How third-party risk management enhances your approach to systemic risks
Talking about systemic risks can be very uncomfortable, as it involves many unknowns. The understanding that a failure somewhere in the supply chain could impact our businesses, even when we have no visibility over it, can lead us to believe that we cannot do anything about the problem. But that isn't always true.
The reason we should keep systemic risks in mind is that they're far from being just hypothetical. The July 2024 CrowdStrike incident, in which a faulty content update to the Falcon sensor crashed millions of Windows machines worldwide, is a good example: no customer was breached, yet a single vendor's bug took down systems at hospitals, banks, broadcasters and airports within hours.
Looking at the news coverage, travelers and airlines appear to have suffered the most from the CrowdStrike crash. The widespread delays and cancellations left travelers with no options to get to their destinations as planned. Delta Air Lines stated that the mass cancellations resulting from this incident cost it around US$ 550 million.
For some, this incident was a wake-up call. For others, it was just bound to happen in the current landscape. But why would that be?
An ongoing problem
The CrowdStrike issue highlighted a potential weakness in the travel industry. However, many businesses do not look at airlines or hotels as "vendors." This can be problematic because these companies can be targeted by threat actors and present a risk to company employees and executives. At the very least, travel data could be exposed, leaking information regarding a company's deals or strategies. At worst, executives could be targeted by an evil maid attack, in which someone with brief physical access to an unattended laptop in a hotel room tampers with it (for example, by implanting a bootkit). Full-disk encryption alone does not stop this, which is why measured boot, pre-boot authentication and a policy of never leaving company devices unattended matter for travelling executives.
Travel is not the only sector frequently overlooked in cybersecurity. Utilities, for example, are often outside the scope of vendor risk management. However, in some countries, businesses are starting to see the value in mitigating risks related to essential services outside of the data center environment. In November last year, São Paulo, the largest city in Brazil, contended with a week-long blackout after a storm left millions without power. South Africa has been seeing rolling blackouts for over a decade, and China has also had similar issues in the past few years.
In 2018, a political dispute between Serbia and Kosovo caused the frequency of the continental European power grid to dip, causing clocks that keep time from the mains frequency (ovens, microwaves, some radio alarm clocks) to fall about six minutes behind (the grid was later run slightly above 50 Hz to make up the deficit). In the United States, there was the Texas power crisis during Winter Storm Uri in 2021, and the Cybersecurity and Infrastructure Security Agency (CISA) has warned critical infrastructure operators about hacking activity from actors like Volt Typhoon, which has pre-positioned itself inside operators' networks rather than launching immediately disruptive attacks.
Climate risks, geopolitical instability, and the ability of each of these organizations to recover from failures all impact businesses on a large scale.
While many of these sectors are regulated, everyone relies on vendors — especially software vendors that, as a rule, are not liable for faults in their products. This creates a challenge for everyone tasked with building an affordable and reliable service on top of potentially unreliable software.
Market forces, incentives, and TPCRM
U.S. regulators have been touting the idea that software vendors should follow quality standards or be liable for any issues they create. CISA Director Jen Easterly has been saying this for at least a year and reiterated this perspective at a conference in September.
It's intuitive that new regulations might drive the market in a different direction, but that's not the only force at play. Indeed, the fundamental issue lies with market incentives: businesses rarely take the security of the software products they buy into account when choosing them, and many organizations don't even have the means to assess the security of the software they're buying.
The information asymmetry in this relationship, where the customer does not have complete visibility into the product and the vendor has little reason to provide it, makes it very challenging both to buy and to sell secure software. This market failure, where the "best" product could be unable to compete on a feature the buyer cannot verify, creates negative externalities: unrelated companies end up bearing the cost of the widespread adoption of insecure solutions.
Many cyberattacks leverage hacked infrastructure, so it's quite easy to see how insufficient security barriers end up harming and creating costs for everyone else.
This is where third-party cyber risk management (TPCRM) has a pivotal role. When businesses actively engage with vendors to assess their security and demand that they provide secure products and services, the incentives begin to shift. As it sweeps along the chain, the demand for more security has the potential to transform our ecosystem.
As the saying goes, a rising tide lifts all boats.
It's easy to lose sight of this, especially since TPCRM programs tend to have humble beginnings — usually seeking to understand the related aspects of the business that were not fully documented, such as how many vendors the company relies on and the nature of each relationship. Nevertheless, the value of this exercise will become apparent every time a new vendor is hired or an existing relationship is reevaluated, as it will ensure that the company knows what it can – and should – demand.
By becoming better buyers, businesses will be doing a favor not only to themselves but to the whole market. And if the market falls behind, those businesses are the most likely to get ahead.
Becoming aware of the limits
CISA recently released a guideline, "Secure by Demand Guide: How Software Customers Can Drive a Secure Technology Ecosystem." While somewhat related to the point we're making here, we think that businesses that do not already have a TPCRM program could find it difficult to follow this advice.
Evaluating the security of software can be time-consuming, and it becomes much easier once a company has a foundational understanding of its third-party risk and of what it gains by demanding higher security standards. Therefore, companies should start by mapping their own risks and needs, especially concerning cybersecurity, and only then evaluate their suppliers. Based on this analysis, they should be able to develop specific criteria for how relevant each third party is to their value chain (what it supports, what happens if it fails, and whether there is a fallback), with the goal of a strategic, prioritized approach to assessing and managing cyber risks rather than a uniform questionnaire sent to every vendor.
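The inventory step described above (how many vendors the company relies on and what each one supports) and the prioritization step (criteria for how relevant each third party is) can be made concrete with a small script. The example below is added here and is not code from the original article; the vendor names, business processes, impact ratings and upstream providers are constructed sample data. It does two things the inventory alone does not show: it tiers vendors by impact and by whether they are the sole source for a process, and it walks the disclosed upstream dependencies to find the concentration points (a shared cloud or endpoint-security provider) whose failure would take out several vendors at once, which is exactly the CrowdStrike pattern.

```python
"""Vendor inventory with tiering and fourth-party concentration analysis.

All data below is constructed sample data; vendor, process and provider
names are hypothetical. Added example, not from the original article.
"""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class Vendor:
    name: str
    supports: set[str]                       # business processes this vendor underpins
    impact: int                              # 1 (nuisance) .. 4 (business-stopping) if it fails
    depends_on: set[str] = field(default_factory=set)  # upstream providers the vendor disclosed


# Constructed inventory. "PayrollSaaS" is both a vendor and an upstream of "ExpenseTool",
# so the analysis has to follow dependencies transitively.
INVENTORY = [
    Vendor("BookingPlatform", {"travel"}, 2, {"CloudA", "EDR-X"}),
    Vendor("TravelAgency", {"travel"}, 2, {"CloudB"}),
    Vendor("PayrollSaaS", {"payroll"}, 4, {"CloudA", "EDR-X"}),
    Vendor("ERP-Host", {"orders", "invoicing"}, 4, {"CloudB", "EDR-X"}),
    Vendor("HelpdeskTool", {"support"}, 1, {"CloudA"}),
    Vendor("ExpenseTool", {"expenses"}, 2, {"PayrollSaaS"}),
    Vendor("Utility-Power", {"office"}, 3, set()),
]


def single_source_processes(inventory):
    """Processes supported by exactly one vendor, i.e. with no fallback."""
    by_process = defaultdict(set)
    for v in inventory:
        for p in v.supports:
            by_process[p].add(v.name)
    return {p: next(iter(vs)) for p, vs in by_process.items() if len(vs) == 1}


def tier_vendors(inventory):
    """Assessment tier per vendor: 1 = deep assessment, 3 = light touch."""
    sole = single_source_processes(inventory)
    tiers = {}
    for v in inventory:
        sole_critical = v.impact >= 3 and any(sole.get(p) == v.name for p in v.supports)
        if v.impact >= 4 or sole_critical:
            tiers[v.name] = 1
        elif v.impact >= 2:
            tiers[v.name] = 2
        else:
            tiers[v.name] = 3
    return tiers


def reverse_graph(inventory):
    """provider -> vendors that depend on it directly (sorted for determinism)."""
    down = defaultdict(set)
    for v in inventory:
        for upstream in sorted(v.depends_on):
            down[upstream].add(v.name)
    return down


def downstream_closure(provider, down):
    """Every inventory vendor affected, directly or transitively, if `provider` fails."""
    seen, stack = set(), [provider]
    while stack:
        node = stack.pop()
        for dependent in down.get(node, ()):
            if dependent not in seen:
                seen.add(dependent)
                stack.append(dependent)
    return seen


def blast_radius(inventory):
    """Per upstream provider: affected vendors, affected processes, worst impact and a score."""
    by_name = {v.name: v for v in inventory}
    down = reverse_graph(inventory)
    result = {}
    for provider in down:
        affected = downstream_closure(provider, down)
        processes = set().union(*(by_name[n].supports for n in affected))
        worst = max(by_name[n].impact for n in affected)
        result[provider] = {"vendors": affected, "processes": processes,
                            "worst_impact": worst, "score": worst * len(processes)}
    return result


def concentration_risks(inventory, min_vendors=2):
    """Providers whose failure hits several vendors at once, highest score first."""
    hits = [(p, r) for p, r in blast_radius(inventory).items() if len(r["vendors"]) >= min_vendors]
    return sorted(hits, key=lambda pr: (-pr[1]["score"], pr[0]))


if __name__ == "__main__":
    for name, tier in sorted(tier_vendors(INVENTORY).items(), key=lambda kv: (kv[1], kv[0])):
        print(f"tier {tier}: {name}")
    for provider, r in concentration_risks(INVENTORY):
        print(f"{provider}: {len(r['vendors'])} vendors, processes {sorted(r['processes'])}, "
              f"worst impact {r['worst_impact']}")
```

Note that the hypothetical "EDR-X" provider never appears in the vendor list itself, yet it outranks every individual vendor in blast radius because three vendors and one of their customers all sit on top of it. That is the kind of dependency a questionnaire that only asks "who are your vendors?" will never surface; it only comes out when vendors are asked to disclose their own critical providers and the answers are joined together.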
Even then, it's hard to say with certainty that market forces will be enough to sway the entire IT industry. The future is always challenging to predict, and conditions in cybersecurity in particular can change very quickly. The more we understand about TPCRM, the easier it will be to find our pain points and identify the risks we cannot mitigate with our efforts alone.
When regulators come knocking, we should hopefully be able to build a constructive relationship. There is a good example to follow: the CrowdStrike incident was only as shocking as it was because airlines and aerospace companies have a long history of successfully cooperating with regulators to strengthen the safety and resilience of air travel across the board, boosting their whole sector with it.