If you’ve ever used your Google account to log into an app or website, you can probably appreciate the convenience of not having to create a new user profile. This is an example of an integration between two systems: the website calls Google’s sign-in application programming interface (API), an OAuth 2.0/OpenID Connect flow, to exchange authentication data with Google’s identity platform.
Google is a well-known provider of third-party APIs, but many organizations publish them for integration into other systems. In general, a third-party API is either public, open to any developer (often free of charge), or a partner API that a vendor makes available only to authorized integrators under an agreement.
Many organizations rely on APIs to perform essential functions, like processing payments or providing location services. Although third-party APIs increase efficiency, they also expose an organization to risk. Research from Salt Labs has found that 94% of organizations experienced a security issue with production APIs and 17% had suffered a breach caused by an API security gap.
Let’s review some common risks found in third-party APIs and how to address them within your third-party risk management (TPRM) program.
4 Common Third-Party API Risks
Third-party APIs will always contain at least some level of risk, whether they were built by a large, well-known organization, or a smaller organization in a specialized industry. Here are a few risks you’ll need to consider before integrating a third-party API into your system:
- Cybersecurity – If the third-party API has access to your organizational or customers’ data, a data breach, ransomware, or malware incident on the vendor’s side becomes your incident too. The integration also means API keys or tokens live in your environment; a vulnerable endpoint or leaked credentials can give cybercriminals a foothold for larger attacks on the rest of your infrastructure.
- Operational – In the same way that a third-party vendor’s actions can create operational inefficiencies for your organization, a third-party API can fail unexpectedly and take a business function down with it. For example, if your website’s chat feature is backed by a third-party API and that API suddenly stops responding, the feature stops working for every visitor unless your site is built to degrade gracefully.
- Compliance – A third-party API exposes you to compliance risk if it doesn’t have adequate data protection and privacy controls that are relevant to your industry. Remember that your organization is responsible for ensuring that all aspects of your products and services comply with applicable laws and regulations.
- Reputational – API risks can sometimes overlap, causing reputational harm in addition to other negative consequences. Maybe the third-party API is responsible for a data breach that impacted hundreds of your customers, or it put your organization in the spotlight for noncompliance. Your organization’s reputation can ultimately be damaged because of a third-party API.
How to Manage and Secure Third-Party API Risks
The good news is that there are steps you can take to manage and secure these third-party API risks. You’ll notice that the following steps are closely aligned to activities already found within a third-party risk management program:
- Create an inventory – You can’t manage risk if you don’t know where it exists, so create and maintain an inventory of the third-party APIs that are integrated into your system, including which data each one can read or write and which credentials it holds. It’s especially important to identify APIs that have access to sensitive information.
- Perform risk assessments and due diligence – Both of these activities should be performed before you integrate the third-party API, and periodically after. Depending on the type of API you’re using, and the risks involved, you may need to evaluate different due diligence documents such as security testing procedures and business continuity and disaster recovery (BC/DR) plans.
- Establish ongoing monitoring and testing – Third-party APIs should be continuously monitored so that you can quickly identify and remediate performance or security issues; error rates, latency, and failed authentication attempts are the first signals to watch. Vulnerabilities and threats evolve continuously and can appear quickly, so periodically test the integration against known vulnerabilities and keep a way to disable it (a kill switch or feature flag) so you can block its functionality until the vendor resolves the issue.
- Consider contract management – If the API is provided by a third-party vendor with whom you have a contractual relationship, you’ll want to consider certain provisions such as service level agreements (SLAs) and a right to audit clause. SLAs will set expectations around how the third party’s API should perform, while a right to audit clause will obligate the vendor to provide certain documentation like policies and procedures when requested.
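As an added example (not code from the original article or from any vendor), the following Python wrapper shows how the operational risk above (a chat API that suddenly fails) and the monitoring step (block the API’s functionality until the issue is resolved) look in code. It combines a circuit breaker that stops calling the vendor after repeated failures or slow responses, a manual kill switch that keeps the integration disabled until someone clears it, and counters you can export to monitoring. `GuardedApi`, `vendor_chat`, `degraded_chat` and the scripted outage are illustrative names and constructed data, not a real API.

```python
"""Guard around a third-party API call: circuit breaker, kill switch, metrics."""
import time
from typing import Any, Callable


class GuardedApi:
    """Wraps one third-party call with a fallback that runs whenever the API is unavailable."""

    def __init__(self, name: str, call: Callable[..., Any], fallback: Callable[..., Any],
                 failure_threshold: int = 3, cooldown_seconds: float = 30.0,
                 latency_budget_seconds: float = 2.0,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self.name = name
        self.call = call                      # the real vendor call
        self.fallback = fallback              # degraded behaviour when the vendor is unavailable
        self.failure_threshold = failure_threshold
        self.cooldown_seconds = cooldown_seconds
        self.latency_budget_seconds = latency_budget_seconds
        self.clock = clock                    # injectable for deterministic tests
        self.blocked_reason = None            # manual kill switch, e.g. set after a vendor advisory
        self._consecutive_failures = 0
        self._opened_at = None                # when the breaker last tripped
        self.metrics = {"calls": 0, "failures": 0, "fallbacks": 0, "slow": 0}

    def block(self, reason: str) -> None:
        """Disable the integration until unblock() is called (TPRM kill switch)."""
        self.blocked_reason = reason

    def unblock(self) -> None:
        self.blocked_reason = None

    def breaker_open(self) -> bool:
        if self._opened_at is None:
            return False
        # After the cooldown the breaker is half-open: one trial call gets through.
        return self.clock() - self._opened_at < self.cooldown_seconds

    def _record_failure(self) -> None:
        self.metrics["failures"] += 1
        self._consecutive_failures += 1
        if self._consecutive_failures >= self.failure_threshold:
            self._opened_at = self.clock()    # trip (or re-trip after a failed trial call)

    def _record_success(self) -> None:
        self._consecutive_failures = 0
        self._opened_at = None

    def invoke(self, *args: Any, **kwargs: Any) -> Any:
        self.metrics["calls"] += 1
        if self.blocked_reason is not None or self.breaker_open():
            self.metrics["fallbacks"] += 1
            return self.fallback(*args, **kwargs)
        started = self.clock()
        try:
            result = self.call(*args, **kwargs)
        except Exception:  # vendor clients raise many exception types; all count as failures
            self._record_failure()
            self.metrics["fallbacks"] += 1
            return self.fallback(*args, **kwargs)
        if self.clock() - started > self.latency_budget_seconds:
            # A synchronous call cannot be cancelled after the fact (set the real timeout on
            # the HTTP client); a slow answer is still returned but counts against the breaker.
            self.metrics["slow"] += 1
            self._record_failure()
        else:
            self._record_success()
        return result


class FakeClock:
    """Constructed clock so the cooldown can be exercised without sleeping."""

    def __init__(self) -> None:
        self.now = 0.0

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


def run_demo():
    """Constructed scenario: one good answer, a three-call outage, then a healthy vendor."""
    clock = FakeClock()
    script = iter(["ok", "err", "err", "err", "ok", "ok"])

    def vendor_chat(message: str) -> str:
        if next(script) == "err":
            raise ConnectionError("vendor unreachable")
        return f"vendor:{message}"

    def degraded_chat(message: str) -> str:
        return "chat temporarily unavailable, email support@example.com"

    api = GuardedApi("chat-vendor", vendor_chat, degraded_chat,
                     failure_threshold=3, cooldown_seconds=30, clock=clock)
    results = []
    for _ in range(5):            # 1 success, 3 failures (breaker trips), 1 call short-circuited
        results.append(api.invoke("hi"))
    clock.advance(31)             # cooldown elapsed: the next call is a trial call
    results.append(api.invoke("hi"))
    api.block("vendor advisory open; waiting for patched release")
    results.append(api.invoke("hi"))   # served by the fallback, vendor never contacted
    api.unblock()
    results.append(api.invoke("hi"))
    return api, results


if __name__ == "__main__":
    api, results = run_demo()
    for i, r in enumerate(results, 1):
        print(i, r)
    print(api.metrics)
```

The `metrics` dictionary is what you would ship to your monitoring system: a rising `fallbacks` count is the early warning for an operational problem, and `blocked_reason` is the record of why the integration is off and what has to happen before it comes back.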
Third-party APIs are essential tools that offer many benefits, but they can also expose your organization to significant risks that need to be managed. By using the practices found in TPRM, you’ll create a safer environment when integrating third-party APIs into your system.