EP 1: Third Party Risk Management


Date: 19th February 2020
Speakers: Penny Flint (Host), Grant Waterfall (Guest), Paul O'Rourke (Guest)
Duration: 23m 23s

In this podcast episode our Cybersecurity experts Penny Flint, Grant Waterfall and Paul O’Rourke discuss how organisations like yours can work to mitigate third party risk in an age where all organisations are interconnected.


Penny Flint: Welcome to our podcast series, The Global Realities of Cybersecurity. I'm your host, Penny Flint. I work for PwC, based in the UK. Each episode of the series will be inviting along some of our colleagues who are experts in their fields to discuss what they do at PwC, and what they're focusing in on at the moment, in the ever-changing world of cybersecurity. Today's conversation is centred around third party risk management, and I'm joined by Grant Waterfall and Paul O'Rourke.

Grant Waterfall: Hi, I'm Grant Waterfall. I'm responsible for cybersecurity in EMEA.

Paul O'Rourke: My name's Paul O'Rourke, I'm based out of Australia, and I lead the Asia Pacific cyber and risk practice.

Penny Flint: Okay, well, thank you, guys, and thank you for joining us today. I know my clients have certainly been talking to me a lot around third party risk management, and I guess I'll ask my first question today, and I'll, maybe I'll start with you, Grant. What trends have you been seeing in the past year when it comes to third party risk?

Grant Waterfall: Well, Penny, just two weeks ago, and I think you might've been at the same event, we had a group of clients up for a panel, and we talked, we asked them what their top issues were. And across the group, and these were all big multinational clients, they all agreed that third party risk management was one of their top three cyber issues, and rising.

Grant Waterfall: And one said, an insurance company, that they thought it would be the number one issue in the future. So I think we're seeing a trend of clients, we're realising how much of an issue this is. And actually, one of them made the statement that 98% of spend at the moment is on internal cyber issues, and something like 60% of cyber incidents are to do with third parties. So there's a real imbalance and a need to probably rebalance.

Penny Flint: Wow, okay. That's a powerful statistic.

Paul O'Rourke: Just picking up from Grant's point, and I think it's a very key one. If we backtrack in cyber over, say, the last 10 years, most of the focus has been on internal security in improving the internal posture of the organisation. And I think there's one key aspect we need to look at here, and that is, we have management control around the internal organisation. We don't have management control around the third party supply chain. And I think that's really fundamental to a lot of the research that sits here today.

Paul O'Rourke: So most of the focus for organisations has been around technology uplift, process uplift, and capability uplift around their people, internally, and improving the governance and reporting. What's been missing in that equation is the third party supply chain, and Grant highlighted a really key point.

Paul O'Rourke: We're seeing the threat landscape move to the third party supply chain, but we haven't seen commensurate uplift around both management and governance of that supply chain. If that issue does not redress, I think we're going to see increasing risk, increasing exposure, and increasing impact emanating from the supply chain.

Penny Flint: Yeah, I mean, I think those are both really good points. And certainly what we're seeing from a UK wave, I think it relates on a global level, is just the systematic level of reliance on third parties to deliver services. The days have gone by where it was just facilities management, and we're seeing core business activities actually being outsourced to third parties. So I think you've made really valid points around how we've been very focused on internal looking, but in the landscape, there's ever increasing use of third parties, both with regards to volume, and also with regards to complexity.

Grant Waterfall: No, I, and actually if you look at it, Penny, there's a real variety in the threat landscape, as Paul highlighted a second ago. So you'll all remember NotPetya, which is a malware which hit a number of companies really hard, maybe a year ago. This was a third party issue, and the common denominator was that all of those companies were running a software package, an accounting software package, in the Ukraine.

Grant Waterfall: And the malware was pushed through a regular software update to that accounting package in those companies, and it spread virally through the organisations, and took out major bits of IT. But once again we have a third party software update causing havoc in companies. So this can really come from many different angles.

Penny Flint: And it, and it's interesting and maybe a question to you, Paul, you're both using the language, "third parties," as opposed to, traditionally, I've had the word "suppliers." Is there a reason why you're using "third parties," and not the word "suppliers?"

Paul O'Rourke: Personally, I see those words as fairly interchangeable, suppliers or third parties, but I think the terminology in the market now is much more around third party risk management. And I think the interesting issue here is, we're talking about risk management, which is fundamental, and it is fundamentally a risk. And it's a material risk.

Paul O'Rourke: Grant highlighted the point before, around volume, and we have seen increasing volume over the last few years. And that introduces a real complexity for organisations. If I don't have management control, I only have governance control, and I have increasing volume of third party suppliers, how do I manage the issue? How do I understand the risk landscape, how do I manage the risk landscape, and importantly, how do I govern it, as well? And I think, and it's part of the whole focus we're seeing in the market now, around the third party risk management approach, is really around materiality.

