Third‑Party Risk Management for Cybersecurity & Compliance

• ISO/IEC 27036: A detailed look at the international standard for managing supplier security risks. This includes its different parts covering concepts, requirements, and guidelines.

• Other Core Frameworks: An introduction to complementary standards like NIST 800-161 (Supply Chain Risk Management) and ISO 27001 (Information Security Management).

• NIS2 Directive: Understanding its requirements for supply chain security and performing thorough supplier assessments.

• DORA (Digital Operational Resilience Act): Exploring its stringent rules for the financial sector, including mandatory audits and resilience testing for critical ICT vendors.

• CSDDD (Corporate Sustainability Due Diligence Directive): A brief on its implications for supply chain accountability.

• Governance & Responsibility: How regulations like DORA place responsibility on board-level management for TPRM policies.

• Establishing a formal, risk-aware vendor onboarding process.

• Defining the scope of the relationship and assigning clear roles and responsibilities to internal teams (e.g., Risk Committee, Procurement, Legal, IT).

• Conducting initial due diligence and risk assessments to evaluate a vendor's security posture.

• Vendor Segmentation: Classifying vendors based on their criticality and the data they access.

• Developing a risk-scoring model to prioritize and manage vendors effectively.

• Implementing background checks for contractors with access to client data.

• Requesting and reviewing security attestations and certifications (e.g., SOC 2, ISO 27001).

• Why contractual agreements are mandatory for any third party that accesses, stores, or processes your organization's data.

• Using contracts to enforce cybersecurity standards.

• Data Protection & Confidentiality: Clearly defining what data is confidential and how it must be handled.

• Minimum Security Standards: Specifying requirements like up-to-date antivirus, firewalls, and data encryption.

• Access Management: Mandating strong, unique passwords and multi-factor authentication (MFA).

• Incident Reporting: Establishing clear timelines for breach notification (e.g., within 48 hours).

• Right to Audit: Including a clause that allows your organization to verify the vendor's security practices.

• Data Handling and Storage: Outlining approved locations and methods for storing company data.

• Defining continuous monitoring as a proactive strategy that uses real-time data to assess vendor risk profiles.

• Key components: Real-time data collection, dynamic risk assessment, and automated alerts for stakeholders.

  
  

• Overview of automated solutions that track a vendor's risk posture across various domains (e.g., cybersecurity alerts, financial health, compliance changes).

• Leveraging collaborative assessment platforms to reduce "supplier fatigue" from repetitive questionnaires.

• The primary goal: Ensuring business continuity and accelerating recovery from disruptions.

• Key steps: establishing a program, defining reporting mechanisms, and promptly assessing incidents.

• Dedicated Response Team: Assigning roles and responsibilities to teams like IT, legal, and marketing before an incident occurs.

• Vendor Collaboration: Using Service Level Agreements (SLAs) to define how a vendor will cooperate during an incident.

• Training and Simulations: Conducting regular drills and tabletop exercises to test and refine your response plan.

The MOVEit Breach: Analyzing how a single vulnerability in a third-party tool had a cascading effect across hundreds of organizations.

The Accounting Firm Breach: Deconstructing the incident where a firm agreed to a $7.25 million settlement after its third-party IT provider was breached, exposing sensitive client data.