October 21, 2020
Managing Third Party Service Provider Risks
Loss or theft of customer, financial, or employee data, even if not financially material, could cause permanent operational and reputational damage to companies. Companies that collect and maintain significant amounts of sensitive nonpublic information are susceptible to Cybersecurity attacks and are required to implement controls to mitigate the risks of unauthorized access to nonpublic information. Large scale data breaches generally make the news; however, the size of the company does not reduce the risk of a cybersecurity breach. Companies of all sizes face similar risks.
It is important for organizations to identify and understand vulnerabilities that threaten their assets (information, people, technology) and implement security precautions to minimize the likelihood and impact of a cybersecurity event. Many organizations rely on third party service providers to supplement their control environment and support their Cybersecurity program.
Third Party Service Providers Do Not Replace Internal Controls
Supplementing internal controls with third party service providers does not reduce an organization’s ownership of their risks.
Third party service providers should be assessed to determine whether their access to the organization’s information or systems pose a risk and how unauthorized access, via the third party service provider, would impact the organization.
Examples of services provided by third parties include:
- Managed Security Services
- Computer Hosting Services
- Claims Processing and Administration
- Policy Administration
- Information Technology Management
- Payroll and Benefits Administration
- Enrollment and Billing
- Physical Security and Infrastructure Administration
Managing and Monitoring Third Party Service Providers
Companies should implement procedures to manage and monitor third party service providers. For many companies, this is a regulatory requirement. For example, for Insurance Companies, the New York Department of Financial Services (NYDFS) enacted a cybersecurity regulation and the National Association of Insurance Commissioners (NAIC) has adopted a model law that specify companies must implement controls to risk rank, assess, and manage third party service providers. Companies are also expected to perform due diligence procedures to gain comfort over the controls implemented at third parties.
Companies should also ensure third party users with access to company data and systems are subject to security awareness training and education. Security awareness is one of the most important controls any company can implement. Companies may implement the most secure infrastructure, but if users are not educated on the importance of employing and adhering to secure measures, Cybersecurity risks remain a serious threat to the company.
Third Party Service Provider Assessments Should Include:
- Documented policies and procedures for contracting, managing, and monitoring third party service providers
- Thorough review and vetting of third party service providers prior to contracting
- Identification of systems and/or data that third party service providers would access or process and assessment of the controls
in place at the third party service provider to determine whether their controls are sufficient to securely access and/or process company systems and/or data
- Continuous monitoring controls at the third party service provider, including System and Organization Controls (SOC), penetration testing, vulnerability scanning, and other related security assessments
- Due diligence procedures to monitor third party service providers subsequent to contracting
Management of third party service providers is critical for all companies and organizations, regardless of industry. Implementation of formal policies and procedures to assess and monitor third party service helps companies reduce cybersecurity risks associated with third party service providers.
To discuss Johnson Lambert’s services for assessing third party service providers, contact our team here.