In this episode we talk with Jake Olcott, BitSight’s VP of Communications & Government Affairs, about the cybersecurity regulation landscape today, and the impact it can have on organizations building or operating their vendor risk management programs.
Listen now to hear more about notable and emerging cybersecurity regulations, how to build a vendor risk management program around them, and what businesses can expect from regulators in the upcoming months.
Alex: Welcome to the BitSight Risk Review. During each episode, we'll be discussing current events in technology in the security and risk space. Thanks for tuning in and let's get started.
Hi everyone. Welcome back to the BitSight Risk Review. I'm your host, Alex Campanelli. Today I have Jake Olcott, BitSight's V.P. of Strategic Partnerships, on the line with me to talk about creating a strong vendor risk management program with cybersecurity regulations on the rise. Jake, thanks for dialing in.
Jake: Alex, absolutely. Happy Thanksgiving to all.
Alex: Thank you. Thank you. Okay, so in our first episode we talked with Stephen Boyer about using security ratings for vendor risk management, or what we call VRM. And essentially we're talking about the importance of controlling the risk your vendors or third parties pose to your organization. What are some of the numbers surrounding third party breaches and some of the major instances that we might have seen in the news?
Jake: Well, I think anybody who's listening knows that third party risk has become a major issue. You know we're opening up the newspaper on a daily basis and we're seeing breaches, many of them have third party connections to them. And so certainly something on the rise. BitSight has done a lot of research on this working with a lot of different research firms. And we found a few sort of interesting statistics having done lots of different surveys.
In the last 18 months, we have seen one out of five businesses that claim to have experienced significant risk exposure from third parties just in the last 18 months, so almost 20 percent of organizations. In recent years, almost two thirds of all data breaches have been linked directly or indirectly to third party access issues. Two thirds, 66 percent, again two thirds of IT decision makers don't know how many vendors have access to their networks, which obviously poses significant risk to the organization. And the final statistic that is really shocking when you think about it is that 89 different vendors on average access the average company's network weekly. So we're seeing lots of different breaches involving third parties, an environment where we don't really know who has access to our network. And then also widespread vendor access to the network.
All of those things put together pose significant problems, you know, to companies in all sectors. And I think that all we have to do again is just sort of open up the paper and see that these incidents are having a significant impact on organizations. You know I just sort of think back to the last few months, you know the Wall Street Journal the other day front page story on a series of cyber attacks targeting the defense sector. We've seen major management consulting firms, you know, some of the Big Four saying that they have been affected. Of course, you know, these management consulting firms have a lot of sensitive data that they're keeping on behalf of their customers. And one final one to mention just sort of interestingly enough. When the Securities and Exchange Commission several weeks ago announced that they had been the victim of a breach impacting the Edgar filing system, this is obviously very impactful to companies who provide the SEC with some very sensitive data about their financial reporting. So whether it's a third party vendor or a third party organization like your regulator, like the SEC, this is an issue on your mind.
Alex: So what types of third parties should organizations be concerned about?
Jake: Well Alex, the way that I like to think about this is in a couple of different ways. I like to break things down in thinking about organizations that are isolated from our first party organization, or organizations that are directly connected into our environment. So let me start with the direct network connection because I think that that is probably something that people sort of understand. Organizations that are directly connected into our environment. Think of this as the Target and HVAC vendor issue. So we're working with a third party organization, a third party vendor, that has direct network access into our environment. And obviously you know in the situation with Target, it was the third party HVAC vendor, bad guys break into that organization, they rode that network connection directly into Target's infrastructure and the problem that we discovered later was that the HVAC vendor had not been properly segmented from the rest of the Target infrastructure. So when the bad guys broke in, they were essentially able to gain access to whatever they wanted to access inside of the Target environment. So organizations need to be really concerned about the types of third parties, the vendors, the contractors that they're giving direct network access to. And so, you know, we want to think about, you know, who are we working with. You know, who within the organization actually has this access. And have we been able to segment that access in our own environment as much as we can?
Because obviously we're going to be working with folks that we do want to provide direct network access into our environment, but we want to be able to sort of continuously monitor them as best as we can. So I think of those organizations that are directly connected, that's usually, you know, when folks are sort of thinking about which are the third parties that I need to sort of prioritize. People typically start with organizations like that. However, we have seen in recent years that the bad guys are not just targeting those types of organizations, they're really interested in stealing the data, your sensitive data, wherever it lies, wherever it lives. And so for that reason, you should also be concerned about what I would otherwise call the isolated third party. These are third parties, vendors, business associates, contractors that you are giving sensitive data to, or they're working on a sensitive project on your behalf. But they do not have direct network connection into your environment. And so when we think of, you know, earlier I mentioned the management consulting firm, or the law firm, or perhaps the payroll provider, the contractor who's working on some sensitive work on your behalf, maybe even folks doing some IT security work for you. All of these types of organizations may have sensitive data of yours, but they do not have that direct network connection. So these are also folks that you want to be thinking are critical to your organization and you want to make sure that they are implementing the best security measures that you can.
