

Risk in Context

Why You Need to Build Cybersecurity Into Third-Party Relationships and How to Do It

Posted by Tom Fuhrman October 06, 2015

When it comes to managing cyber risk, most organizations think about their own vulnerabilities but stop short of considering their third-party relationships. Yet cyber criminals have launched some of the most damaging attacks of the past few years through third parties. Even so, only about one-third of risk professionals say they examine the cybersecurity measures in place at third-party partners, according to a survey taken during Marsh’s recent The New Reality of Risk® webcast.

We asked: “Do you assess the cyber risk management controls at suppliers, customers, and others with which you do business?” The responses from our 300 respondents were:

  • 36% said yes.
  • 30% said no.
  • 34% said they were not sure.

Even those who do such checks need to ask themselves: Do we really understand and manage these risks?

Because third-party relationships involve a degree of trust between you and a vendor, they are especially attractive to criminals. For example, a trust relationship may enable a threat actor to exploit the vendor’s access credentials to enter your network. Or it may mean that a partner holds valuable information about your organization; if the partner's network is hacked, your data is at risk.

Here are five steps to help combat the problem:

  1. Understand the scope. Who has access to your network? In a typical enterprise this might include providers of infrastructure services, software-as-a-service, content hosting services, vendors, contractors, and others.
  2. Develop a complete inventory of providers. Include details about their services, access, and security provisions in contracts and service agreements.
  3. Clean up the agreements. Too often, the cybersecurity responsibilities of the outsource provider are not detailed in the service agreement. For example, what security controls do they have? How well is network security managed? Who will have access to your information resources?
  4. Tighten access management. It’s not enough to know who is accessing your network — you must ensure their access rights are tightly managed. And access management must be addressed as more than just an IT issue: Human resources, legal, risk management, and security need to be involved, along with the business units from which the requirements stem.
  5. Monitor and manage the relationship. Outsource providers are understandably reluctant to be subjected to intrusive inspections of their security controls from their customer base. However, the new reality is that customers — as well as regulators — now require companies to do a better job of understanding and managing the risks they inherit from their external relationships.

Managing cyber risk comprehensively requires continued vigilance, including over your suppliers, vendors, and partners. Fortunately, there is a movement toward more transparency and independent attestation of the cybersecurity controls of providers.

To hear more about cyber risk management, listen to a replay of our The New Reality of Risk webcast.


Tom Fuhrman

Managing Director, Marsh Risk Consulting