NEW TECH: This free tool can help gauge, manage third-party cyber risk; it’s called ‘VRMMM’

By Byron V. Acohido

Late last year, Atrium Health disclosed it lost sensitive data for some 2.65 million patients when hackers gained unauthorized access to databases operated by a third-party billing vendor.

Turn the corner into 2019 and we find Citigroup, CapitalOne, Wells Fargo and HSBC Life Insurance among a host of firms hitting the crisis button after their customers’ records turned up in a database of some 24 million financial and banking documents found parked on an Internet-accessible server — without so much as password protection. The culprit: lax practices of a third-party data and analytics contractor.

Related: Atrium Health breach highlights third-party risks

One might assume top-tier financial services firms and healthcare vendors would have solved third-party cyber exposures by now. But the truth of the matter is, companies of all sizes and in all sectors remain acutely vulnerable to attack vectors laid open by third-party contractors. And this continues to include enterprises that have poured a king’s ransom into hardening their first-party security posture.

What’s happening is that supply chains are becoming more intricate and far-flung the deeper we move into digital transformation and the Internet of Things. And opportunistic threat actors are proving adept as ever at sniffing out the weak-link third parties in any digital ecosystem.

Mike Jordan, senior director of the Shared Assessments Program, a Santa Fe, NM-based intel-sharing and training consortium focused on third-party risks, points out that at least one of the banks that had data exposed in this latest huge data leak wasn’t even a customer of the allegedly culpable contractor.

“Hacked subcontractors or downstream service providers can harm companies that have no business relationship with each other,” Jordan told Last Watchdog. “Individuals can even be affected by parties with whom they have no explicit relationships, such as credit bureaus and data brokers.”

Uphill battle

Third-party cyber risks are likely to persist at the current scale for a while longer. According to a recent Ponemon Institute study, some 59% of companies experienced a third-party data breach in 2018, yet only 16% believe they are effectively mitigating third-party risk. There is impetus for change – beyond the fear of sustaining a major data breach. New York state’s Cybersecurity Requirements for Financial Services Companies, which took effect last March, includes provisions that require financial services companies to ensure the security of the systems used by their third-party suppliers.

And the comprehensive set of data-handling rules that Europe rolled out last year also calls out the need to address third-party risk. These include the new framework for commercial data exchange between the United States and the European Union, referred to as the EU-U.S. Privacy Shield, as well as the new EU privacy rules known as General Data Protection Regulation or GDPR.

However, even in the face of intensifying compliance requirements, large enterprises face an uphill battle trying to compel third-party contractors sprawled across overlapping supply chains to embrace secure data-handling best practices.


I was cognizant of these complexities when I sat down with Mike Jordan to learn more about the member-driven Shared Assessments Program, which finds itself in a unique position to help stem the tide of rising third-party cyber risks – and one day, perhaps, even help to reverse it.

Shared Assessments was created in 2005 by five big banks and the Big Four accounting/consulting firms as a forum for deriving a standardized way to assess the risks of partnering with one another. The founding participants developed assessment regimes and tools, all having to do with measuring and assessing, essentially, third-party risks. It was a natural step to expand and evolve these protocols and tools, and to invite companies from other sectors to participate.

The program grew over the years into what it is today, a collaborative consortium of professionals from the banking, investing, insurance, healthcare, retail and telecom industries as well as academics and GRC (governance, risk management and compliance) specialists. Shared Assessments equips its members to lead their organizations – and their organizations’ partners — in mitigating third-party IT security risks in several ways.

Advancing best practices

Members gain access to third-party IT security risk management best practices via case studies, surveys, whitepapers, webinars, meetings and conferences. And they can partake of comprehensive training programs that provide certification in third-party IT security risk management.

Jordan told me the goal is to “get everybody together and advance the practice of third-party risk management. The focus is on understanding what is needed for effective third-party risk management, identifying it quickly, and coming up with solutions from the membership.”

The consortium recently issued its 2019 Shared Assessments Third Party Risk Management Toolkit – an extensive set of tools and guides designed to serve as a roadmap to manage the full vendor assessment relationship life cycle.

The beauty of this toolkit is that it is informed by consortium members worldwide. This intelligence ecosystem, if you will, provides tips and tools to guide risk management practitioners at all phases, from program planning, to building and capturing assessments, to benchmarking and ongoing program evaluation.

Take, for instance, the Vendor Risk Management Maturity Model, or VRMMM. This tool set is designed to evaluate third-party risk assessment programs against a comprehensive set of best practices. It translates into an effective, consistent way to understand the major building blocks of any vendor risk management program.

Broken into eight categories, VRMMM covers more than 200 program elements that, in effect, form the basis of a well-run third-party risk management program. And perhaps the very best thing about it is that it’s a free tool any company can use.

Another initiative of note is the set of Standardized Information Gathering (SIG) Questionnaire Tools.

The SIG employs a holistic set of industry best practices for gathering and assessing 18 critical risk domains and corresponding controls, including information technology, cybersecurity, privacy, resiliency and data security risks. It helps outsourcers gather “trust” components on third parties, in the form of succinct, scoped initial assessment information on a third party’s controls.

Model sharing

There’s no question that third-party risks at this moment present a vexing, potentially catastrophic exposure to any organization plugged into Internet-centric supply chains. That said, the work Shared Assessments has been doing gets down to the devil in the details. One benefit of benchmarking is the ability to track progress using a consistent index over an extended period of time.

Shared Assessments is putting the final touches on its fifth annual Vendor Risk Management Benchmark Study, based on real-world data generated by its members in 2018; findings are expected to be ready in a few weeks. Last year’s study, which looked at 2017 data, showed steady, incremental year-over-year gains, painting an overall encouraging picture.

Maturity levels in eight different vendor risk management categories contained in the VRMMM either held steady in 2017, or increased modestly, compared to 2016. That included five of eight categories improving in average maturity on a year-over-year basis. And numerous vendor risk activities within two categories – “vendor risk identification and analysis” and “skills and expertise” – posted major improvements.
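The benchmarking idea described above (score each program element, average per category, then compare the same index year over year) is easy to reproduce in a small calculator. The following Python is an added example written for this page; it is not a Shared Assessments tool and does not reproduce VRMMM. Its assumptions, none of which come from the article, are a 0–5 maturity scale per element, category maturity as the mean of element scores, and eight categories of which only two names (“vendor risk identification and analysis” and “skills and expertise”) are taken from the text, the other six being placeholders. The 2016/2017 scores are constructed sample data.

```python
"""Maturity benchmark calculator (added example, not a Shared Assessments tool).

Assumptions, not taken from the article:
  * each program element is scored on a 0..MAX_LEVEL maturity scale;
  * a category's maturity is the mean of its element scores;
  * eight categories; two names come from the article, six are placeholders.
"""
from statistics import mean
from typing import Dict, List

MAX_LEVEL = 5  # assumed ceiling of the maturity scale

# Constructed sample data: element-level scores for the same index in two years.
SCORES_2016: Dict[str, List[int]] = {
    "vendor risk identification and analysis": [2, 2, 3, 2],
    "skills and expertise": [1, 2, 2, 1],
    "placeholder_category_3": [3, 3, 3, 3],
    "placeholder_category_4": [2, 3, 2, 3],
    "placeholder_category_5": [3, 4, 3, 4],
    "placeholder_category_6": [2, 2, 2, 2],
    "placeholder_category_7": [4, 4, 4, 4],
    "placeholder_category_8": [3, 3, 2, 2],
}
SCORES_2017: Dict[str, List[int]] = {
    "vendor risk identification and analysis": [3, 4, 4, 3],
    "skills and expertise": [3, 3, 3, 2],
    "placeholder_category_3": [3, 3, 3, 3],
    "placeholder_category_4": [3, 3, 3, 3],
    "placeholder_category_5": [3, 4, 4, 4],
    "placeholder_category_6": [2, 2, 2, 2],
    "placeholder_category_7": [4, 4, 4, 4],
    "placeholder_category_8": [3, 3, 3, 2],
}


def validate(scores: Dict[str, List[int]]) -> None:
    """Reject empty categories and scores outside the assumed 0..MAX_LEVEL scale."""
    for cat, elems in scores.items():
        if not elems:
            raise ValueError(f"{cat}: no element scores")
        for s in elems:
            if not 0 <= s <= MAX_LEVEL:
                raise ValueError(f"{cat}: score {s} outside 0..{MAX_LEVEL}")


def category_maturity(scores: Dict[str, List[int]]) -> Dict[str, float]:
    """Average the element scores of each category, rounded to two decimals."""
    validate(scores)
    return {cat: round(mean(elems), 2) for cat, elems in scores.items()}


def year_over_year(prev: Dict[str, List[int]], curr: Dict[str, List[int]],
                   tolerance: float = 0.05) -> Dict[str, Dict[str, object]]:
    """Compare two years on the same category index.

    A comparison is only meaningful if both years use the same categories; a
    mismatch means the index changed and the trend would be noise, so it is
    rejected. Deltas within +/- tolerance count as "held steady".
    """
    prev_m, curr_m = category_maturity(prev), category_maturity(curr)
    if set(prev_m) != set(curr_m):
        raise ValueError("category sets differ; index is not consistent across years")
    result: Dict[str, Dict[str, object]] = {}
    for cat in sorted(curr_m):
        delta = round(curr_m[cat] - prev_m[cat], 2)
        if delta > tolerance:
            trend = "improved"
        elif delta < -tolerance:
            trend = "declined"
        else:
            trend = "held steady"
        result[cat] = {"previous": prev_m[cat], "current": curr_m[cat],
                       "delta": delta, "trend": trend}
    return result


def summarize(comparison: Dict[str, Dict[str, object]]) -> Dict[str, int]:
    """Count how many categories improved, held steady or declined."""
    counts = {"improved": 0, "held steady": 0, "declined": 0}
    for row in comparison.values():
        counts[str(row["trend"])] += 1
    return counts


if __name__ == "__main__":
    comparison = year_over_year(SCORES_2016, SCORES_2017)
    for cat, row in comparison.items():
        print(f"{cat:42s} {row['previous']:>5} -> {row['current']:>5} "
              f"({row['delta']:+.2f}, {row['trend']})")
    print(summarize(comparison))
```

Keeping the category index fixed between years is what makes the trend line trustworthy; the `year_over_year` check refuses to compare two years whose category sets differ, which is the usual way a benchmark quietly stops measuring the same thing.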

The study also found that board members’ engagement with cybersecurity risks increased in meaningful ways, though that engagement continued to lag behind cybersecurity awareness inside the organizations.

In today’s ultra-competitive business environment, what Shared Assessments is doing should be considered a model for how to share valuable knowledge for the greater good. Clearly the wide sharing of proven best practices and real-time threat intelligence must become much more commonplace.

When it comes to third-party risks, Shared Assessments is demonstrating how it can make a measurable difference in deterring both malicious threat actors and well-intentioned employees who inadvertently create exposures. Jordan put it well: “Our tools are basically just a very practical application of the thought leadership that takes place within the membership organization.”

(Editor’s note: LW provides consulting services to some of the organizations included in our coverage.)