Alex: Well I think that was important to set the stage, so thank you, Jake. Let's get down to today's main topic. I want to talk about increasing cybersecurity regulations. Over the past several years, we've seen a definite increase in regulatory activity with a significant amount of it happening in the finance industry especially. So can you talk more about those regulations and what they might mean in a business context?
Jake: Well, sure. So I think you know anyone who is doing business today is sort of increasingly running into cybersecurity regulations, and we've certainly seen it in the financial industry. And this is not just in the U.S. but also I would also say this is a global phenomenon that more and more financial regulators are really stressing the importance of not only financial institutions protecting themselves and creating more castle walls, as it were, around their own infrastructure. But increasingly financial regulators are focusing on third party risk. And so we've seen it, you know, here in the U.S. with a lot of the national regulators, the Office of the Comptroller of the Currency, the Federal Reserve, the Securities and Exchange Commission, the FDIC. All of these major federal regulators have in recent years announced new regulatory requirements for third party risk management, focused on building the vendor risk management program and that includes, you know, identifying critical vendors, negotiating contracts to include security and the key term ongoing monitoring of those third parties during the lifetime of the relationship. This has really been a major point of emphasis by these financial regulators. They've not only adopted new requirements, but they are increasingly asking questions during regulatory exams. We know that this has been a priority for all of those financial regulators that I mentioned in 2016, 2017. And I think that a number of them will be announcing their priorities for 2018 in the next couple of weeks. We certainly expect that third party risk is going to be a major issue into 2018 also.
Alex: A new regulation just emerged from the New York Department of Financial Services, correct? So many organizations have headquarters or offices in New York, and what does that mean for them?
Jake: Yeah, New York is another one, absolutely. You know this is sort of another interesting thing that we're seeing is that states are increasingly trying to insert themselves into this discussion as you mentioned, Alex, certainly a lot of presence by major financial institutions in New York. Obviously the other sort of crucial thing here is not only a presence in New York, but working with New York customer information. And so when we think of, you know, the DFS regulations, or even I think another issue on people's minds is GDPR, which is the new EU requirement. Basically what we're seeing is all these different approaches in different regions all focus on protecting consumer data or customer data. But again the emphasis for many of these regulations is on third party risk management. So again organizations are going to want to be focusing on building a vendor risk management program focused on identifying those critical vendors, you know, assessing the risk and the security posture of those vendors, addressing the relationship with those vendors in the contract, and then also doing this ongoing monitoring of those parties during the lifetime of the relationship.
Alex: Stepping back, we've talked about the finance industry, but besides the finance industry, who are regulators most interested in?
Jake: Well, with respect to this idea of third party risk, we're certainly seeing it throughout a number of different sectors. So in financial sectors, it's obviously most obvious, but I would also say that in healthcare. You know an organization in healthcare is used to dealing with third parties in that context, they call them business associates. And so you know healthcare organizations have seen that in HIPAA for a number of years, again sort of a major issue in health care. If you're in the defense sector, you're focusing on what the defense sector calls supply chain risk management. But it's just again that's another term for third party risk management there. You know organizations like the DOD, the Department of Defense, are placing obligations on their, you know, major systems integrators and DOD contractors to create third party risk management programs and flow some of these security provisions down to the smaller contractors and subcontractors. We see this in a variety of areas and certainly in the consumer, you know where consumer data is the focus. We've seen that the Federal Trade Commission among other state attorneys general are also sort of focused on this third party risk issue. So really across the board, not a sector sort of remains untouched by these ideas and certainly as I mentioned with the GDPR coming out, you know, in the months ahead, that is going to continue to expand. So this has become, you know, really the major issue in cybersecurity for most, if not all sectors. Not to mention the electric sector. I don't want to leave the electric sector out of this. New regulations in place from FERC and NERC focused on supply chain risk management again. So seeing it across all different sectors.
Alex: We've seen these major regulations come out. You know in 2018, in May, we'll see the GDPR come out and start becoming enforced. But when we're thinking about third party risk management, or vendor risk management, what are the top three or four pieces of advice you have for companies who are looking to build their VRM program around these regulations that we're talking about? And you touched on this earlier, but I wonder if you could go into a little more detail.