Paul O'Rourke: And I think materiality is key, and that is starting to segment the suppliers, into material suppliers, that, from a risk impact will have a material impact and effect on the organisation, even when there is a breach. And I think it's more likely, when there is a breach, than if there is a breach.

Penny Flint: Mm, no, I think that's a really good point, I mean, but I'm still seeing some firms that I'm working with who are segmenting their third parties based on value, and based on spend. And we actually just worked with an organisation who had a business critical issue.

Penny Flint: They had an IT outage, and when we actually looked at the root cause of that, it related to a piece of software, which only cost them $20,000. So it had fallen below the threshold by which they were monitoring, and having a heightened sense of governance, because they hadn't even segmented, based on the critical nature of that activity, in that piece of software.

Paul O'Rourke: And I think part of the problem there is, it's much easier to segment by value than by risk. Because by segmenting by risk means that we have a much greater emphasis and control over the third party supply chain. We're doing active management, active governance over that supply chain, and we're actually looking at a process view, rather than just a provision of service view, in doing a process view, to actually look at where the risk materially sits.

Grant Waterfall: Yeah. Just adding to that, where you started on this, Paul, with volume, I talk regularly to major clients where we're looking at 30,000, 60,000, 80,000 vendors that they have to deal with, or third parties. And the need to then stratify, segment and work out where the risk is just becomes all the more important, because there's just no way you can deal with a programme without the right sort of prioritisation.

Penny Flint: Yeah. So I guess, what would we recommend to individuals that the first thing to work through is, exactly who, what your third party landscape is, who your third parties are, which might sound quite simplistic, when framed that way. But that's quite challenging for organisations to get to grips with that volume of third parties, particularly if you've had business-led procurement, and it hasn't necessarily gone through a centralised mechanism.

Paul O'Rourke: Yeah, I think the inventory issue is understated as a problem, understanding the full breadth of the inventory of third party suppliers. What is the definition of a third party supplier is probably the first point. And then, the second is building a full inventory list, both from a technology view and a business-led process view. And fully understanding that landscape is fundamental to really managing and governing this issue.

Penny Flint: And I think that's a really good point you're making around the different categories of third parties, because they could have different policies, which govern them, and you could have different responsibilities. You might have your procurement or head of third party responsible for your suppliers and your outsourcers, but you might have a different policy which governs your partnerships arrangements.

Penny Flint: I'm certainly seeing that that's becoming more important, just to give you an example around how firms are transforming, how you enter into arrangements with that party. So whereas traditionally, for, say, a Fintech company, you might have entered into that as a supply arrangement. And that was therefore handled by procurement and had a very clear policy.

Penny Flint: But now, firms are entering into those arrangements, say, as a partnership, and that you may have someone who's responsible for that, or you may not have any policies, or clear responsibilities over that arrangement. So how do you make sure that some of these third parties aren't falling through the cracks, I think is important.

Paul O'Rourke: That's a great point. The way I look at it, and the question I'm asking all of my clients at the moment, is based on the hypothesis that every cyber programme really needs a third party risk work stream in it right now. And it's amazing, when I ask that question of CSOs in particular, how many get a very worried or uncomfortable look on their faces.

Paul O'Rourke: So there's still a number of companies that haven't really done anything systematic about this issue. And where we do find companies have done something about it is probably in the more regulated sectors, like financial services, and then, in the more mature regulated markets, like the US and the UK. Because we're still finding that in some of, even in regulated sectors, in Europe, for example, this is still an emerging issue, and getting a lot of attention right now.

Penny Flint: Yeah, definitely.

Paul O'Rourke: And just picking up on that point, Grant, even those that have done a good job at both an inventory and a materiality view of third party suppliers, it's often at the Tier I suppliers or Tier II suppliers. One of the big changes we've seen from a risk landscape in the past five years, and particularly in the past two years, is right down to the input level, and that is a supplier of a supplier of a supplier. And where does the risk sit in the third party supply chain?

Paul O'Rourke: As an example, if an organisation has outsourced IT operations for a particular function to an organisation, that organisation has then outsourced various components. It could be segments of the delivery, and/or support models, and so on. And so, what we're seeing is, and particularly in some of the most complex supply chains, it is right down to fifth, sixth, seventh and even eighth level of supply chain risk. And organisations are really struggling with both understanding how to assess that, through an approach, but also, fundamentally, how to govern it, going forward, as well.

Grant Waterfall: Yeah, that's spot on. And whenever I find, we get clients together to discuss this issue, it becomes a really, really heated debate. And everybody is so keen to understand what techniques others are using, what, how we can help them, how we can give them methodologies and processes. And of course, we do have all of those very well defined, and some tools to help clients do the sorts of, or address the sorts of challenges you're talking about, Paul.

