
Third-Party Cybersecurity Risk: CIOs Must Step Up to the Plate

Written by John Bree

Third-party risk has traditionally been the domain of TPRM, vendor management, and governance professionals. A variety of parameters – financial, governance, legal, client losses, people risks – provide risk and governance professionals a lens through which they understand and manage risk from third parties.

As third parties become more integrated with the enterprise and its systems, governance has started realizing the importance of instituting additional controls. This is the reason real-time and continuous monitoring of third-party risks is fast becoming the norm among enterprises with successful governance practices.

However, there is a specialized aspect of third-party risk that extends beyond its traditional domains – cybersecurity risk.

The Cybersecurity Risk of Third Parties: The Wipro Incident

Just last week, KrebsOnSecurity reported a breach at Wipro, one of the largest IT service providers in India. The breach is cause for significant concern. Wipro is home to 170,000 employees and serves the world’s largest companies across diverse industries. KrebsOnSecurity says that the intruders phished employee accounts at Wipro and then used Wipro networks to get into its customers’ systems.

One of the customers, according to KrebsOnSecurity, is a large retailer that said the hackers used their access to perpetrate gift card fraud at its stores.

While Wipro is still conducting a forensic audit with outside experts, it is reasonable to categorize this as a critical cybersecurity risk incident arising from a prominent third party. Wipro is facing many challenges in handling the incident, and customers must expect some reputational fallout from the incident and its aftermath.

This is Not a One-Off Incident

Unfortunately, the Wipro incident is not alone. Remember the third-party data breach that exposed thousands of patients’ data from Emerson Hospital?

Similar to the Wipro incident, Citrix revealed recently that cyber criminals had gained access to the internal Citrix network.

There are hundreds of other incidents that should cause concern among governance professionals. Take a look at our monthly Cybersecurity Risk newsletter, where we capture cybersecurity risk incidents.

Third Parties Multiply Cybersecurity Risk

A host of vulnerabilities exist in even the most secure systems. Often, the very companies that are entrusted with network infrastructure and security become targets for attackers, who then use them as jump-off points for intruding into customers’ systems.

Reports of incidents at sourcing partners are an alert for further review. For example, if Wipro is one of your third parties, or you have other third parties providing similar support, did your governance and risk management processes immediately trigger an independent, third-party cyber risk assessment?

Are you satisfied these third parties are not posing a business and operational risk?

Do you know where additional security audits are needed?

Do you have a risk monitoring program that alerts you about possible cybersecurity risk incidents at your third parties?

If you did not answer ‘Yes’ to all the above questions, you are not alone.

While outsourcing to third parties is not going to stop, governance must establish controls that acknowledge the threats posed by cybersecurity incidents. However, governance professionals are often not equipped to understand, respond, or mitigate fallout from third-party cybersecurity risks.

The CIO and CISO partnership: CIOs and CISOs realize that cybersecurity threats from third parties will be ever-present, and require a robust response mechanism driven by both process control and technology.

CIO and CISO offices are working more closely with vendor management, risk, and governance teams. They play an active role in assessing and responding to cybersecurity risk incidents internally as well as at your third parties.

To support these collaboration efforts, governance teams must run periodic cyber risk assessments on all critical third parties through specialised cyber risk assessment providers.

Put your third parties on real-time monitoring for cyber risk incidents. If a third party is breached, hacked, phished, or subjected to a malware attack, immediately ensure objective oversight. Run an external cyber risk assessment that tells you more about the cybersecurity posture of that third party and recommends further action.

When it comes to cyber risk, eternal vigilance and a robust response are the answer.

CIOs and CISOs:

Work with your governance teams to include cyber risk assessments as part of their overall third-party risk monitoring programs. Provide training on how to evaluate alerts and incidents and act on them! Insist on real-time cyber incident monitoring for all your critical third parties, and trigger additional assessments based on reported vulnerabilities as well as actual incidents.

If your organization’s Governance and TPRM function uses a real-time risk intelligence and monitoring solution like Supply Wisdom, it should already be receiving real-time incident alerts and cyber risk scorecards as part of multi-category risk health reports.

If there is no such program in place, or it is time to enhance your current program, please visit us at for a demonstration of Supply Wisdom’s real-time risk monitoring program and its focus on cybersecurity risk.

This post was originally published on LinkedIn.
