Third Party Focused Ransomware Strategy: An Enterprise-Wide Collaborative Strategy Guide for TPRM Professionals

While excellent ransomware guides and tools exist from various sources, our new guide (Third Party Focused Ransomware Strategy: An Enterprise-Wide Collaborative Strategy Guide for TPRM Professionals) and the related resources referenced throughout provide a Third Party Risk Management (TPRM)-focused approach. The content is designed for both new and seasoned security and TPRM practitioners, with a short introductory Executive Summary to help inform C-Suite and Board discussions about defining the risks and guiding the allocation of sufficient resources, with the appropriate breadth of experience and skills, to manage them. The paper documents how those resources can be deployed to cost-effectively achieve organizational resilience across the enterprise.

To effectively manage the risk of ransomware attacks, organizations on both sides of the outsourcing equation must incorporate a collaborative, enterprise-wide, TPRM-focused ransomware strategy into the basic fiber of their risk management programs. This effort is an essential part of operational resilience. Failing to acknowledge the high probability that a ransomware attack will occur is likely to result in more frequent and more costly impacts. The structures and processes presented in this paper are equally relevant to managing operational risk in general.

This paper was envisioned as a means of refining risk management efforts around ransomware—starting with the very first stages to prepare for any incursion—what your board needs to do, what processes you need to apply to your organization, where you need to be looking, the stages, the best tips, and importantly how you can establish a working partnership with your third parties.

Ransomware demands an emergency triage response. As our committee co-chair, Martin Freeman (Cyber Security and Compliance Managing Director, Calastone) notes, “Naturally, having a plan is key to preparing for ransomware attacks. However, what may not be as clear is the importance of exercising that plan across your entire team to work out the kinks and establish the muscle memory required to effectively run the plan during a high-stakes event. Build your ledge for safety as close to the top as possible—how far you fall will be determined by the quality of your preparation.”

Ransomware also demands a skilled and agile response. The ultimate questions are:

  • What can you afford to live without?
  • Does your leadership/Board understand what capabilities and data may be unavailable, even with the best precautions?
  • Do you have a trusted team—internal and external—capable of helping you recover your systems and data?
  • Do you have defined criteria for how you will determine that a backup is viable for restoration?

This paper represents the work of the Shared Assessments Global TPRM Best Practices Committee and project team of SMEs who stepped forward to compile this guide. Globally our members and other industry leaders all face the same challenging issues in managing third-party risk. Shared Assessments offers opportunities for members and non-members alike to address global third-party risk management challenges through our committees. Our committee participants are leaders in their industries and integral to our global community of risk management professionals.

The best practice solutions that have evolved over the past two decades are brought together and refined by this group, which this year has chosen to focus on ransomware preparedness, reputational risk, and onsite best practices. The Global TPRM Best Practices Committee now has 260 individuals from 185 organizations spanning 15 time zones registered. This group is open to members and non-members. Examples of previously examined topics include complex supply chains, fourth (and Nth) party management, third party contract development, risk rating, and assessment scoping. If you would like to join, we’d love to have you.

Like all committee papers, this one includes a Practitioner’s Guide that incorporates robust risk management targets, goals, and plans that are general and generic, all of which support a collaborative, enterprise-wide, TPRM-focused strategy. This material may be tailored to the organization’s unique settings in order to set targets and goals for best practice planning, documentation, and implementation in a manner consistent with the organization’s internal control framework and risk appetite.

The paper is available for download here.
