Corporations have typically relied on cyber risk ratings to analyze the risk third parties have on their organization. However, risk ratings miss an important piece of the risk analysis process since they analyze the third-party’s risk in isolation, and do not take into consideration your organization and its unique characteristics of engagement with each third party.
Risk scores, on the other hand, are a different way of measuring risk which reflects and focuses on the corporation’s own risk due to working with any given third party as opposed to the third-party’s risk to itself.
No business is an isolated island. Whether you work in finance or hospitality, agriculture, healthcare, or any other sector, you undoubtedly interact with various third parties – suppliers, partners, customers, and others – perhaps thousands of them. By necessity, doing so involves sharing sensitive regulated information – whether it’s PII (Personal Identifiable Information), medical records subject to HIPAA regulation, or credit card details regulated by PCI-DSS. Once the sensitive data is out of your hands and is processed by a third party, you can no longer protect it, but you are still responsible for it. Your interactions with these third parties may also create dependencies that can impact the availability of your services.
According to one report, in the past 12 months, 80% of organizations experienced a cybersecurity breach that originated from vulnerabilities in their third-party vendor ecosystem. The implications of such a cyber incident for your business could be costly – one recent report found that a compromised third party causes an average of $7.5 million worth of damages. But it could be much more – in 2019, Capital One had to pay $80 million when the former employee of a third-party vendor stole critical information, while a cyber breach at Home Depot, in which employee credentials were stolen from a third party, resulted in $179 million damages.
How third-party cyber risk is typically computed
Typically, organizations tend to rely on risk ratings to identify the risk of a third party that they deal with. These ratings are usually based on an assessment of either external or internal data, collected by the third-party risk rating companies. External data is taken from open-source intelligence (OSINT) and may include details of the third party’s attack surface, their digital exposure, historical data of actual security incidents and more. Internal data comes from the third party itself and may include details about what countermeasures the third party is taking to reduce their risk. This information forms the basis of the third-party risk rating.
So what’s the problem?
The issue with risk ratings can be illustrated in an everyday risk we can all relate to: crossing a road. This common activity poses a very different risk to a child, an elderly person or an adult – not because the road is different, but because of the specific characteristics of each of these pedestrians.
It is the same with third-party risk. A specific third party may pose a higher risk to your organization than it does to others, due to factors such as your business and technological dependency on that third party, the type and amount of sensitive data you share with them, and other factors. To discover the actual risk posed to your organization, it’s not enough to simply look at the risk rating of a third party. In order to understand a third party’s risk to your organization, your own context, dependencies, and characteristics of engagement with the third party must be considered as an integral part of the risk analysis process.
What risk ratings don’t tell you
First and foremost, risk ratings focus on the third-party’s risk – as demonstrated in the road-crossing example above, it does not account for the nature of your relationship and the risk of working with the third party. The risk posed to your organization might be very different from the risk posed to other companies the third party works with – this is not reflected in risk ratings.
In addition, risk ratings are in many cases a sort of a balanced scorecard of a company’s external security posture in which, if the third party does everything correctly, they will get a high score – and vice-versa. In reality – companies who had great security suffered significant breaches since it only takes one security issue for a short period of time to enable mal-actors to gain access to critical systems. In such cases, the risk ratings may not reflect such risk.
Some risk ratings don’t utilize benchmarking analysis. It may be that an organization that has a good external posture will get a good rating, but organizations with a similar external posture were breached, and this data should be taken into consideration in the risk analysis process.
Taken in isolation, on a scale of 1 to 100 (higher is better), a rating of 45 appears to be low. But it could be that the median rating of comparable organizations is 33 (due to the risks associated with the sector and geography they operate in), in which case the third party is actually doing better than the industry median.
It’s also important to bear in mind that risk can never be entirely eliminated. Even a company with a very high-risk rating, reflecting low risk, is not 100% safe from a breach – just one error by an IT professional can cause a breach. Inherent risk scores take this into account and even if the organization has a high residual risk score the inherent risk score still reflects the actual risk of a company suffering a breach based on data of what happened to other similar companies in the past.
How risk scoring fills in the gaps
Risk scores tailor the risk assessment to the unique characteristics of your relationship with each third party, by considering the actual dependencies with the third party. Risk factors such as what type of data you share with the third party and how many records, how dependent your business is on that third party’s IT systems, and how many employees the third party has – are all taken into account to make sure both that they are benchmarked to similar third parties for risk scoring purposes, but also that the risk score takes into account the relevant context of your relationship with the entity under review.
Risk scoring puts risk into context. It begins by considering both internal and external data to create both an inherent risk score and residual risk score. Inherent risk is based on who they are and what happened in the past to similar organizations. Residual risk takes into account the risk mitigation efforts which the third party carries out. The delta between the two scores represents the actual risk reduction achieved by the third party, providing 360-degree visibility based on both external and internal data, which is critical for the purpose of accurate risk analysis.
If, for example, the third party under review is a bank, it may have an inherent risk score of 25 (1-100, higher is better), signifying that similar banks had an incident or a breach. But, after completing a risk survey, the residual score calculated is 87 – a much better reflection of their investment in protecting your data. By combining both inherent and residual risk scores, you are enabled to better understand the risk levels posed by the third party and how they mitigate such risk.
Finally, to provide the highest value to your organization, a risk score should be combined with economic impact analysis. Utilizing a data-driven quantitative approach to predict the economic impact each third party may have on your company, with an actual monetary cost attached, enables you to consider impact as part of the risk analysis process. Once you have an economic impact assigned to each third party, combined with the inherent and residual risk scores, you can now take firm action and focus on those third parties that pose the highest risk to your organization.
By using a more nuanced, tailored approach, risk scores focus on what matters most to you – your own risk, while risk ratings focus mainly on the risk posed to the third parties.
To find out how Cyberwrite enables you to calculate a risk score for any third party, request free access now.