Penny Flint: Yeah, I'd say.

Paul O'Rourke: Yeah. And I think one of the key areas in that is, this is where we've seen AI and automation, coming in, in a really big way, and probably the last 12 months. What's been the basis for third party risk management, for probably the past five to 10 years, has been manual assessments, site visits, and spreadsheets, primarily.

Paul O'Rourke: We're evolving that fundamentally now towards much more of an AI view, ingesting large amounts of data, from various sources, to actually understand the full landscape of suppliers, to the point before or around the nth level of suppliers. Who do these suppliers typically, and third party suppliers, typically have interrelationships with, to build a broad map of the broader supply chain? And then, to start to be able to both manage and govern that issue, going forward.

Grant Waterfall: Yeah. Paul, that's a great point. And if I just give an example, in a sector, if you look at automotive, most of the components in the head unit, and that's the unit that contains the entertainment, navigation and connected car functionality, are insourced. So they are all components that are bought in from different suppliers, and then put together in the car.

Grant Waterfall: And increasingly, these are needing software updates, because they're highly complex software, hardware products. But ultimately, the safety and the security of the car remains the responsibility of the motor company. So the need, then, for them to get comfort over this more complex supply chain, which has both hardware and software in it, is really complex. And you just cannot do that without automation, and the ability to test the software, through automated techniques, which, once again, we have some really good solutions for.

Paul O'Rourke: And particularly picking up Penny's point before, around inventory. To your point then, Grant, it is how do I understand the inventory of not only the Tier I suppliers, but the inventory right down to the smaller suppliers, all those components within the head unit of the car. A very complex issue, but one that organisations cannot and must not avoid, going forward.

Grant Waterfall: Absolutely.

Penny Flint: Yeah. No, I think those are really good points. And so, if I just do a little recap, on what I think I've heard, you said, so if I was approaching this for the first time, what I might be saying to an organisation is, one, start with your inventory. Try and figure out what your third party landscape is. What are the different third party categories that exist in your organisation? What policies are governing those third parties, and who are the responsible individuals for these third parties?

Penny Flint: I think I've heard you both then talk about segmentation, and what do you care about? What's business critical to your organisation? And that's where you need to focus your oversight on those particular third parties. And then, I think I've heard you go on to make some really valid points with regards to sub-outsourcing, and really understanding your supply chain, and how you could have an impact through that supply chain.

Paul O'Rourke: And so one area we probably haven't touched on as much, then, is around governance and reporting. Once we have an inventory, once we have a full view of the risk landscape, from a segmentation and a materiality view, how do we gather that information, both from a manual view and also an automation view, as we just touched on before, and pull that together into highly rich contextual management and governance reports? And that's something that, if we're to get a much better handle as an organisation, going forward, around third party risk, we need to get much better at the governance and reporting, and actually not only lag reporting, but predictive reporting is fundamental around understanding risk.

Paul O'Rourke: An example is, particularly around predictive reporting, if you have a supply chain, right down to third, fourth, fifth level suppliers is, what happens if something happens in one of the fifth level suppliers? An example I was dealing with recently was, a typhoon in a country that actually wiped out supply in various factories.

Paul O'Rourke: If you understood your supply chain, and the materiality view, and the interrelationship between your suppliers, you would understand much better, going forward, from a predictive view, that that impact on that factory, and that supplier, would have a downstream impact on your production, going forward, in terms of supply. This organisation ultimately did not know that at the time. They didn't even understand, this fifth level supplier was a supplier in their supply chain.

Paul O'Rourke: And it had a downstream impact, a few months later, on their production. And I think that's where getting much greater context and rich reporting, both lag and predictive, is fundamental to governing and managing this issue, going forward.

Penny Flint: I think that's such a valid point. If you think of, if there was an issue, in say, India, with regards to a natural disaster, how long would it take a lot of the firms that we work with to understand how they'd been impacted by that? And I think if your answer is, "It's going to take you at least a week," that's too long, as opposed to, you know your inventory clearly, you know what geographical location that service is being delivered out of, either through a direct supplier relationship or through subcontracting.

Paul O'Rourke: One area we haven't probably touched on is how to improve the relationship with the suppliers, as well, and let's talk the material suppliers. One of the key issues is, if we are talking materiality, it means there's a much greater interreliance and interdependence between the core organisation and those material suppliers.

Paul O'Rourke: So that means, there's an onus on the organisation to better understand those third party suppliers, from materiality view, understand how they are looking at cyber, how they're managing the cyber risk, how they're governing it, but very importantly, how they're reporting it.

Paul O'Rourke: If and when there is an issue, the organisation needs the third party supplier to be very upfront, report the issue, and work collaboratively and cooperatively to actually readdress the issue. What we've seen is where that relationship isn't as strong as what it should be.

