The risk of a data breach due to a third-party supplier is nothing new. Organisations have long shared data with suppliers on the assumption it is secure. Much of that assumption was more wishful thinking than validation.
The list of third-party supplier breaches gets longer every year. Four examples of third-party supplier breaches covered by Enterprise Times recently are:
- Equifax – Apache Struts software
- Ticketmaster – Inbenta Technologies
- Toyota, Ford, GM, VW and 100 other manufacturers – Level One Robotics
- Costa Coffee and Premier Inn – HR SaaS company, PageUp
This is just a very small list of the breaches caused by a third-party supplier and the problem shows no signs of going away. So what can organisations do about it? The large cyber security providers all talk openly about the problem. They admit that customers are worried about the risk. However, when you ask for more details, such as how many ask for suppliers to be audited or looked at, it becomes clear that very, very few organisations want to go down this route. Quite why isn’t clear although cost and a lack of tooling are often mentioned.
Taking a different approach
Enterprise Times (ET) recently sat with Tom Turner, CEO, BitSight, to talk about his organisation's approach to this problem. BitSight creates Security Risk Ratings. Turner describes them as the IT security equivalent of Moody’s or S&P. He also uses another analogy, that of a consumer credit risk rating. The higher the number, the safer a supplier is to deal with.
Turner focuses on three different use cases.
- Understanding risks and third parties that customers deal with: “This is about vendor risk management and particularly IT security vendor risk management” says Turner. 23% of BitSight’s customers are banks and security companies. Financial services, in general, has a much more mature approach to IT risk management than other sectors. Turner points to the investment made by the sector in staff and tooling. Regulators have also played their part, especially in the US and Europe.
- Cyber insurance underwriting: According to Turner: “50% of the world’s cyber insurance policies are underwritten by BitSight customers today. They use BitSight ratings as one of the decision elements on how to define the policy and the premium.”
- Setting the tone and level for board level discussions on IT security: While most reports show that board level discussions around IT security are ineffective, Turner sees something else. This is almost certainly because BitSight talks about risk. Risk is something that boards deal with all the time. They can relate risk to the business. Businesses often compare themselves against other companies in their market segments. The ratings approach that BitSight uses allows the board to do the same when it comes to cyber security.
How do you rate your third-party suppliers?
The challenge here is scale. A company with just a small number of suppliers could take the time to talk to each supplier, examine their processes and gain an understanding of their cyber security stance. But what happens when you have 50, 100 or 1,000 suppliers? It is not possible to employ enough people to visit each supplier even if you review them just once a year. That brings in another challenge. Once a year is not enough. Periodic assessment creates too much risk of something going wrong. Effective assessment must be continuous.
Turner points to the financial services industry and its approach. He told ET: “People would tier vendors and base it on value. For example, who was plugged in to the network and who had access to the most sensitive data. Tiering was done to get around scale. Companies sent out questionnaires about practices, control points and then carried out some verification such as telephone audits or onsite visits. The best companies would hit 10-15% of total suppliers to find weakness. People understand their top partners but not the 1,000 others.”
This is why BitSight introduced ratings. They allow for greater scale. The top 2-300 vendors can be monitored all the time. The long tail, which is where the risk is greatest, can then be monitored using ratings and groupings.
The analogy that Turner used was: “In credit you don’t pick the individual company that is going to default. Credit risk is all about ‘what is the basket of companies I should pay more attention to?’ In this case, I have a thousand third party suppliers. They are ones that, no matter what they tell me, are not performing very well. It suggests to me that if I’ve got a set amount of money or resources to deal with the problem, that’s where I should focus.”
Some rating examples
An example of this when applied to an individual company could be something like this:
A supplier writes a mobile app and puts it on an app store for public use. The IT security team download the app and examine it. Has it been coded properly? Have industry best practices for secure coding been used? How well has it been configured? All of these act as indicators as to the skills and approach the organisation takes when it comes to software development. If they are all positive then the supplier is likely to be of less risk than if the code is buggy and just hacked together.
Another approach would be to group suppliers together and then monitor how that industry sector is viewed in terms of security. At present, there is a lot of attention around the Internet of Things. Companies are building devices that connect to the internet and share data. The majority of organisations in this space are not security experts. They don’t necessarily understand the challenge of secure connections. There is a lack of cyber security support for devices over time. Those suppliers in this group should be considered a higher risk.
Compare this to someone like Rolls Royce. Its aircraft engines are filled with sensors that grab data and send it back to the company. The company uses all that data to create a digital twin of the engine to ensure it works correctly. It allows engineers to adjust parameters remotely to maintain the best performance. As part of this, Rolls Royce invests heavily in secure connectivity and cyber security. It, and its peers, would be considered a low risk.
Collaboration is the key to BitSight ratings
One of the challenges of building ratings is data. To get a real understanding of the risk an organisation or groups of organisations pose requires a lot of data. That data also has to be valid. Turner believes that the best way to gather that data is through communities.
