Is Your TPRM Strategy Ready for Modern Risk Challenges?

Rupert Marais is recognized for his extensive expertise in cybersecurity strategies and network management. As our in-house security specialist, he offers crucial insights into the evolving landscape of third-party risk management. The conversation delves into the key findings from a recent EY survey, addressing operational risk as the primary concern and exploring the other pressing risks associated with third-party vendors. Rupert sheds light on the impact of high-profile cyberattacks involving subcontractors, the reshaping of corporate definitions regarding critical third parties, and the transformative role of artificial intelligence in managing these risks.

Can you explain what the EY survey found about the primary concern in third-party risk management?

Operational risk emerged as the most pressing concern according to the EY survey. This reflects a fundamental misalignment in current third-party risk management with the new risk environment. Companies are realizing that operational impacts can ripple through their entire operations, causing disruptions and vulnerabilities that are sometimes overlooked in favor of more traditional risks.

What are some of the other top concerns in third-party risk management according to the study?

Besides operational risks, executives are also worried about financial, cybersecurity, privacy, and regulatory risks. Each of these areas poses significant challenges, especially when dealing with subcontractors who may not always adhere to stringent security or privacy practices. The multifaceted nature of these risks demonstrates the complexity of managing third-party relationships effectively.

How have high-profile cyberattacks involving third-party compromises impacted corporate worries about subcontractors?

High-profile cyberattacks have undeniably heightened corporate anxiety surrounding subcontractors. Incidents involving big names like SolarWinds and Kaseya illustrated the vulnerabilities inherent in third-party arrangements, compelling companies to scrutinize their partners more rigorously and reassess how they handle dependencies in their systems. This has led to a renewed focus on ensuring robust security measures are adopted across all partnerships.

Why is there a growing focus on analyzing and managing third-party risk in businesses today?

The increase in third-party compromises has served as a wake-up call for enterprises, driving them to invest more resources into analyzing and managing these risks. Businesses are recognizing that vulnerabilities in third-party relationships can lead to significant financial and reputational damage, making it critical to establish more secure and efficient protocols to protect their interests.

How are companies redefining what constitutes a critical third party?

Companies are redefining criticality based on the significance of business processes and functions rather than just financial impact. This shift acknowledges that certain functions are crucial to their operational continuity. As such, businesses have begun to prioritize those third-party relationships that directly influence their core activities, ensuring they are managed with enhanced diligence and care.

Why is the criticality of business processes and functions becoming more prioritized in third-party risk assessment?

The focus has shifted because businesses have started to realize that certain processes and functions are essential to maintaining smooth operations. If any part of these processes is compromised, it can result in operational downtime, loss of productivity, or even reputational damage. Hence, companies are increasingly prioritizing these aspects to avoid disruption.

Can you elaborate on how the Cybersecurity and Infrastructure Security Agency (CISA) is influencing corporate efforts related to business function criticality?

CISA has been instrumental in shaping corporate strategies that mirror national infrastructure protection goals. By highlighting critical functions and encouraging businesses to adopt similar prioritization in their risk assessments, CISA provides a framework for companies to align their security practices with broader national security objectives, bolstering resilience against potential threats.

What activities are companies outsourcing to third-party service providers?

Companies across various sectors are outsourcing an array of activities such as human resources, business intelligence, and supply chain logistics. These areas, while integral to operations, often require specialized knowledge and flexibility that third-party providers can offer, allowing businesses to focus on their core activities while leveraging external expertise.

How has the increase in outsourced operations affected third-party risks?

This outsourcing trend has elevated third-party risks by increasing the number of business functions exposed to potential vulnerabilities. With more operations reliant on external parties, companies must be vigilant about the integrity and security of these relationships to prevent disruptions that can affect their internal processes.

What role could artificial intelligence play in third-party risk management according to the EY report?

AI is poised to play a transformative role by automating several risk management tasks. It can help compile vendor lists, conduct due diligence, perform risk assessments, and analyze contract language for hidden risks. By streamlining these activities, AI can significantly enhance efficiency and accuracy in third-party risk management.

What are some specific activities that AI might automate in third-party risk management?

AI could automate activities such as compiling lists of vendors, conducting document reviews for due diligence, analyzing contract language for potential risks, and performing risk assessments based on past incidents. This automation allows companies to efficiently handle large volumes of data and focus more on strategic decisions.

What steps should companies take to effectively manage third-party risk according to the EY report?

The EY report suggests elevating third-party risk issues to a strategic level within organizations, understanding the benefits and limitations of AI, and preparing for technological “tipping points” that may change risk analysis methods. Companies should integrate these practices into their holistic risk management strategy to mitigate third-party vulnerabilities effectively.

How can companies leverage AI in third-party risk management to their advantage?

By embracing AI, companies can improve efficiency and precision in monitoring and responding to third-party risks. AI tools can sift through large amounts of data quickly, identifying potential vulnerabilities, thus enhancing an organization’s ability to fortify its defenses against threats distributed across its vendor network.

What are technological “tipping points,” and how might they affect risk analysis in companies?

Technological “tipping points” refer to moments when an innovation fundamentally changes how processes and systems operate. In risk analysis, these tipping points can revolutionize the way companies approach vulnerabilities, making traditional methods obsolete and necessitating new adaptive strategies that incorporate cutting-edge technology.

Why is it important for companies to elevate third-party risk issues to a high level within their organization?

Elevating third-party risk issues ensures that these concerns receive the attention and resources necessary to address them adequately. By engaging senior leadership, companies can integrate risk management into their strategic priorities, influencing organization-wide culture and practices towards improved security and resilience against third-party vulnerabilities.
