Data Breaches and Third Party Risk

Materiality and Mitigation Approaches

Although most data breach headlines have centered on retail organizations continuing to expose payments related data, the reality is that data breaches are a fact of life in almost every economic sector. In its 2013 Data Breach Investigation Report (( Verizon notes that it saw breaches in restaurants, media companies, multi-national corporations, utilities, defense contractors, and governments among many others. Of course reasons for attacks are as varied as the data that’s being stolen. But the common element is that whether it’s intellectual property, medical records, payments related data or something else, that data is valuable to the fraudster. To date, industry has fought attacks by honing internal security and operating procedures (including outsourcing contracting) and system architectures. And now, especially as it relates to payments data, firms are beginning to take steps that will diminish the value any data that might be stolen in successful attacks.

Third party participation in data breaches can be viewed from many perspectives and unfortunately that’s clouded the role third parties have played in attacks. How big a threat are third parties? By one measure, not very big at all. Verizon’s 2013 analysis, for example, reported that in only one percent of the instances it examined did third parties play a direct causal role, taking on the label of what Verizon calls “threat actor.” But that measure assesses only one of the many ways third parties can play a role in triggering breach events.

The Trustwave Global Security Report ((2012 Trustwave Global Security Report, Page 6)) report, in a stinging condemnation of outsourced system administration practices , reported that in 76% of the cases it investigated a third party responsible for system support, development or maintenance introduced the security deficiencies later exploited by attackers.

Even the presence of sophisticated internal IT security teams are not a guarantee against a third party role of some type in successful hacks. In the recent Target data breach, credible reports indicated that hackers found their way into the company through credentials stolen from an HVAC contractor that had worked for the retailer and had network access. (( But that intrusion path isn’t the complete story. More than a year before the recent breach Target had purchased sophisticated malware detection software (FireEye) that successfully detected the intrusion and could have automatically eliminated the malware, but did not. Why? Target’s internal security team had turned that specific feature off, an action not as unusual as it may sound. ((

The important lesson is that third party roles in a successful breaches can be subtle, can come from the most unexpected directions, and most often represent only one of a number of factors that in combination open the door to successful malware incursions.

Most data breaches will not approach the expected hundred million dollar threshold that experts predict Target will see as a result of its recent attacks, but even smaller breaches can be quite expensive. The just released Fourth Annual Benchmark Study on Patient Privacy and Data Security by the Ponemon Institute calculated that the average economic impact of data breaches for the health care organizations it studied was two million dollars. ((Fourth Annual Benchmark Study on Patient Privacy & Data Security, March 2014, Page 2)) And in Ponemon’s 2013 Cost of Data Breach Study, it found that U.S. companies paid an average of $188/record for data breaches during its study period. (( Organizations would not be paying such a high price for data breaches if preventing them was easy – in today’s technology environment it’s anything but.

Preventing data breaches requires not only good third party vendor management, but good ongoing data security hygiene and operations risk management practices within the firms for whom third parties work. How can you evaluate your firm’s readiness to deal with today’s threatening technology environment? One place to start an evaluation is with the Shared Assessment Program’s Vendor Risk Management Maturity Model, which provides an excellent framework around five high level categories of vendor management: contract provision oversight, ongoing monitoring of service level agreements, potential changes due to the external environment, self-assessment and audit readiness, and independent testing. The model can help management better understand the gap between best practice and today’s practice reality.

Financial institutions (and others) will also benefit from the OCC’s updated October 31st 2013 Guidance on Third Party Relationship Risk Management. The OCC’s guidance explores key management practices through the third party risk management life cycle, and a summary of those elements is available here.

One of the biggest issues in third party risk management has been the natural tenancy for organizations to focus around periodic examinations, be they from regulators, internal or external auditors, Qualified Security Assessor (QSA) organizations, or others. Firms see these periodic exercises as tests to be passed or failed but not, unfortunately, as the periodic evaluations of ongoing process they should be. The good news is that there is broad acknowledgement of this issue, and as relevant regulatory guidance and security standards are being modified they are increasingly sensitive to ensuring appropriate ongoing risk management process.

Third party program risk management is an essential component of any organization’s risk assurance program. Although it may never be possible to completely stop data breaches, by leveraging an increasingly robust set of Third Party related risk management tools from Shared Assessments and others we can make real progress in limiting both the frequency and impact of these events.

For more than 35 years, Santa Fe Group Senior Consultant, Gary Roboff, contributed his outstanding talents to the financial services industry, and in particular to financial services payments systems. Gary has focused on such issues as privacy and information utilization, business frameworks, changes in the payments and settlement systems, and standards for emerging e-commerce applications. He has chaired the Electronic Funds Transfer Association (EFTA) Board of Directors and was a founder of the International Security Trust and Privacy Alliance (ISTPA), serving as Vice Chair of its Board.