Third party/vendor risk management and risks:
ItNews reported the University of Wollongong’s Professor Alex Frino’s new research stating, “the media usually breaks the news of security breaches first.”
As part of Professor Frino’s study, he compiled a database of cyber security incidents and their impact on stock prices. Although only in draft form, Professor Frino’s paper backs up existing evidence of the risk and exposure that third parties and vendors create for the organisations associated with them, in particular cyber breaches that set out to compromise a third party or vendor with the intention of bringing major disruption and financially crippling it. Other reports have identified that this type of cybercrime is on the rise:
IBM’s 2022 Cost of a Data Breach Report noted an increased cost and time of discovery arising out of third-party-caused data breaches. As the research found, nearly one-fifth of breaches were caused by a supply chain compromise and these compromises made breaches more expensive and resulted in longer lifecycles.
SecurityScorecard and the Cyentia Institute worked together to determine the factors that exacerbate third and fourth-party risk, collating and analysing data on over 230,000 organisations from SecurityScorecard’s Automatic Vendor Detection.
A significant finding from the report was that 98.3% of organisations are associated with, or have an existing relationship with, at least one third party that has experienced a breach in the last two years. Additionally, 50% of organisations have indirect relationships with at least 200 fourth parties that have had breaches in the last two years.
The Australian Cyber Security Centre’s (ACSC) most recent annual Cyber Threat report highlights the ways in which threat actors use different tactics for cyber-attacks on supply chains, knowing the disruption it will cause.
According to Blackberry's research, four in five IT security professionals were aware of an attack or vulnerability in their supply chain in the last 12 months. Additionally, 80% of organisations across Australia were notified of a vulnerability or attack within their software supply chain.
“Compared to the global average, Australia suffered the highest rates of operational compromise and data loss. It proves cyber-security must go far beyond vendor trust.”
What has been less clear, until now, is the role that those compromised third parties are playing, specifically whether they are being transparent about the events occurring. Professor Frino’s preliminary research provides tangible evidence of organisations seeking, for as long as possible, to keep breaches and events confidential, an act that can have significant consequences for organisations and people unknowingly impacted.
Medibank’s half-yearly results invariably addressed its well-publicised 2022 cyber event and associated data breach. Further insight into the event has, for the first time, outlined that the threat actor obtained the user ID and password used as part of the intrusion from a third-party IT services contractor.
What may surprise some is the significant direct cost incurred from the event, with a $26 million half-year hit declared and an expectation that this will climb to between $40 million and $45 million over the full year. The intangible costs are estimated to be significantly more.
A deeper dive:
Whilst outsourcing services or products is beneficial, and an essential and undeniable part of doing business in the modern economy, it carries risk. Unlike the services rendered, the risk and liability cannot be outsourced.
If a third party fails to deliver or suffers a breach, the organisation that utilises the vendor will face the consequences. The impact can be fiscally, operationally, reputationally, and contractually significant. Data shared with external parties (a supplier, vendor, contractor, or service provider) can be exposed.
Supply chain attacks have had dramatic effects in the past, such as the SolarWinds hack back in 2020, which saw cybercriminals exploit a vulnerability in the SolarWinds Orion platform that allowed them to impersonate users and accounts of the thousands of companies using it. SolarWinds’ clients included government agencies and multinational corporations. According to Microsoft, the Nobelium hacking group alleged to have carried out the attack gained access to around 3,000 email accounts across 150 organisations. Identifying, assessing, and mitigating third-party risks is critical to ensuring business resilience.
But what do terms like "third party" or "supply chain" mean?
Cyber Supply Chain
Digital Supply Chain
Used interchangeably, these terms refer to the utilisation of third parties for a service, function, or product, and to the chain of further parties those third parties themselves rely on.
Quantifying the exposure:
Referencing again the Cyentia Institute’s research, it is helpful to get a glimpse of the complex web of third and fourth-party relationships for just one small company. The anonymous company chosen in their research, and used by way of example, developed code that plugs into websites to determine what users are doing on the site.
According to Automatic Vendor Detection, about 12,500 organisations have this code running on their sites. Not insignificant, but certainly not universal in the way you will soon see for behemoths like Google and Microsoft. When Cyentia widened the aperture to fourth parties that share a relationship with those 12,500 organisations running the example company’s code, “universal” does indeed become an apt description of the scope of potential exposure. A full 98.7% of the 232,000 organisations in their sample had an indirect, once-removed relationship with this company.
In other words, an organisation may not use the company directly, but it is near-certain that others in its supply chain do. This means that if that code were compromised or subverted for nefarious purposes, the organisation would experience some level of exposure.
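As an added illustration (not code from the Cyentia or SecurityScorecard study), the following Python computes the same direct versus once-removed exposure over a small constructed vendor graph: one hop to the compromised vendor is a third-party relationship, two hops a fourth-party one. All organisation and vendor names are hypothetical.

```python
from collections import deque

# Constructed sample data (hypothetical): organisation -> vendors it uses directly.
# "analytics-co" stands in for the anonymous web-analytics company in the text.
# Some vendors (payroll-p, cloud-x) are themselves organisations with vendors.
DIRECT_VENDORS = {
    "bank-a": {"cloud-x", "payroll-p"},
    "retailer-b": {"analytics-co", "cloud-x"},
    "hospital-c": {"payroll-p"},
    "payroll-p": {"analytics-co", "cloud-y"},
    "cloud-x": {"cdn-z"},
    "law-firm-d": {"cloud-y"},
}


def exposure(graph, compromised):
    """Map each organisation to its hop count to the compromised vendor.

    1 = third party (direct use), 2 = fourth party, and so on.
    Organisations with no path to the vendor are omitted entirely.
    """
    result = {}
    for org in graph:
        # Breadth-first search outward through the vendor relationships,
        # so the first time we reach the target we have the shortest chain.
        queue = deque([(org, 0)])
        seen = {org}
        while queue:
            node, depth = queue.popleft()
            if node == compromised and depth > 0:
                result[org] = depth
                break
            for vendor in graph.get(node, ()):
                if vendor not in seen:
                    seen.add(vendor)
                    queue.append((vendor, depth + 1))
    return result


def summarise(graph, compromised):
    """Count direct (third-party) and indirect (fourth-party or deeper) exposure."""
    hops = exposure(graph, compromised)
    orgs = [o for o in graph if o != compromised]
    direct = sum(1 for o in orgs if hops.get(o) == 1)
    indirect = sum(1 for o in orgs if hops.get(o, 0) >= 2)
    return {"direct": direct, "indirect": indirect,
            "any_pct": round(100 * (direct + indirect) / len(orgs), 1)}
```

Running `summarise(DIRECT_VENDORS, "analytics-co")` shows only two organisations using the analytics vendor directly, yet two-thirds of the sample exposed once indirect chains are counted.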
In 2021, Frontier Software experienced a ransomware attack in which the South Australian Government, the Indigenous Land and Sea Corporation, Workskil, infrastructure business APA Group, and agribusiness Viterra all emerged as victims. The South Australian Government revealed that 80,000 of its employees may have been impacted. Two years later, NSW Health has only recently learned that some of its data was compromised during that 2021 ransomware attack.
In a recent FAQ posted to its website, NSW Health said the breach impacted staff or former staff who were “employed by the Ministry of Health, as a senior executive of NSW Health, or in the Mental Health Review Tribunal, Health Professional Councils Authority, Official Visitors Program, Health Infrastructure, and the previous NSW Institute of Psychiatry between 2001 and 2015.” The data affected by the breach may include name, residential address, telephone number, date of birth, tax file number, BSB, and financial institution (bank) account number. Frontier’s most recent update to customers, 16 months after the initial notification, is a stark reminder of how beholden organisations can be to their digital supply chain.
Customers have been impacted by the Frontier breach to varying degrees, fiscally and reputationally, with most having notified their own customers of a data breach.
Regulatory and D&O Liability focus:
More specifically, we believe regulators’ focus will shift from what organisations are doing with respect to their internal cyber security practices to how they are managing their external, third (and fourth) party exposure, i.e. their digital supply chain. This is foreshadowed by ASIC Commissioner Danielle Press:
"Cyber measures taken should be proportionate to the nature, scale, and complexity of your organisation – and the criticality and sensitivity of the key assets held. This includes the reassessment of cybersecurity risks on an ongoing basis. ASIC also expects this to include oversight of cybersecurity risk throughout your organisation’s digital supply chain."
CPS 230 is another example of ongoing action from Australian regulators to expand the scope of privacy and cybersecurity obligations, and specifically address third-party provider risk management.
APRA is focusing on regulated entities that are placing increased reliance on third parties to undertake critical operations on their behalf. CPS 230 looks to enforce, amongst other obligations, ongoing monitoring, testing, and assurance of the risk management controls implemented by the third-party service providers that regulated entities utilise.
In the US, the Office of Management and Budget has issued deadlines to improve the software supply chain, specifically within government. The directive is for each Federal agency to comply with National Institute of Standards and Technology guidance when using third-party software on the agency’s information systems. The US Office of Management and Budget’s memorandum said:
“Agencies will have to collect attestation for all software subject to the requirements. The software supply chain can be compromised by a deliberate attack, as in the SolarWinds case, or it can be affected by an unintentional flaw that goes undetected for years, as in the case of the Log4j vulnerability.”
So, what is next for third-party risk management? How do we evolve as the utilisation of third and fourth parties increases, and we see large-scale breaches and hacks on a regular basis? There are a few essential elements to addressing third and fourth-party risk.
Fundamentally, third-party/vendor risk management is a program, not a project. It is an ongoing and constantly evolving area of risk and must be addressed that way. Put another way, risk management can never be too comprehensive.
Risk transfer relevance, the Lockton approach:
Ultimately, organisations need an ongoing, focused approach to cyber-risk management that specifically addresses their third-party exposures. Organisations have rightfully focused on improving their own internal security posture over the last few years; however, the time is now to shift focus to reducing their exposure to third parties and vendors.
Businesses must implement solutions to identify, mitigate and monitor their third-party/vendor exposure from a technology and contractual standpoint.
'Inform' involves understanding your business operations and aspirations and your reliance on third parties/vendors. It is then complemented by the design of complete enterprise risk strategies to fit your cyber-security risk management goals.
'Improve' involves tailored, data-driven recommendations to improve risk posture and build resilience.
Finally, and only then, can 'Insure' involve developing an insurance solution that fits your individualised risk, potential exposures, and targeted goals. This needs to focus on implementing a plan that protects your balance sheet, preserves your reputation, and enables growth.
Lockton predicts that third-party/vendor risks, and how insureds are mitigating them, will be a significant focus for insurers in 2023. Insurers are entering 2023 focused on balancing long-term sustainability in the market, specifically seeking to address, in various ways, the key challenges posed by systemic risk. Systemic cyber risk refers to a single cyber event that impacts multiple insureds.
For example, a successful cyber-attack on one part of a digital business system spreads to the other companies operating on it. This is third-party risk defined. Insurers will be specifically addressing and pricing for systemic/third-party exposures. By way of example, some markets are addressing this through specific endorsements that sub-limit coverage for:
cloud provider outages that affect AWS, Azure, Google, and/or IBM and last 72 consecutive hours or more; and
"operating system events" that exploit vulnerabilities in computer operating systems and have a "major detrimental impact" on a sovereign state due to disruption of essential services.
Insureds need to review policy responses specific to this exposure, as insurers seek to sub-limit, restrict coverage, or remove it in its entirety.