Managing third-party risks? Here’s how a holistic approach can help

This article is brought to you thanks to the collaboration of The European Sting with the World Economic Forum.

Author: Ali H. Asseri, Head, Cybersecurity Risk Management, Saudi Aramco, Mansur Abilkasimov, Director, Cybersecurity Governance, Schneider Electric, Dennis Frio, Managing Director, PwC, Filipe Beato Lead, Centre for Cybersecurity, World Economic Forum

• Supply chain attacks affect multiple global victims and have large economic and operational consequences;
• The hyper-connectivity of industries makes it imperative for supply chain stakeholders collaborate and align third-party risk governance practices, in particular when 60% of organizations have to manage more than 1,000 suppliers;
• A collaborative, aligned and holistic approach are required to streamline the process and mitigate future risks while delivering cost and time efficiencies, multi-dimensional risk coverage and increased transparency.

Recent supply chain attacks compromising multiple large organizations across various industries have had dramatic operational, financial and reputational consequences. These events don’t just affect the victim, but all stakeholders in the value chain and demonstrate the importance of taking a collaborative and holistic approach when managing third-party risks.

Managing third-party risks is challenging owing to the large number of suppliers that organizations have to onboard and manage (60% of organizations work with more than 1,000 third parties). Companies may have diverging requirements due to the singularity and the complexity of their business and business model. In the oil and gas industry, for example, the fast-paced digitization of manufacturing companies heightens the complexity of governing risk stemming from third parties within their supply chain.

Most third-party risk management approaches depend on the organization’s internal setup, culture and priorities. Current processes and requirements in the industry are still conservative and use resource-intensive methods. This hinders their ability to scale as it leads to additional overheads in terms of business engagement, including from building the capacity to onboard young organizations and start-ups with novel technologies.

Collaborative action and a holistic approach across stakeholders in the supply chain will provide multiple benefits to organizations.

The Cyber Resilience Oil and Gas community at the World Economic Forum defined such an approach based on four crucial recommendations to assess, evaluate and monitor third-party risks. These recommendations align the expectations of engagement from different stakeholders in the oil and gas industry.

We encourage organizations to consider the four following recommendations when managing third-party risks:

Recommendation 1: Establish common cybersecurity baseline requirements with third parties by following 10 key principles:

• Govern third parties’ risk by establishing clear roles and responsibilities within the organization as well as ownership of risks;
• Develop the cyber-literacy and education of employees handling third parties;
• Establish access controls and management of critical assets for both employees and third-party contractors;
• Implement change and configuration management specifically on the assets, information and facilities falling under the third party’s scope of engagement;
• Require secure-by-design and by-default systems, services and interfaces;
• Maintain response and recovery mechanisms by ensuring incident management, business continuity management (BCM) and disaster recovery planning (DRP) are in place, up-to-date and tested regularly following scenarios derived from intelligence and consequence-driven analysis;
• Protect critical information while aligning with relevant regulations and policies;
• Secure operational and physical environments by using leading safety practices;
• Implement a secure development lifecycle of products, systems and tools;
• Provide support for vulnerability management and patching.

Recommendation 2: Define and adopt an evaluation approach depending on the level of risk of products and services from suppliers by combining different evaluation methods. Make the choice by combining several methods based on the scalability and coverage for optimal risk coverage.

Recommendation 3: Continuously monitor and revise all third parties depending on the level of risk to the organization.

• Agree on organizational-level standard cybersecurity contractual terms and conditions, using existing industry baseline language (for example, minimum cyber-requirements for all third parties) where possible;
• On top of the standard contractual terms and conditions, institute more elaborate enhanced contractual terms based on the product/service type and how critical it is (for example, for IT and cloud vendors, operational technology organizations and marketing).
• Use segmentation criteria or an internal inherent risk approach to assess the risks and determine the level of enhanced terms and conditions needed;
• Consider the issues identified during the assessment process before executing the contract in order to adjust the terms and conditions for any changes in risk;
• Engage with risk subject matter experts and the legal department throughout the negotiation process as an escalation path for clause negotiation.

Recommendation 4: Share, engage and continuously communicate with supply chain stakeholders to identify, monitor and mitigate cyber-risks more quickly and as a team.

• Set a cadence to review the risk rating of the third party in order to capture any change in its risk profile or scope of engagement;
• Perform a continuous and risk-based review of the nature, timing and extent of continuous monitoring activities;
• Define criteria that would trigger ad-hoc assessment and audit activities, and if possible, automate the process;
• Embed cybersecurity in business reviews with third parties and continuously communicate on the evolving risks and threat landscape;
• Define reporting mechanisms to raise awareness and ensure timely and informed decisions by board and senior leadership, from oversight meetings to a performance scorecard and more.

To reach a cyber-resilient environment via a collaborative and risk-informed approach, the Cyber Risk Resilience in Oil and Gas community put forth a list of 39 baseline requirements and a common assessment approach to increase cybersecurity maturity and improve the effectiveness of how third-party risk is managed across the industry. This represents the first step of industry collaboration on this issue – will you align to this initiative?