Managing third-party risks? Here’s how a holistic approach can help


This article is brought to you thanks to the collaboration of The European Sting with the World Economic Forum.

Authors: Ali H. Asseri, Head, Cybersecurity Risk Management, Saudi Aramco; Mansur Abilkasimov, Director, Cybersecurity Governance, Schneider Electric; Dennis Frio, Managing Director, PwC; Filipe Beato, Lead, Centre for Cybersecurity, World Economic Forum


  • Supply chain attacks affect multiple global victims at once and have large economic and operational consequences;
  • The hyper-connectivity of industries makes it imperative for supply chain stakeholders to collaborate and align their third-party risk governance practices, especially when 60% of organizations have to manage more than 1,000 suppliers;
  • A collaborative, aligned and holistic approach is required to streamline the process and mitigate future risks while delivering cost and time efficiencies, multi-dimensional risk coverage and increased transparency.

Recent supply chain attacks that compromised multiple large organizations across various industries have had dramatic operational, financial and reputational consequences. These events do not affect only the direct victim but every stakeholder in the value chain, and they demonstrate the importance of taking a collaborative and holistic approach to managing third-party risks.

Managing third-party risks is challenging owing to the large number of suppliers that organizations have to onboard and manage (60% of organizations work with more than 1,000 third parties). Companies may also have diverging requirements because of the specificity and complexity of their business and business model. In the oil and gas industry, for example, the fast-paced digitization of manufacturing companies heightens the complexity of governing risk stemming from third parties within their supply chain.

Most third-party risk management approaches depend on the organization's internal setup, culture and priorities. Current processes and requirements in the industry are still conservative and rely on resource-intensive methods. This hinders their ability to scale, because every new business engagement adds overhead, including the effort needed to onboard young organizations and start-ups with novel technologies.

Figure: Third-party risks in the oil and gas industry

Collaborative action and a holistic approach across stakeholders in the supply chain provide multiple benefits to organizations.

Figure: The benefits of a holistic approach to risk management

The Cyber Resilience Oil and Gas community at the World Economic Forum defined such an approach, based on four crucial recommendations for assessing, evaluating and monitoring third-party risks. These recommendations align the expectations that different stakeholders in the oil and gas industry have of each engagement.

We encourage organizations to consider the following four recommendations when managing third-party risks:

Recommendation 1: Establish common cybersecurity baseline requirements with third parties by following 10 key principles:

  • Govern third-party risk by establishing clear roles and responsibilities within the organization, as well as ownership of each risk;
  • Develop the cyber-literacy and education of employees who handle third parties;
  • Establish access controls and management of critical assets for both employees and third-party contractors;
  • Implement change and configuration management specifically for the assets, information and facilities that fall within the third party's scope of engagement;
  • Require secure-by-design and secure-by-default systems, services and interfaces;
  • Maintain response and recovery mechanisms by ensuring that incident management, business continuity management (BCM) and disaster recovery planning (DRP) are in place, up to date and tested regularly against scenarios derived from threat intelligence and consequence-driven analysis;
  • Protect critical information while complying with relevant regulations and policies;
  • Secure operational and physical environments by using leading safety practices;
  • Implement a secure development lifecycle for products, systems and tools;
  • Provide support for vulnerability management and patching.

Recommendation 2: Define and adopt an evaluation approach that depends on the level of risk of the products and services supplied, combining several evaluation methods. Choose the combination according to the scalability and coverage of each method so that the overall risk coverage is optimal.

Figure: An approach for evaluating risk management

Recommendation 3: Continuously monitor and revise all third parties depending on the level of risk to the organization.

  • Agree on organization-wide standard cybersecurity contractual terms and conditions, using existing industry baseline language (for example, minimum cyber-requirements for all third parties) where possible;
  • On top of the standard terms and conditions, institute more elaborate enhanced contractual terms based on the product/service type and how critical it is (for example, for IT and cloud vendors, operational technology organizations and marketing);
  • Use segmentation criteria or an internal inherent-risk approach to assess the risks and determine the level of enhanced terms and conditions needed;
  • Consider the issues identified during the assessment process before executing the contract, so that the terms and conditions can be adjusted for any change in risk;
  • Engage risk subject-matter experts and the legal department throughout the negotiation process as an escalation path for clause negotiation.

Recommendation 4: Share, engage and continuously communicate with supply chain stakeholders in order to identify, monitor and mitigate cyber-risks more quickly and as a team.

  • Set a cadence for reviewing the risk rating of each third party in order to capture any change in its risk profile or scope of engagement;
  • Periodically review, on a risk basis, the nature, timing and extent of continuous monitoring activities;
  • Define criteria that trigger ad-hoc assessment and audit activities and, where possible, automate the process;
  • Embed cybersecurity in business reviews with third parties and communicate continuously on the evolving risks and threat landscape;
  • Define reporting mechanisms that raise awareness and ensure timely and informed decisions by the board and senior leadership, from oversight meetings to a performance scorecard and more.

To reach a cyber-resilient environment through a collaborative and risk-informed approach, the Cyber Risk Resilience in Oil and Gas community has put forward a list of 39 baseline requirements and a common assessment approach to increase cybersecurity maturity and improve the effectiveness of third-party risk management across the industry. This represents the first step of industry collaboration on this issue. Will you align with this initiative?
