further or have any questions, contact us.