Title: Cybersecurity and Third-Party Risk
Author: Gregory C. Rasner
Publisher: John Wiley & Sons Limited
Genre: Foreign computer literature
isbn: 9781119809562
Bank of America (2020): Caused by an unnamed third‐party merchant, Paycheck Protection Plan (PPP) application business details, including Social Security numbers (SSNs), emails, addresses, and more, were released.
Citrix (2020): An undisclosed vendor disclosed Citrix's customer data, which was exposed on the Dark Web.
Marriott (2020): A Russian franchise operator was the reason for the second breach at this hotel chain in just two years. This time over 5 million records were compromised.
T‐Mobile (2020): An email vendor's breach was the reason that thousands of customer names, addresses, phone numbers, emails, rate plans, and more were exposed. This is the second public breach for T‐Mobile, with the last one occurring in 2015.
Radio.com (2020): Its cloud‐hosting provider misconfigured their instance, which resulted in its customers' PII being made public.
Chubb (2020): A third‐party service provider released internal sensitive data about Chubb.
General Electric (2020): Canon, which was used by GE for business processes, was breached, resulting in information on past and current GE employees and sensitive data being released.
Amazon, eBay, Shopify, Stripe, PayPal (2020): A third‐party application breach was the reason for the release of over 8 million records on sales information, customer names, emails, mailing addresses, and credit card information including the last four digits of account numbers.
SpaceX, Tesla, Boeing, Lockheed Martin (2020): Viser, a parts manufacturer, released partial schematics for a missile antenna and other restricted internal data.
Carson City (2020): Click2Gov caused the release of residents' names, addresses, email, debit/credit cards, card security codes (CVV), and bank account and routing numbers.
Idaho Central Credit Union (2020): A mortgage portal provider was hacked, releasing customer banking information.
Nedbank (2020): Nearly 2 million customer PII records were released by Computer Facilities (Pty) Ltd., a marketing and promotional firm.
Mitsubishi (2020): A large amount of internal restricted data was exfiltrated via an undisclosed vendor in China.
P&N Bank (2020): A third‐party customer relationship manager (CRM) hosting company caused the loss of nearly 100,000 customer records.
Ubiquiti Inc (2021): This maker of Internet of Things devices lost an undisclosed number of customer names, email addresses, passwords, addresses, and phone numbers due to a third‐party cloud provider.
Bonobos (2021): This men's clothing retailer had the data for over 7 million customers (addresses, phone numbers, account info, partial credit card information) stolen from its cloud data provider.
US Cellular (2021): The fourth largest wireless carrier in the U.S. exposed the private data of almost 5 million customers from its CRM software.
According to a Ponemon Institute survey in 2019, 60 percent of the companies surveyed admitted to not performing adequate cybersecurity vetting of their third parties. Thirty‐three percent replied that they had no cybersecurity vetting process or only an ad‐hoc one. Fifty‐nine percent admitted being affected by a third‐party breach in the previous year. In that same survey, the companies also admitted to sharing their data with, and requiring protection from, an average of a whopping 588 third parties. Taken together, these numbers mean that over half the companies admitted to not performing cybersecurity due diligence on nearly 600 third parties. Note that these statistics are from before the COVID‐19 pandemic. Post pandemic, the increase in cyberattacks was over 800 percent, according to the FBI as of May 2020. Prior to the pandemic, the problem was already pronounced, with the breaches listed including Capital One, Home Depot, and others. However, the lack of due diligence and of programs to review the cybersecurity of third parties at so many firms led to an explosion of breaches. And, as everyone is someone else's third party (i.e., every company is selling to someone and using vendors to assist in that effort), the problem was magnified to a boiling point.
Third‐Party Risk Management
Third‐Party Risk Management (TPRM) as a discipline is not very old. In the financial sector, it was not mandated by the Office of the Comptroller of the Currency (OCC) until 2013, when it regulated that all banks must manage the risk of all their third parties. OCC 2013‐29 defined “third party” as any entity a company does business with, including vendors, suppliers, partners, affiliates, brokers, manufacturers, and agents. Third parties can include upstream (i.e., vendors) and downstream (i.e., resellers) and non‐contractual parties. Other regulated sectors have seen similar requirements, often indirectly via privacy regulations. For example, General Data Protection Regulation (GDPR) or the California Privacy Rights Act (CPRA) require many companies subject to these regulations to perform due diligence on vendors who have access to their customer data. This may not lead to a full‐blown risk management division or group, but someone will be required to perform some oversight in an organized process, lest they get subjected to the extreme financial penalties both regulations require.
Other risk domains exist in TPRM: strategic, reputation, operational, transaction, and compliance domains. Why does this book focus exclusively on the cybersecurity domain? That is where the money is. While there are financial and reputational risks in the other domains, none of them presents the level of risk to a firm that information security does. As described previously, there are a number of breaches that can be directly attributed to a cybersecurity breach at a vendor. It is not that these other domains aren't important, but none of them has the impact, financially or reputationally, that a cybersecurity risk poses to a firm. Perform an internet search on the other domains, and you will struggle to find results. A similar search on cybersecurity breaches produces more results than one can list on a single page. Like any organization with more than one domain, if one of those domains presents a higher risk for practitioners, and evidence shows that Information Security does, then that domain needs more research, resources, and results.
While TPRM organizations struggle to keep up with the level of breaches and incidents involving vendors, evidence shows that most cybersecurity organizations are not taking a lead in this domain, and that TPRM groups do not have the expertise to address this gap. According to the Ponemon Institute “Data Risk in the Third‐Party Ecosystem” study (2018), only 40 percent perform any cybersecurity due diligence. Sixty percent perform none or only ad‐hoc cybersecurity reviews. The evidence indicates that a large share of the 40 percent (i.e., those that perform some cybersecurity due diligence) do not do enough, as evidenced by the level of breaches and incidents. TPRM organizations must begin focusing more on the Information Security domain, and either bring cybersecurity experts directly into their organizations or partner with cybersecurity teams to address the gap. Doing so will also require that the cybersecurity team is able to understand the problem with third parties and address the risk.
While the fines and publicity for failure to follow TPRM guidelines are not as large, instances of regulators acting can be found:
In 2020, the OCC assessed an $85 million civil money penalty against USAA for failure to implement and maintain an effective risk management compliance program.
In 2020, the OCC assessed a $60 million civil money penalty against Morgan Stanley for not properly decommissioning some Wealth Management business data centers.
In