Jake: Yeah, sure. Well you know it's unfortunate we have so many different terms for this idea of managing third party risk and sometimes all these terms can become very confusing to people. And so one of the things that I get to do in my job is to try to understand all these different things that are happening and try to determine if there is some overlap. And the good news I think is that there really is a lot of consistency in the way that a lot of these different regulators are approaching this problem. And I say that's good news because you know a lot of companies, they don't just participate in one sector. They don't just participate in the U.S., right? There's a lot of multinational companies out there. So I think the good news for organizations is that there is a lot of consistency. There's a lot of consistency internationally, as well. And so specifically what is consistent? So just think of this in terms of the framework here. So you know all of these different regulations, regardless of whether they talk about supply chain risk, or third party risk, or vendor risk, they're really talking about the same type of approach that one should take in order to get a better handle on this. And so you begin with understanding who your critical third parties are. And this is usually defined by... there will be different definitions for this, but think of these as the organizations that have our sensitive data, or could have a material impact on our organization if this data was lost or compromised. So that's really where we want to start is the third parties that are most critical to our organization.
Second step is we have to assess the security of these organizations prior to going into business with them. And this is commonly referred to as the diligence process. You know, how do I do cyber diligence over an organization before I enter into a business relationship with them? And of course there are a variety of different ways to do that, BitSight's security ratings are used in that diligence process, as are questions, you know, you see a questionnaire. Perhaps you'll ask somebody to provide you with a self-assessment, or the results of a recent audit, but you're looking for data that demonstrates the security posture of the organization. So that's the diligence process. How do we go about doing diligence?
The third major step that, again, most regulators talk about is we've got to build contractual requirements for our third parties. And sometimes regulations are very specific about what you should be requiring your third parties to do. Other times they're not, they're more general. But again, it's all about examining the contractual relationship that you have, examining the legal documentation that you've put in place, and making sure that you're holding your third parties to a certain standard or a certain level of security.
The next step, again that is really consistent across all regulations is this idea of doing some sort of monitoring of that third party organization, with respect to security, after you've gone into business with them. And the reason for this is obvious, security changes. We live in a dynamic environment. And so increasingly regulators, whether it's the financial sector or otherwise, are really emphasizing this idea of doing ongoing monitoring. Sometimes they call it continuous monitoring, but it's usually referred to as ongoing monitoring of your third parties. And again, this is really where BitSight is helping folks out here is to do that more sort of dynamic monitoring of your organization to understand when things change and then to be able to collaborate with your third parties when things do happen.
And then the final step that again most regulations sort of talk about is the termination process. Organizations should be terminating relationships when bad things, if and when bad things happen with respect to security. So there's usually some sort of notification process that a regulator is going to put into play where they want you... they want some sort of notification when there's been an incident affecting a third party. Third parties should be notifying first parties when that's happening. But this is sort of the framework and I think if anybody just kind of pauses to think about your own vendor risk management program, you'll probably find that there's a lot of common ground there between some of the things that regulators are asking your organization to do and probably some of the things that you're already doing.
Alex: Absolutely. I want to kind of scale it back for the last question and I like to end each podcast talking about the bottom line, or the big picture. So what can businesses expect with these regulations moving forward, Jake?
Jake: Well, I guess I would say a couple of things. First of all. You know I think that there have been a lot of incidents in the news, we talked about that at the beginning, I think that that has really encouraged a lot of organizations to create some of these vendor risk management programs to begin with. But if you haven't been motivated by the news, the regulations are probably a good motivator as well. And this is certainly, again, the trends that we're seeing, this is only becoming a bigger issue for regulators, again not only here in the U.S., but also internationally. So take a close look at your regulator, your state or national regulator, very good chance that they've been working on some sort of third party risk management requirements. And a very good chance that they'll be doing some sort of assessment or examination of that in the months and years ahead. So now's the time really to sort of get out ahead of that, show your regulator that you take this seriously, and that you have a good program in place. I think that's really what regulators are looking for at the end of the day. As a former government employee myself and having spent a lot of time working with regulators over the years, they're really... they're not looking to burn folks as much as they're looking for some sort of demonstration of accountability and responsibility. And I think organizations can really do a lot of good by showing that they have a strong program in place and be able to answer the mail when the regulator comes.
Alex: Definitely. Something for organizations to keep in mind moving into 2018. Well, that looks like all the time we've got. Jake, thanks for chatting with me.
Jake: Thanks Alex. Thanks to everyone for listening.
Alex: All right, thanks for joining us, everyone, and we'll see you next time on the BitSight Risk Review.
Thanks for tuning in to the BitSight Risk Review. Head over to www.bitsight.com for more episodes and other great security ratings content. Feel free to connect with us on Twitter, LinkedIn, and Facebook. We'll see you next time.