Paul O'Rourke: The third party supplier is worried about contractual implications, and often tries to hide, or subterfuge around the issue. And that ultimately ends up, often, in greater impact to the core organisation.

Penny Flint: One point for firms to consider is with regards to GDPR, and how your third parties are supporting you with meeting your regulatory obligation. So here in the UK, you've got a 72-hour period to report through to the regulator any breach or loss of personally identifiable data. So how has that been translated into the contract? Have you asked your third parties to report through to you within a 24-hour period, so you've got sufficient time to meet that 72-hour deadline?

Grant Waterfall: Yeah, well, just to just add one point to that, Penny, you raised GDPR, but really, if you look across various regulatory agendas around the world... So, privacy regulation, which is not just GDPR, there's similar sorts of regulation being adopted everywhere, in virtually all cases, third party risk is a part of the regulation.

Grant Waterfall: And likewise, if you look at a lot of the sector specific, specifically, financial sector regulation, this is probably the biggest focus of the cybersecurity regulation. And we're expecting a lot of activity, particularly in the banking sector here in Europe right now.

Penny Flint: Yeah, it's true, and with the privacy, there's no materiality, right? You harm one customer, you suffer data leakage, you have a responsibility to that individual, and you have to report it through. So it takes you back to that segmentation, to make sure you're not segmenting based on volume of customer data and, you know, eliminating someone that you may not oversee because they're not hitting a volume threshold, for instance. Okay. And then,

Paul O'Rourke: And a number of the areas we've touched on earlier have almost been around hygiene, which is things like inventory and materiality and segmentation. But what we're seeing from the regulators is, absolutely, they expect hygiene, but they expect maturity as well. And that is moving much more now into governance and risk management. And I think that's the key issue that we will see, probably in the next 12 to 24 months, is regulators getting much more active around how organisations are appropriately executing both their management and governance roles over their third party supply chain.

Penny Flint: No, that's great. And it sort of leads us into the final segment, which I was going to pose as a question to both of you, around focusing on the future, you know, how does a growing organisation work to mitigate third party risk? And I think you were just touching upon some of that, Paul, with what you were just saying there.

Paul O'Rourke: Yeah. And the other point I'd add to that is there's a big focus here on skill sets as well. Often organisations haven't had the right skill sets internally to appropriately obtain the inventory, assess, manage and govern the risks going forward, and also report on it. So what we're seeing also, and I think one of the key issues in the market now, is really a focus on core skills around third party risk management governance. And I think that'll be one of the big growth areas in the market in the next 12 to probably 24 to 36 months.

Grant Waterfall: Yeah, you know, and Paul, I totally agree with that. And then on top of that, I think we both mentioned it, you know, with the sorts of volumes we have and the increased complexity, and the fact that we are dealing with hardware and various things through the supply chain, that point of automation just becomes so much more important, and we're not going to be able to do this without it. So we are seeing a number of solutions being developed, and certainly our focus is on helping our clients move in that direction.

Paul O'Rourke: Yeah. I would say the largest organisations without automation will fundamentally struggle with this issue going forward. And what we have seen, it's akin to the last five years, where we've automated a lot of the security functions internally, everything from the SOC through to data management, data lakes, et cetera. That maturity is now moving to the third party supply chain. A lot of the core functionality and approach that we've done internally with a lot of our clients globally, we're now doing within the third party supply chain. And I think that's, to Grant's point, one of the big focus areas going forward to appropriately addressing this issue.

Penny Flint: Okay, great. Well, just as a closing comment, Paul and Grant, if you were to say, you know, just one thing that someone should focus on having listened to this podcast, what would be the first activity you'd recommend that they did? I'll start with you, Paul.

Paul O'Rourke: Yeah. The one area we haven't touched on, which I think is really important, is the organisation hierarchy. Making sure that the C-suite and board are fully assessed and aware of the risk landscape around the third party supply chain, and that there's appropriate governance processes in place around that going forward. So yeah, the last thing an organisation needs is a surprise, and fundamentally, as this is a big risk issue, it is appropriately assessing and governing it, and also making the right stakeholders aware of both the problem statement and also the approach to address it.

Penny Flint: Yeah, I think that's a great point. If there is a breach or an incident, what we've certainly seen is that when the regulators have come in, they've certainly interviewed C-suites and the board members, and they've also looked back around the governance over that particular third party, and the level of involvement with regards to the board and some of the decision making that took place. A great point. And Grant?

Grant Waterfall: Look, I just go back to every cyber programme should have a third party risk work stream embedded in it, and I think that's the place to start, and understand, you know, how that has been implemented.

Penny Flint: Okay, great. Well thank you both of you and thanks again for joining us today. It's been great having you with us. Remember to subscribe to our podcast series so you don't miss out on future episodes. If you have any questions about what we do here in cybersecurity, please reach out to our guests.
