Third-Party Risk Management Principles to Follow for Cybersecurity Regulatory Compliance

Due to the prevalence of outsourcing, cybersecurity and privacy issues rank at the top of third-party risk management (TPRM) concerns regardless of industry or business sector. This is no surprise, as daily headlines are filled with stories about cyber breaches and privacy violations impacting every industry, many of which are directly attributable to an organization's third parties or vendors. 

Unfortunately, many organizations lack the necessary controls to thwart cyberattacks, from phishing to ransomware, and customers' personal information is breached, stolen, and misused. For over a decade, industry regulators and certifying bodies have emphasized that organizations must have adequate infrastructure, governance, and controls to deal with the increasing threats to cybersecurity and privacy, both internally and with their third parties. 

The newly released Interagency Guidance on Third-Party Relationships: Risk Management, the Health Insurance Portability Accountability Act (HIPAA), and the National Cybersecurity Protection Act (NCPA) are examples of just a few of the many laws and regulations governing cybersecurity and privacy. Failure of your organization or its vendors to comply with these regulations and requirements can result in serious operational issues, reputational damage, harm to consumers and customers, and hefty legal fees and fines.

6 Third-Party Risk Management Principles to Follow

Regardless of the industry, from financial services to healthcare and others, regulators and certifying bodies have common themes and requirements regarding how third parties should be vetted and monitored to ensure they have appropriate risk management practices and controls to address cybersecurity and privacy. 

To remain in compliance with cybersecurity and privacy regulations, you should follow these six third-party risk management principles:

1. Risk assessment: Your organization must identify all potential cybersecurity and privacy risks related to the product, service, and third-party relationship.
   
2. Criticality of the product or service: If your vendor’s product or service fails completely or undergoes a prolonged and unplanned outage, your organization must determine whether the failure will significantly impact operations or customers. Your organization must also consider if the product or service is necessary to maintain regulatory compliance. 
   
3. Third-party due diligence: Regulations stipulate that third-party vendors should undergo risk-based due diligence. The higher the risks, the more robust and extensive the due diligence should be. Critical and high-risk vendors should have the most intensive due diligence process. Due diligence shouldn’t only seek to establish that the vendor has the necessary practices and controls to manage cybersecurity and privacy risks but should also require proof that the controls are effective. Documentation, testing results, and independent third-party audits are all necessary to evaluate a proper control environment.
   
4. Contracting: Contracts should specifically call out cybersecurity and privacy protection requirements, including testing results and your organization's right to audit. Contract language regarding mandatory breach notification and compliance with all laws, rules, and regulations should be standard.
   
5. Periodic risk re-assessments and updated due diligence: Organizations can’t depend on a single point-in-time risk review and due diligence. It’s necessary to re-assess the risks in the third-party engagement and ensure that due diligence is updated at regular and pre-determined intervals. This is especially important when it comes to cybersecurity. As cybercriminals become more sophisticated and the attack surface constantly changes, third-party control environments must be re-assessed to ensure they are up to date.
6. Ongoing monitoring: Between regular risk re-assessments and due diligence, third parties must be continuously monitored for significant events such as data breaches, changes in ownership or management, negative news, customer complaints, or industry changes. 

How to Achieve and Retain Regulatory Compliance 

So, how can your organization achieve and maintain compliance with regulations or requirements for specific certifications? 

• Identify all applicable regulations or standards: If you’re in a regulated industry, you must know the requirements. Even if your industry isn’t regulated, your customers or clients may be held accountable to specific standards, which extend to their vendors by association. Ensure you can identify and understand what’s required from you and your third parties. If you have questions, your compliance team can be an excellent resource.
  
• Map your current processes against requirements: No third-party risk management program is perfect; even the most mature programs can benefit from improvements. Carefully analyze how well your existing processes and practices align with the regulatory guidance or certification standards. Document the issue and create a written remediation plan when you identify a gap. Ensure that the issue remediation is timebound and keep records of the progress until your process aligns with regulatory expectations or other standards. Documented details will help provide transparency to your auditors and regulatory examiners, which can mean the difference between an observation and a severe finding in an audit or exam.
  
• Collaborate with information security and privacy subject matter experts: Whether you need to enhance your understanding of specific cybersecurity or privacy controls or are looking to improve your processes for vetting your third parties, get the experts to weigh in. Subject matter experts can help your TPRM team identify the right cybersecurity questions to ask in a vendor risk questionnaire or provide a list of privacy laws and regulations that might apply to a specific product or service.
  
• Review your TPRM processes at least once a year: Take time each year to review TPRM tools such as your inherent risk assessment, vendor risk questionnaires, required due diligence documents, etc. Cybersecurity and privacy issues are constantly changing, so your TPRM processes and tools need to keep up.
• Stay alert of regulatory changes: Sign up for news and email alerts directly from regulatory websites. Internet news alerts and industry publications are great additional resources.

Cybersecurity and privacy are serious issues for all organizations and the third parties providing products and services to them. Regulators and certifying bodies have specific expectations and guidelines for managing these risks. 

Organizations can avoid the negative consequences of noncompliance by ensuring they understand what is required of them, have the processes and practices in place to meet requirements, and constantly monitor both their TPRM environment and their third parties to ensure cybersecurity and privacy concerns are addressed effectively.