It’s been more than a year since the World Health Organization (WHO) declared the COVID-19 outbreak a global health emergency and approaching a year since the outbreak was declared a pandemic. This makes it a good time to take a look back and review how third-party risk management has been affected the most.
While the aspects of third-party risk management are very interconnected, it has been affected especially in four big areas: cybersecurity; business continuity, disaster recovery and pandemic planning; financials; and compliance and regulation.
Aside from human health itself, the arena of cybersecurity may have been the most impacted throughout the pandemic, and the damage still continues. Bad actors everywhere took advantage of the chaos and vulnerabilities as millions were sent home to work on unsecured networks.
It became a top priority to review vendors’ cybersecurity and information security plans along with their SOC reports.
Here are some interesting cybersecurity statistics as a result of the COVID-19 pandemic:
Whether it’s a low or high-impact exposure or vulnerability, your organization’s reputation is at risk. Customers don’t care about the “sensitivity” of data stolen or particular details of what happened. It comes down to trust.
We watched those cybersecurity statistics play out as there were some especially notable data hacks over the last year to be aware of and remember. Here are ten to know about:
Pay extra close attention to your call center vendors. Ransomware attacks on call centers rose in 2020 and continue to be a threat. Groups are reportedly cold calling their victims to tell them their systems have been compromised by ransomware, and will then “shake down” the unsuspecting individual, not only using crypto-locking malware but, lately, also leaking data to increase the psychological pressure on victims to pay. The scary thing is that some of these groups have developed into something more or less like a mid-sized company, complete with staffing and budgets.
Ensure you’re doing proper due diligence and oversight on these vendors and verify they are prepared and educating their staff on how to handle various situations like this.
The above is only the tip of the iceberg. The healthcare and pharmaceutical industry has by far been the hardest hit by breaches. Healthcare cybersecurity breaches cost the most of any industry, at $7.13 million. And, since November of 2020, cyber attacks on healthcare facilities have increased by 45%.
The healthcare industry has a unique makeup: in many ways it is still a bit old school and decentralized, it often relies on paper transmission, and it uses technology within its medical devices, which are ultimately vulnerable to attack. When Blackbaud, a third-party cloud computing vendor we mentioned in the list above (which services non-profits, healthcare, academic institutions, religious organizations and other organizations alike), was hacked this year, the fallout was massive, especially for healthcare.
It’s estimated that more than two dozen providers and over 10 million patients have been included in the final breach tally and the number is still growing. As of December 2020, the Blackbaud hack has resulted in close to $6 million in damages.
Now, Blackbaud is being audited by the Department of Health and Human Services (HHS) and state and federal regulators.
There are some things that even the best thought-out plans aren’t prepared for. It became even more important than ever to be aware of your vendor’s business continuity, disaster recovery and pandemic plans to ensure procedures are strong and meet expectations.
It’s important to look into these matters, determine the root cause of any issues, and assess whether the circumstances could have been, or can be, avoided. Even if a matter has been recovered from, there could be systemic issues which show that further action should be taken to remediate, or perhaps to transition to a new vendor. Either way, as people have done especially in 2020, continue to keep a close eye, increase ongoing monitoring and incorporate lessons learned.
With the pandemic, the possibility of vendors being disrupted by it in some form greatly increased. By reviewing and monitoring their plans, you’re determining the resiliency of the vendor and, therefore, of your own organization.
Examiners, especially now, expect you to have an analysis of the plans as well as documentation available. For example, a joint paper between the Board of Governors of the Federal Reserve System, the Office of the Comptroller of the Currency and the Federal Deposit Insurance Corporation on operational resilience was published in October 2020 outlining practices to have in place to be prepared when facing cybersecurity, natural disaster and pandemic-related scenarios. This shows the heightened focus on third-party risk management due to the pandemic and the importance of being prepared.
Here are a few interesting statistics:
Monitoring vendors’ financial status also became increasingly frequent, to see how the pandemic was affecting their revenue. When income declines, it leads to reductions in staff, which then lead to declining service levels and longer response times, and all of that leads to a decline in the maintenance of security and systems, which loops us back around to information security.
And it’s important to remember that not all of the shutdown fall-out is felt instantaneously. There may be organizations holding on now, but sustainability is uncertain. Even when operations begin to go back to normal, the residual impacts to organizations large and small will continue to play out over the coming months and years.
According to a report by Baker McKenzie from November 2020, 35% of respondents state that their compliance function has no way of knowing if third-party partners are compliant.
So, it’s no surprise that all the increased risks from the pandemic created compliance and regulatory shifts. We’ve seen many regulations created as a result, a couple of notable ones being:
Meanwhile, compliance and regulatory shifts have happened within the financial industry specifically, which needed some major support, resulting in a long and somewhat complex list of updates pertaining to various facets of mortgages, credit and loans. Some of these included relief or changes around:
From our own recent survey released last month, the State of Third-Party Risk Management 2021, 36% of respondents are feeling more pressure now because of regulatory/audit scrutiny and 67% feel that there is more scrutiny on third-party risk management over the last year.
More organizations than ever are placing a priority on third-party risk management, as evidenced by the increasing budgets many are dedicating to it and the other facts we’ve mentioned throughout.
Organizations are continuing to see a practical advantage of third-party risk management as a positive return on investment (ROI). From our survey, 80% of organizations do believe there is an ROI from efficient vendor risk management. Also, around 73% of organizations overall are feeling pressure to improve their vendor management program.
So far, 2021 is shaping up to be somewhat of a transitional period. We’re all still in the thick of the many changes that are sure to come. But, of one thing we are certain: regardless of industry, third-party risk management is indispensable. Managing risk is non-negotiable, and while we will undoubtedly weather more shifts in cybersecurity, business continuity/disaster recovery/pandemic planning, financials and compliance and regulatory requirements, dedicating resources to developing a strong risk program is a steadfast, strategic advantage in the best and worst of times.