There are working examples of those communities in business. For example, insurance companies share details on claims to prevent fraud. Financial services regulators have allowed banks and others to share details of cyber-attacks and threats. This community-driven data gathering is far more effective than anything a single company could deliver.
Turner told us that: “BitSight has over 12,000 customers in its community. They are actively monitoring over 100,000 unique third parties and sharing that data with BitSight.” There is overlap in the data when a third-party is working with multiple suppliers. It allows BitSight to have deeper insight on individual companies. It also provides a lot of detail on groups of companies allowing visibility on attitudes and risks to their sector.
Risk requires context
Information, on its own, has no context and when assessing risk, context is critical. BitSight not only shares information with its customers but the software is available to the downstream suppliers. This has brought 26,000 new users into the platform beyond those who are BitSight customers.
Take the example of a third-party supplier who has a breach. How do you assess the breach? Does it mean the supplier cannot be trusted? Does it raise the cyber insurance risk for anyone dealing with that company?
This is where context and investigation come in. Turner says when you are aware of a breach you talk to the company affected. You discover what the breach was, how long it lasted, what caused it and whether it has been resolved.
Talking to the affected company may disclose that this was about a breach in a wireless guest network. If that affected no internal systems it would not be that serious, especially if it is closed. A more serious issue would be a known vulnerability in a system that cannot be taken offline. However, if the company has put in place effective and compensating controls then the severity is immediately reduced.
This is where the sharing of data between BitSight customers and their supply chain has significant value. As Turner points out, the old approach of questionnaires would not have uncovered this context and would have created a false risk value.
The costs of not dealing with risk can be significant
Failing to address third-party supplier risk is not an option. New laws around data protection, such as GDPR, have toughened up liability. When a breach happens, and it will, everyone will look at how an organisation assessed and dealt with risk. Turner points out the problem organisations face when it comes to the public apportionment of blame.
“The way they do that at the moment is you look at the two companies involved. The one with the bigger brand name goes on the front page of your publication.” He jokingly continued: “If you are going to screw up, always work with companies with bigger brand names.”
Beyond the regulator there is the threat of legal action. The UK has not seen the type of class action lawsuits that happen in the US. That is changing. The data breach at supermarket chain Morrisons has seen a class action lawsuit against the company. That is due before the court in October 2018.
Turner makes the case that even if the lawyers win just £50 per member of staff, the costs to the company will be huge. Details of 100,000 staff were leaked and Morrisons has already been told it will be liable for at least 40% of the court costs. That would mean a minimum bill of £5 million plus costs and it is likely that staff will win much more than £50.
Turner warns: “Law firms are gearing up for this. The next time you have a lawsuit, expect them to be on your doorstep. This will cost far more than the reputation damage.”
The cost of cyber insurance set to rise
There has been significant growth in cyber insurance. However, unlike traditional insurance, cyber insurance providers lack the staff, time or knowledge to know what they are insuring. There are no visits to site or assessment of processes. This raises the question of how they can make any real judgement on cyber risk in the supply chain.
According to Turner: “The cyber insurance market is very profitable at the moment. They are managing the margin spread between the premiums and the claims. Right now that margin spread is very significant in cyber insurance. It is also so competitive right now that a lot of premiums are being written without the full assurance that you would expect.”
Turner believes that this will change when the gap between premium and claims narrows. He points to two key factors: a more stringent approach to disclosure and claims starting to approach the premiums. In addition, we have yet to see the first fines around GDPR, which could well be high as regulators look to set a benchmark for future cases.
BitSight has relationships with all of those organisations that build insurance models to predict costs. Turner said that there is an acceptance in the market that it is all a bit “wild, wild west” right now.
The impact of risk rating
As cyber insurance rises and boards become more aware of cyber risk, it will colour how they engage with third-party suppliers. The ratings run from 250-900. Dealing with a company whose rating is below 400 means that they carry 5x more risk than a company with a rating of 700.
Boards and cyber insurers will start to pay attention to these numbers. They will look at the context around which the rating has been created. Insurers, in particular, will look at how many of these companies are in the supply chain and what they are handling in terms of data. This will allow them to refine their models and price in the increased chance of a breach.
What does this mean?
Main boards understand risk. It informs their decision making process. They look at different levels of risk across the business and make decisions based on that. What they don’t understand is cyber security. They have no way to rate it, to value it, to understand what the investment brings. All they see is a black hole that seems to increase costs.
Introducing a risk rating approach for third-party suppliers when it comes to cyber security makes sense. It delivers numbers and a basis on which decisions can be made. The way that BitSight compiles its risk ratings, based on the details from its customers, is important. It aligns with the way that other ratings are created and the analogy of credit rating works well for business leaders.
As the penalties for a cyber breach continue to rise, organisations need to know who they can trust. More than that, they need to know how much they can trust their supply chain and with what type of data.