More Regulations, Bigger Expectations: TPRM Challenges and Opportunities

In an environment of new regulations and potential threats, assessing the security of third parties is no longer enough: organizations need to understand the full picture of what their third parties provide — and how they do it.

At AuditBoard’s 2022 Audit & Beyond conference, a lively panel of risk management leaders discussed how to tackle third-party risk management (TPRM) challenges. Amanda Pope (InComm Payments), Andrew Mahabir (Affirm), and Cameron Over (Cross Country Consulting) shared how they manage third-party risks and their plans to use more meaningful, real-time insights to build a robust third-party risk management program. From responding to security events with speed to threat actors engaging in “big game hunting,” read the top three key takeaways from the panel discussion below.

1. TPRM Will Play a Major Role in Complying With New Cybersecurity Regulations.

Even private businesses should consider their regulatory strategies and the role TPRM plays in the overall cybersecurity program. Amanda Pope, Senior Vice President of Audit and Risk Management at InComm Payments, explained: “We are a highly regulated private business with thousands of partners who rely on us to process their gift cards and protect their sensitive information, whether the transactions and information are in-house or subcontracted. For vendors, we ensure they have appropriate controls in place and document this using the AuditBoard TPRM module!” Amanda has found it increasingly important to understand contractual expectations and to determine how those expectations impact their vendor requirements.

2. TPRM Teams Leverage Vendor Inventories to Speed Responses to Security Events.

Panel members discussed how their teams have responded to recent threats and described lessons learned from those experiences. As Andrew Mahabir, Senior Manager and Head of Vendor Risk Management at Affirm, put it: “We recognized we could store data in a centralized way to support a rapid response to security incidents. We worked with stakeholders and leveraged prior assessments to assemble the information into a single vendor inventory — and think strategically about our response to threat incidents.” The process of implementing a TPRM software solution can be a great opportunity to assemble the vendor information that enables more rapid future incident responses.

3. “Big-Game Hunting” Threat Actors Look for Vendors With Many Customers

Third-party risk concerns not only the vendors that an organization may be using across its lines of business, but third-party vulnerabilities can also impact the organization’s data and reputation. “Threat actors look at vendors with lots of customers as what we call ‘big game hunting,'” explained Cameron Over, Partner, Cyber & Privacy at Cross Country Consulting. “We think about this as a force multiplier.” When bad actors seek out vendors with a lot of customers as a way to find victims, they look to gain access to many organizations by breaching one business that’s a vendor to many of them.

Understanding the Full TPRM Picture

Tackling TPRM challenges calls for keeping current with changes in regulations and vulnerabilities alike. It also calls for organizational knowledge through careful cultivation of relationships, adoption of best practices, and tools to manage vendor information. Fortunately, by leveraging best practices and purpose-built technology, TPRM leaders will be well-positioned to understand the full picture of what their third parties provide — and how they provide it.