Security Ratings by definition, are produced by monitoring the internet space for information relevant to an organization’s internet exposed assets. There are many players in the industry that offer security rating tools (Security Scorecard, BitSight, Fortify Data, etc., to name a few).
These ratings have a considerable weightage (in the overall security assessment) when assessing the security posture of third parties. For that matter, any organization can subscribe to these ratings to understand the threat exposure. Since these ratings are non-intrusive, you only get to know the vulnerabilities external to an organization. But it doesn’t stop there, some of these tools give a lot of information about your third parties and also your fourth parties, which gives you an idea of how to manage third-party risk.
Using a tool also helps organizations monitor security posture, which is also a key factor as part of “Continuous Monitoring” as third-party risk assessments performed are point in time and only a small % of companies perform re-assessments within the same year.
Mergers & Acquisition (M&A) expose the organization to all the third parties of the merged or acquired company. If it’s not integrated (NIB), it’s still a bit easier to manage third-party risk. But, if the business is integrated, it requires a well thought strategy to ensure all third parties are:
- Risk assessed as per the existing security standards.
- Risks identified are mitigated or brought to an acceptable level.
- Re-negotiate the existing contracts on the basis of risk exposure.
- Ensure the necessary privacy and security language is embedded (Security and Privacy Exhibit).
- Add critical third parties to the continuous monitoring list.
- Have a defined criteria and procedure for re-assessment, this may need additional language in the contract.
and more..
