Following on from parts one and two of this three-part series, this week's final instalment looks at third-party risk.
3. Third-Party Risk
Third parties can present your greatest area of risk exposure, both for data security and for regulatory compliance. It is therefore important to extend your focus beyond the organization's figurative four walls and consider the impact of your "extended enterprise". The ramifications of the GDPR and the NY requirements broaden significantly once you account for all of the third parties that are essential to your daily operations.
Carefully monitor the security practices of partners and vendors, engaging in third-party due diligence and periodic assessments, to confirm that cybersecurity requirements are met throughout your supply chain and not only at the point of contract signature.
Under the GDPR, third parties that handle personal data on your behalf are regulated "data processors", and are thereby subject to the regulation themselves. For example, if you are a retailer that collects customer information, which you then share with a third-party call center, then under the GDPR you are the data controller and the call center is the data processor; you both need to maintain compliance, and the GDPR requires that the relationship be governed by a written contract setting out the processor's obligations (Article 28). The NY regulations (23 NYCRR Part 500) have an extensive section dedicated to having companies "implement written policies and procedures designed to ensure the security of Information Systems and Nonpublic Information that are accessible to, or held by, Third-Party Service Providers."
Elements of a Third-Party Risk Program
Developing and implementing a third-party risk/compliance program is essential not only to your compliance efforts, but to your overall security posture.
Several key elements of a successful program appear below:
Third-party security tools can enhance your efforts by providing automated vendor risk assessment and continuous vendor threat monitoring. Security scoring tools can also help to assess both third-party security and your own: they apply predictive analytics to risk-assessment data to issue either FICO-like scores or grades ranging from A to F, intended to predict the organization's likelihood of a breach. Because such scores are derived largely from externally observable signals, treat them as a complement to due diligence and contractual controls rather than a replacement for them.
People, Process & Technology
To successfully address data protection and privacy regulations while maintaining a competitive advantage, the three critical components of any enterprise initiative should be well considered: people, process and technology.
Formal security assessments are a best practice, and both regulations require a form of them. The NY requirements call for a "Risk Assessment" to which the overall program and policy are explicitly tied, and the GDPR requires a "Data Protection Impact Assessment" for processing that is likely to result in a high risk to individuals. Professional assessment services can help your organization determine an actionable roadmap for achieving compliance and maturing your overall data protection capabilities.
The Benefits of Being Prepared
For many organizations, building and operating a cutting-edge data protection program hasn't been a top priority. Requirements such as the GDPR and the NY Cybersecurity Requirements are ushering in a new era of accountability, in which every regulated organization that collects, stores and uses sensitive customer data needs to raise the bar to meet new standards. As UK Information Commissioner Elizabeth Denham said during a lecture in January 2017, "We're all going to have to change how we think about data protection." As arduous as this may seem, there are benefits. Organizations that mature their data protection capabilities with robust data-centric security, incident response and third-party risk programs can enhance their brand reputation and are likely to be more resilient going forward. Taking extra care in how you collect, store and use sensitive data will help you stay prepared as the regulatory landscape continues to evolve, and will reduce the likelihood and impact of data breaches on your business.
This blog was originally published by our partner Forsythe.