The Security Ledger Podcast

The Security Ledger Podcast


Spotlight Podcast: Rethinking Your Third Party Cyber Risk Strategy

September 11, 2019

Third party cyber risk is growing. Despite that, most companies are unprepared to address it in a systematic way. In this Spotlight Podcast, a companion to our new eBook, Rethinking Third Party Cyber Risk Management, we go deep on the topic of building a mature third party cyber risk program with Dave Stapleton the Director of Assessment Operations at the firm CyberGRX* and Jon Ehret, the President & Co-Founder of Third Party Risk Association. 

Third party cyber exposure is a growing cost center for organizations. There are lots of reasons for this. Consider the emergence of strict data privacy and security regulations in recent years including the European Union’s General Data Privacy Regulation (GDPR) and like-minded laws like the California Consumer Privacy Act and the New York State Information Security Breach and Notification Act.

In recent years, these laws and others have imposed substantial fines on companies found mishandling sensitive data. That means that, for companies holding onto personally identifiable information, the cost of ignoring third party risk is growing. 

Jon Ehret is the CEO and founder of the Third Party Cyber Risk Association

In just one example, the hotel chain Marriott was fined £99 million ($123 million) in 2019 under GDPR for a 2014 breach of a reservation system at the hotel chain Starwood that affected 339 million customers. (Marriott acquired Starwood in 2016.) In a statement accompanying the fine, UK Information Commissioner Elizabeth Denham said that GDPR’s protections for personal data mean that companies must “carr(y) out proper due diligence when making a corporate acquisition, and pu(t) in place proper accountability measures to assess not only what personal data has been acquired, but also how it is protected.”

Marriott is hardly the only company (or even the only hospitality company) to suffer from a third party breach. Absent robust tools to manage their third-party relationships, organizations of all kinds struggle to scale inefficient processes to meet the new demands of regulators and business partners for third party risk assessments. A survey of 600 IT professionals by The Ponemon Institute found that companies spend an average of $2.1 million annually vetting third parties. Still, more than two thirds of those IT pros said the processes they use to do so are only somewhat effective or not effective at all. 

Download our new ebook: Rethinking Third-Party Cyber Risk Management

For our new ebook: Rethinking Third Party Cyber Risk Management, Security Ledger interviewed IT risk professionals across industries. They told us that high costs and limited scale characterize third-party cyber risk management programs in their sector. As a result, many have languished, even as the need for them has grown.  

In conversations with leading risk and security professionals about their third-party cyber risk practices, many described legacy programs focused on regulatory compliance and questionnaires – whether paper-based or online.  “Ten or 15 years ago (third-party risk management) was basically a Word document with questions tha...