Amid the COVID-19 pandemic, global economies have come to standstill, significantly affecting the global supply chain. Businesses – regardless of size, geography, or sector – have shut down their operations either partially or completely to help flatten the curve.

COVID-19 hasn’t just affected business operations, though. The entire third-party ecosystem has felt the impact, including vendors, business partners, suppliers, and service providers. It may even challenge their ability to support organizations in the post-COVID-19 world.

To combat this, organizations have allowed vendors remote access to their enterprise systems for remote executions – creating a backdoor for perpetrators launching cyberattacks. The recent rise in cyberattacks indicates perpetrators are taking advantage of the remote access allowed by business organizations and their third parties to facilitate remote working.  

Businesses have pivoted from frequent touchpoints with their vendors to creating exceptions that facilitate remote work. But with reduced insight to what their vendors are working on or even need, the potential for cyberattacks happening undetected rises significantly.

“Unless organizations closely monitor the health of their third-party ecosystem during these unprecedented times, the temporary shutdown might permanently affect their ability to resume business operations due to the rippling effects of COVID-19 on the global supply chain.”

Considering these new working conditions, traditional risk management practices adopted by organizations to manage third-party risk may not be sufficient due to assessments that: 

• Are fragmented
• Don’t accommodate all business sizes and types
• Are reactive or driven by checklists
• Don’t account for disruptive changes
• Don’t consider external red flags: un-correlated threat, alerts, exploits, vulnerabilities impacting third-party risk
• Do not provide a holistic view of third-party risk posture

Additionally, key stakeholders (business managers, procurement, and risk management teams) who manage third-party risk often operate in silos, using disparate, non-information-sharing technologies that result in problems: gaps in identification of risks, redundant/missing controls, duplication of efforts, and ineffective risk management strategies.

In addition to these factors, traditional third-party risk management programs often suffer from these pitfalls:

• Limiting risk management scope to IT vendors/service providers
• Not involving risk teams early enough during third-party selection and contracting
• Failing to screen third parties thoroughly
• Failing to classify third parties based on their criticality
• Not covering risk management throughout the third-party life cycle
• Not communicating third party terminations to key stakeholders quickly
• Not creating a holistic view of third-party dependencies and their risks

To overcome the current crisis, organizations must look beyond traditional third-party risk management and adopt practices that uncover hidden patterns and anomalies for risk analysis. Then, they must proactively monitor and manage third-party risk while considering the changing enterprise risk landscape – i.e. adopt an integrated approach that: 

• Transforms point-in-time views into real-time views of third-party risk posture
• Extends third-party risk coverage     (360° risk view) across enterprise risk domains
• Collects and aggregates third party-related internal/external data for risk analysis
• Enables governance with clear responsibility, authority, and accountability
• Eliminates subjectivity
• Provides a nearly real-time, actionable understanding of third-party threats and issues alerts via pre-built feeds

Integrated third-party risk management extends third-party risk coverage throughout the third-party lifecycle from onboarding to off boarding with increased scope -- i.e. non-traditional areas such as geo-political, human rights, social media, and more. In addition, it enables organizations to collect real-time insights on third-party activity. Using these insights, it proactively detects potential threats and fraud involving third parties on the dark web and clear web.

In nutshell, integrated third-party risk management equips organization with intelligence to identify, prioritize, and manage critical third parties to minimize the impact that third-party ecosystem changes have on an organization’s ability to resume operations in the post-COVID world. Also, it enables organizations to direct their limited resources, efforts, and budgets to maximize third-party risk management coverage during unprecedented times.

How can we help?

With deep roots in technology, as well as domain expertise in risk and compliance, we are uniquely positioned to help organizations implement risk and compliance programs successfully.

We leverage years of rich experience helping organizations – from developing third-party risk management strategies and programs to performing risk assessments, implementing TRPM solutions, and providing TPRM as a service that proactively manages and monitors third party risk.

Our TPRM framework and solution set is technology agnostic and deployable on multiple GRC tools, helping you jumpstart your journey to adopt an integrated approach to managing third parties – all while accelerating your return on investment via “TPRM as a Service.”

Sesh Vaidyula

Sesh heads Risk, Compliance and Assurance practice for America’s geo. He is a seasoned professional with 20+ years of experience in advising companies on cybersecurity, risk, compliance, and audit matters.

Sesh is a subject matter specialist in GRC with multi-domain experience in enterprise/operational risk, cybersecurity, third-party risk, internal audits, systems audits, fraud investigations, business cycle and ITGC reviews, and compliance with a focus on Sarbanes-Oxley, HIPAA, CCPA, and the like.

Email: seshagiri.vaidyula@wipro.com