Understanding the Importance of Third-Party Risk Management
Check out the Responsible Cyber website: Cybersecurity and Risk Management.
Supply chain security incidents have become a regular occurrence, dominating headlines and causing concern for organizations worldwide. From software intrusions like SolarWinds and Okta to supply chain attacks such as the one experienced by Toyota, the frequency of these breaches is alarming. Recently, Microsoft announced an intrusion that involved a compromised key granting unauthorized access to customer data. With the relentless pace of third-party attacks, security teams are left wondering what could possibly happen next.
In response to these growing threats, organizations are realizing the need to prioritize their third-party risk management (TPRM) efforts. By leveraging best practices guidance and benchmarks, they can strengthen their TPRM programs and mitigate the risks associated with third-party relationships. One common source of guidance is the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF), which has recently undergone significant changes in its version 2.0.
In this post, we will explore the most significant updates to the NIST CSF related to TPRM and supply chain risk management (C-SCRM). We will also review the core functions of the CSF and provide recommendations for implementing it as part of your TPRM program.
NIST CSF Version 2.0 and its Impacts on TPRM
One of the notable changes in the NIST CSF version 2.0 is the introduction of the “Govern” function. This function emphasizes the critical role of cybersecurity governance in managing and reducing cybersecurity risks in supply chains. Previously, governance content was scattered across other functions like Identify, Protect, Detect, Respond, and Recover. With the update, these governance activities have been consolidated into the Govern function.
The Govern function now encompasses activities such as determining priorities and risk tolerances, assessing cybersecurity risks and impacts (including for third parties), establishing policies and procedures, and understanding cybersecurity roles and responsibilities. According to NIST, these activities are crucial for detecting, responding to, and recovering from cybersecurity events and incidents. Additionally, they help oversee teams responsible for cybersecurity activities within the organization. The inclusion of a dedicated governance function helps align and integrate third-party cybersecurity activities across TPRM, enterprise risk management, and legal teams.
In line with the addition of the Govern function, CSF 2.0 highlights the importance of legal and compliance teams in TPRM. These teams require accurate and timely reporting from suppliers, vendors, and other third-party organizations that have access to sensitive data, systems, and applications. By actively involving legal and compliance teams in TPRM efforts, organizations can ensure that contractual obligations and regulatory requirements are met while effectively managing third-party risks.
Perhaps the most impactful update in CSF 2.0 for TPRM teams is the enhanced guidance on managing supply chain risks. CSF 2.0 introduces additional cybersecurity supply chain risk management (C-SCRM) outcomes to help organizations address these unique risks. The primary objective of C-SCRM is to extend appropriate first-party cybersecurity risk management considerations to third parties, supply chains, and the products and services acquired by an organization.
The supply chain risk management category has been expanded into the new Govern function and includes provisions that incorporate cybersecurity into contracts, contract termination, and continuous evaluation of third-party risks throughout the organization’s environment. By integrating C-SCRM practices into their TPRM programs, organizations can proactively identify, assess, and mitigate supply chain risks, thereby strengthening their overall cybersecurity posture.
Implementing the NIST CSF for Effective TPRM
To effectively implement the NIST CSF as part of your TPRM program, consider the following best practices:
1. Understand the CSF Core Functions: Familiarize yourself with the core functions of the CSF: Identify, Protect, Detect, Respond, and Recover, plus the Govern function added in version 2.0. These functions provide a framework for managing cybersecurity risks and can be tailored to address third-party risks specifically.
2. Align with the Govern Function: Leverage the new Govern function to establish robust cybersecurity governance practices within your organization. This includes determining priorities and risk tolerances, assessing risks, establishing policies and procedures, and clarifying roles and responsibilities. Ensure that these practices are integrated across TPRM, enterprise risk management, and legal teams.
3. Engage Legal and Compliance Teams: Involve legal and compliance teams in your TPRM efforts to ensure that contractual obligations and regulatory requirements are met. Collaborate with these teams to establish accurate reporting mechanisms and to address any legal or compliance-related concerns associated with third-party relationships.
4. Emphasize Supply Chain Risk Management: Pay particular attention to the enhanced guidance on supply chain risks provided in CSF 2.0. Incorporate C-SCRM practices into your TPRM program, including cybersecurity considerations in contracts, contract termination clauses, and continuous evaluation of third-party risks. This will help you effectively manage and mitigate the unique risks associated with your supply chain.
By following these best practices and leveraging the updated NIST CSF, organizations can enhance their TPRM programs and effectively address the evolving challenges posed by third-party risks and supply chain vulnerabilities. Implementing a comprehensive TPRM strategy is crucial for safeguarding sensitive data, protecting critical systems, and maintaining the trust of customers and stakeholders in an increasingly interconnected business landscape.