Gregory C. Rasner - Cybersecurity and Third-Party Risk

Hundreds of examples like this have occurred over the last decade, across the world, and in every industry: Ticketmaster, Capital One, Tesla, Under Armor, Boeing, PayPal, Chubb, nearly every major worldwide automaker, Sears, Best Buy, Entercom, and T‐Mobile. In the case of FireEye or a customer of Zyxel, these companies lost protected data as a result of a third (or fourth) party. No one in the public realm remembers that third party; they simply remember the company they trusted with their data who let them down. Such breaches cost these companies large amounts of money, which directly affected consumers, and extensively damaged the companies' reputations. In areas where there was a heavy regulatory presence, the breached firms were often left holding fines as well. In August 2020, the Office of the Comptroller of the Currency (OCC) assessed an $80 million civil penalty against Capital One for failure to establish effective risk assessment processes prior to migrating significant information technology operations to its public cloud environment. It is expected to cost Capital One up to $150 million, and it cost the company's CISO his job at the firm.

The secret is out: If you want to attain protected data as a hacker, you do not attack a big company or organization that likely has good security. You go after a third party that more likely does not. Companies have created the equivalent of how to deter car thieves: Ensure that your car looks difficult enough to break into so that thieves move onto the automobile with its doors unlocked and keys in the ignition. When a burglar sees a car with a car alarm, they know that they can look and eventually find a target that isn't so well protected. Exploiting the weakest link is not new. A bank robber could go to the bank to steal money, but a softer target would likely be the courier service as it brings the money into and out of the bank.

To date, cybersecurity and third‐party risk teams have not often collaborated or understood the common threat, instead focusing their security on their own silos. In most regulated industries, this has led to the typical rush to the bottom to meet the regulatory requirements; meaning, rather than create a security program that secures their data and network, they do just enough to keep the regulators happy. Regulators are never considered to be on the leading edge. Whether it is in financial fraud or cybercrime, they simply do not lead in best practices for any field. However, it is not their responsibility. Regulations are typically designed to limit the behavior of a company that may cause financial or bodily harm. The most highly regulated industries, such as energy, biotechnology, finance, telecommunications, aerospace, and many others, have robust Third‐Party Risk Management and cybersecurity teams. However, if these industries rely on doing what the regulators require of them, they are not going to be performing their best practices.

The most successful companies at preventing their systems from being compromised go beyond what a regulator or regulation mandates them to do for compliance. The regulations and their enforcers get involved after something bad has already occurred. Sarbanes‐Oxley (SOX) was a financial regulation designed to lower the risk of financial fraud by publicly traded companies after the damage done by the tech bubble crash in the early 2000s. The Dodd‐Frank Wall Street Reform and Consumer Protection Act was passed in 2010 after the financial meltdown leading to the Great Recession. These widespread changes in regulation occurred as a reaction to the excesses and missteps that lawmakers felt led to the meltdown. Nearly every regulation passed is due to a previous misstep, not in anticipation of the next misstep or mistake

Being reliant on the government to set the standard for what to do and how to do it is a recipe for disaster. This is not to say, however, that regulations are without their merit when enforced correctly. The argument here is not about whether there should be regulations, but more about if organizations should be advised to view those regulations as the bare minimum to perform. In the case of cybersecurity and third‐party risk, regulations provide some excellent guidance on what is important for organizations. However, if a cybersecurity or third‐party risk team only relies on regulators for the best practical procedures to follow, there's a high likelihood their companies will be hacked. In fact, the likelihood is that they will be hacked quite a bit faster than those companies that view regulatory requirements as their starting point.

To illustrate the point, we can look at the Payment Card Industry Security Standard (PCI‐DSS), which is the payment card standard (using credit and debit cards), to guarantee consumer financial data protection. PCI‐DSS has very specific recommendations and is regularly updated for how to secure networks, protect user data, require strong access controls, perform network security tests, and regularly review information security policies. PCI‐DSS is tested regularly, and its standards are considered rigorous. It is not regulated by the government; instead, it's a group of companies that standardized their practices. Meaning, private companies collaborated to create what is nationally viewed as a success in security.

Third‐party risk, or what another company is doing to lower risk to your company, might seem like it places a CISO and the cybersecurity organization at a disadvantage because they cannot control what goes on at another entity. However, that is a myth. While a third party cannot be directly controlled, there are ways to direct and monitor their behavior and choices to greatly reduce your risk. Anyone who has ever been taught risk or worked as a risk professional knows the mantra: Risk can never be zero. In fact, anything is possible. Regardless of whether your company is using all the fancy technology and expensive software, or employing hundreds of cybersecurity professionals hunting for vulnerabilities, there still is a chance, or risk, of a breach.

The goal is reduce risk to a level that is commensurate with your company's effort to reduce it, based upon its risk appetite. This risk reduction effort of a third party requires a change in a company's cybersecurity approach and attitude. As we dive into the numbers, it will become apparent that not enough companies perform the required due diligence. Out of those that do, some do not perform it at the level necessary to reduce the risk. Often, risk reduction is performed as a compliance effort, and merely viewed as a checkbox to complete in order to keep regulators and auditors at bay. This attitude of “ignoring the risk” or “doing it as ‘checkbox’ security” has caused cybersecurity Third‐Party Risk Management (TPRM) to be absent from adequate attention and activity.

Compliance is not security, yet security is an important piece of compliance. By definition, being compliant is when your organization meets the minimum requirements for specific regulations at a specific moment in time. If we look at many of the companies on the recently breached list, it's likely all were meeting their regulatory obligations for compliance in their respective industries. In the case of Target when its payment system was hacked, it had just completed a certification of its PCI‐DSS. Most regulations are simply a form of deterrence (of things like insider trading or dumping chemicals into a river). Regulations discourage bad behavior either by people or companies.

Security is an ongoing activity—a continuously occurring activity and not one that occurs at a point in time. Compliance activities are performed as a checklist by internal or external auditors to verify that a company's team is following regulations. It's is an important activity that helps prevent bad acts. Employees and companies see these checks being performed, then are discouraged from doing bad things, such as ill‐gotten gains via insider trading or killing fish by dumping chemicals. Security has the dubious distinction of being sure data is not lost. Once data is lost, it cannot be retrieved—it is gone forever into the Dark Web or other places. The deterrent must come from the company's cybersecurity efforts, not the government regulators.