As organizations rely increasingly on an interconnected network of third parties, they are exposed to a growing range of risks. A 2020 Ponemon survey found that a typical enterprise has an average of 5,800 third parties, and the number is expected to grow by 15 percent this year. As the third-party network of an organization expands, so does the number of potential points of failure.
Companies often have to share sensitive information with third-party vendors that supply business-critical goods and services, and a data breach at any such vendor can have a deleterious effect on the organization. Recent incidents, such as the security breaches at Microsoft and Accellion and the SolarWinds hack, are unfortunate reminders of how third-party risks can expose multiple organizations to illicit actors and impede their operations. Moreover, in this digital era and hyper-connected business environment, a security lapse at even a small enterprise can have far-reaching and disastrous consequences.
As such, implementing an effective third-party risk management (TPRM) program has become critical for today’s extended enterprise. The objective is to identify and mitigate the business, operational and cyber risks associated with third, fourth, and subsequent parties, including security breaches, supply chain disruptions, unethical actions, poor performance, financial impact, and more.
TPRM Key Considerations
There are certain must-haves when it comes to a robust TPRM framework:
Implementing a centralized, technology-based TPRM solution that streamlines and digitizes these processes has become vital for organizations to mitigate third-party risks efficiently. MetricStream Third-Party Risk Management provides organizations with an integrated, real-time view of the extended enterprise and helps automate the associated processes, including information gathering, onboarding, continuous monitoring, risk, compliance and control assessments, and risk mitigation.
The MetricStream Arno release enhances the BitSight integration, enabling proactive identification and mitigation of cybersecurity risks in the extended enterprise. When setting up the due diligence task, organizations can now define one of the stages as an information security risk assessment using BitSight content. The review task is triggered as part of the due diligence workflow; the information security score and rating from BitSight can be reviewed and the risk mitigation steps documented.
Furthermore, organizations can leverage BitSight infosec ratings to continuously monitor third-party risks. They can subscribe to regular or periodic alerts from BitSight for chosen third parties and define rules to automate review task assignment: when the BitSight score of a monitored third party changes, a notification is sent automatically so that the user can review the change and take further action.
To know more about BitSight content integration, register for the live webinar here.