When cybersecurity incidents result from your third- or fourth-party providers, who ends up taking liability?

VP, Director of Cyber Incident Response in Finance (non-banking), 2 years ago
Sometimes companies have a third-party assessment organization that is responsible for managing their vendor relationships. Somewhere along the way, there could be a finding against that third party for their own failures. And there would likely be a contract penalty or clause that needs to be exercised in order to put them back in good graces.

I'm not very knowledgeable about how those third-party assessment programs work. There are a lot of challenges with third parties because: how do you trust, but verify, what a third party says to you about the security of their environment and the processes that they use? They can tell you that they patch, monitor and respond, but there's a point where you can't verify that without being onsite, or on their network.
SVP in Finance (non-banking), 2 years ago
Where the liability ends up when you're dealing with third-party providers is a tough question that comes up a lot. The contracts can be written in a particular way to dictate that, but there's clearly a control gap in this situation. So how do you identify these risks that you have in a practical, operational way? SolarWinds and Kaseya are both examples of the same issue; it's just in a different context. In both cases you have these third-party products that you're using, which are potentially using fourth parties or some number of internal contractors and developers, and you don't have control over that.
