Know your partners

Third-party risk

The time is now to double down on your security. This year expect dark lines to be drawn. Organizations will evaluate the cyber risks arising from their supply chains in new ways and with heightened concern.

If certain standards cannot be met, contracts will not be signed. The reasoning is simple. It takes just one undefended back door to compromise business viability – most recently illustrated by the supply chain compromising Accellion’s legacy file-sharing program, and SolarWinds' Orion network management software. For-profit, non-profit, academia, government – all organizations are interconnected, and COVID-19 forced more dependency on third-parties as organizations scrambled to meet digital demands. The march towards Central Processing Units (CPUs) and hybrid computer chips with software components is also ushering in new risk. Compromise one version of a chip, and a hacker now has potential access to thousands of organizations. Even knowing all of this, organizations may be hard-pressed to actually assess the vulnerability and security of their supply chains. The static approach of relying on the unverified and untested responses supplied to a 500-question risk assessment may no longer be enough. So, what can your organization do? Third-party source code review may be an option but will likely be resisted and beyond the abilities of many. Assessments and certifications by trusted neutral third-parties may become best practice. A comprehensive controls assessment, combined with risk quantification and insurance planning, is a start. But managing third-party risk truly demands a continuous assurance model, with ongoing cyber scanning and threat hunting, for example via red teaming. Organizations must also become prepared to respond, and are tasked with choosing the right incident response vendor. Quality varies, and insurers are demonstrating less flexibility in the use of non-panel or pre-agreed vendors.

Organizations are not ready to assess and manage third-party risks.

Explore key risks arising from supply chains, map them to key cyber security controls, and determine actions your organization can take to close cyber security gaps.

Click the security domains below to learn more.

*Aon's Cyber Quotient Evaluation (CyQu) is a comprehensive cyber risk assessment that evaluates cyber risk across 9 security domains and 35 critical control areas.

3 | Concentrate on controls