BARR Advisory HITRUST Field Manager Brianna Plush recently joined HITRUST Vice President of Adoption Ryan Patrick for an in-depth discussion on how to build a strong and resilient vendor risk management program.
In the webinar, Plush and Patrick discussed the complex nature of the modern vendor risk landscape and explained how to identify, assess, and mitigate third-party risks before they impact your organization.
“Organizations are struggling to not just manage their vendors, but understand where the risks reside, what to do about it, how to overcome it, and how to work collaboratively with their third parties, their supply chain partners, and the like,” Patrick said.
“Third-party breaches are increasing year over year,” he added. One of the primary reasons for this is that “most organizations have a ton of vendors—tens, hundreds, thousands, tens of thousands depending on the size of the organization,” Patrick said. “The attack surface for some organizations is huge.”
For organizations aiming to mitigate third-party risk, having a thorough vendor review process is critical. But it’s not as simple as sending out a survey to each one of your vendors. Due to the volume of vendors that most organizations work with, it’s impossible for third-party risk management (TPRM) teams to rely on traditional security questionnaires.
“You shouldn’t ask a 500- [or] 600-question questionnaire to cover all of these things. It’s grossly inefficient,” Patrick explained. “TPRM teams don’t have the time, the resources, and in some cases the expertise to be, one, chasing vendors to get them to fill it out; two, get them to fill it out with enough specificity where it’s meaningful information; and three, doing some kind of due diligence based on those responses.”
So how can we close the gap? Plush explained that the process should begin with an initial risk assessment: identify potential vendors, then tier them by risk level. “Because of the sheer number of vendors, there has to be some kind of triage,” Patrick noted.
“What function is this third party going to perform for our organization? Map these potential third parties to the systems and the data they’re going to access,” Plush advised. “This is going to help you set up a baseline for [understanding] the different types of risks the vendor might introduce into the organization once they start delivering services to you.”
Plush said TPRM teams must also understand the standards and regulations that apply to their organizations, and keep those in mind when conducting due diligence.
“Your organization should have an overall risk management strategy and an overall risk appetite,” Plush added. “Utilizing that criteria, evaluating these vendor risks based on how you’re going to be using this third party is the next step.”
She advised reviewing compliance reports as one way to identify gaps in a vendor’s controls, as well as any vulnerabilities or weak spots in its overall security posture. This includes evaluating the vendor’s ability to keep delivering services over the long term.
“If you think about the CIA triad for cybersecurity—confidentiality, integrity, and availability—historically, we’ve only really focused and paid a lot of attention to the confidentiality of data, especially in heavily regulated industries like finance and healthcare,” Patrick said. “But with the advent of ransomware, availability of data is becoming paramount,” he argued.
“There could be service interruptions,” Patrick said. “You have to start asking questions like: If this vendor goes away, am I able to generate revenue? If the answer is no…you need to pay a lot of attention to them,” not just during onboarding, but throughout your relationship with the vendor.
The initial review process “is only just the beginning,” Plush emphasized. “Monitoring has to be performed over the vendor’s performance, their service delivery, their compliance posture, [and] their financial posture.”
Plush and Patrick also broached the topic of artificial intelligence (AI) and its role in vendor risk management.
“In this day and age, I think we’d be hard-pressed to find many organizations that don’t utilize AI to some extent,” Plush said. “There’s a lot of good that comes with the use of artificial intelligence, but a plethora of potential risks and unknowns.”
This means organizations must tailor their risk assessments “to include AI-specific considerations and questions,” Plush said. “Not all AI tools pose the same risk. So when we’re classifying our vendors, we need to take into account how they are using AI at their company and then how that’s going to be impacting the services they provide for us and our operations.”
“It can seem a bit daunting,” Plush added. “Luckily, there are AI-specific frameworks…to provide some guardrails,” she said, pointing to standards like ISO 42001, the NIST AI Risk Management Framework (RMF), and the HITRUST AI Security Assessment and Certification.
According to Patrick, ISO 42001 and the NIST AI RMF take a high-level look at AI risk. For instance, “ISO 42001 is looking at all facets of responsible AI when it comes to AI management systems,” he said.
“Neither one of those two actually are digging into hard-nosed AI security threats and the controls that should be in place to address those. That’s where HITRUST comes in—not to supplant either of those, but to augment those for your AI-powered vendors and what they’re doing to protect the models,” he said.
“Don’t overthink this. AI security in the TPRM context is very similar to traditional security within the TPRM context. Leverage your existing policies, processes…and just layer in the AI stuff,” Patrick advised. “Trust what you already know about traditional security and apply those principles to the AI side of the house.”
To hear the pair’s full discussion, watch the webinar now on-demand.
Interested in learning more about how HITRUST can help you manage vendor risk? Reach out to us today.