Expectations on an organization's cyber hygiene and the maturity of their compliance program have ratcheted up in the past couple of years. After suffering numerous devastating attacks for years, organizations have finally begun to step up their own cyber defenses and oversight of vendors. In fact, 90 percent of respondents in Hyperproof's latest IT Compliance Benchmark survey reported their organization had been negatively impacted by a third-party incident in 2021.
Knowing that third parties represent a weak spot in many enterprise risk management programs, regulators have begun to put requirements on organizations to have strong governance over their third parties.
EU's General Data Protection Regulation (GDPR)
GDPR's scope includes all European Union organizations that collect, store or process the personal data of any person residing within the EU, as well as non-EU organizations that offer goods and services to European residents or non-EU organizations that process personally identifiable data. EU organizations (data controllers) that leverage non-EU data processors must make sure their data processing vendors are also following GDPR guidelines.
Under GDPR, data processors have a duty to protect data in a manner that ensures the security of all personal data.
California's Consumer Privacy Rights Act (CPRA)
The CPRA, which will go into full effect on January 1, 2023, imposes a similar set of requirements on data processors. It obligates organizations that collect data (e.g., any company with consumers who reside in California) to hold their service providers accountable for protecting all personal data.
CMMC 2.0
The Cybersecurity Maturity Model Certification (CMMC) program was created in 2020 by the Department of Defense to verify that all companies in the Defense Industrial Base have sufficient security and privacy safeguards in place to protect federal information within their care. Higher-risk companies need to go through independent audits. Lower-risk companies can self-attest (or perform a self-assessment). However, to ensure that no one makes false claims in their security self-assessment, the Department of Justice has the legal power to investigate government contractors who allegedly submitted "false claims" regarding their cybersecurity practices under the False Claims Act (FCA). The DOJ can impose hefty fines on entities and individuals who are found guilty.
All in all, companies today face significantly more liability, due to their role as a supplier and as a party that procures goods and services.
To reduce this potential liability when taking on a new customer, it's important for organizations to fully understand the requirements they're asked to meet and implement the controls necessary to meet those legal and contractual requirements. Organizations should validate their security and privacy controls and collect proof on an ongoing basis to show customers (and regulators) that they are meeting their contractual obligations.
In fact, many tech companies are already making the investments to strengthen their third-party risk management program and shift towards a continuous approach to compliance. Hyperproof's Dec. 2021 survey found that 51 percent of all surveyed organizations plan to expand their third-party risk management program in 2022.
On the flip side, organizations should examine their contracts with existing vendors to ensure there is clear language describing what the vendors are obligated to do to safeguard data and keep it confidential. Further, they should gather proof that vendors truly have those safeguards in place.
In addition to legal risk mitigation, continuous review and management of controls is critical for maintaining resilience.
At this juncture, organizations must rise to a new challenge. They need to build the capabilities necessary to operate under a continuous assurance model. This includes finding a way to scale the activity of implementing controls. Organizations will need to stand up a structured, repeatable, continuous approach for training the right people, assigning ownership of controls, assessing compliance with controls and remediating gaps.
To be successful in operating in a continuous assurance model, organizations will need to use technology to centrally manage their compliance program and distribute responsibility for operating controls to people within multiple business functions. Technology will empower people to perform control activities properly, on time and efficiently. This model of continuous assurance is a big departure from the audit-centric model of yesterday. Organizations that rise to the challenge of operating in a continuous assurance model will be trusted and beloved by their customers.