Gregory C. Rasner - Cybersecurity and Third-Party Risk


Cybersecurity and Third-Party Risk: summary, description and annotation


STRENGTHEN THE WEAKEST LINKS IN YOUR CYBERSECURITY CHAIN Across the world, the networks of hundreds of different world-class organizations have been breached in a seemingly never-ending stream of attacks that targeted the trusted vendors of major brands. From Target to Equifax, Home Depot, and GM, it seems as if no company is safe from a third-party incident or breach, regardless of size. And the advanced threats are now exploiting the intersection of weaknesses in cybersecurity and third-party risk management.
In Cybersecurity and Third-Party Risk, veteran cybersecurity specialist Gregory Rasner walks readers through how to lock down the vulnerabilities that third parties pose to an organization’s network. You’ll discover how to move beyond a simple checklist and create an active, effective, and continuous system of third-party cybersecurity risk mitigation.
The author discusses how to conduct due diligence on the third parties connected to your company’s networks and how to keep your information about them current and reliable. You’ll learn about the language you need to look for in a third-party data contract whether you’re offshoring or outsourcing data security arrangements.
Perfect for professionals and executives responsible for securing their organizations’ systems against external threats, Cybersecurity and Third-Party Risk is an indispensable resource for all business leaders who seek to:

Understand the fundamentals of third-party risk management

Conduct robust intake and ongoing due diligence

Perform on-site due diligence and close vendor risks

Secure your software supply chain

Utilize cloud and on-premises software securely

Continuously monitor your third-party vendors and prevent breaches

Cybersecurity and Third-Party Risk — read the excerpt online


While TPRM organizations struggle to keep up with the level of breaches and incidents involving vendors, evidence shows that most cybersecurity organizations are not taking the lead in this domain, and that TPRM groups do not have the expertise to address this gap. According to the Ponemon Institute “Data Risk in the Third‐Party Ecosystem” study (2018), only 40 percent perform any cybersecurity due diligence. Sixty percent perform none or only ad‐hoc cybersecurity reviews. The evidence indicates that a large share of the 40 percent (i.e., those that perform some cybersecurity due diligence) do not do enough, as evidenced by the level of breaches and incidents. TPRM organizations must begin focusing more on the Information Security domain, and either bring cybersecurity experts directly into their organizations or partner with cybersecurity teams to address the gap. Doing so will also require that a cybersecurity team is able to understand the problem with third parties and address the risk.

While the fines and publicity for failure to follow TPRM guidelines are not as large, instances of regulators acting can be found:

In 2020, the OCC assessed an $85 million civil money penalty against USAA for failure to implement and maintain an effective compliance risk management program.

In 2020, the OCC assessed a $60 million civil money penalty against Morgan Stanley for not properly decommissioning some Wealth Management business data centers.

In 2020, the OCC assessed a $400 million civil money penalty against Citibank for failures in enterprise risk management.

In 2020, the Federal Reserve announced an enforcement action against Citigroup Inc., requiring that the firm correct several longstanding deficiencies.

In 2020, the OCC assessed an $80 million civil money penalty against Capital One for not establishing an effective risk assessment process, which led to the breach in its public cloud.

In 2013, the U.S. Securities and Exchange Commission (SEC) lowered the burden of proof for proxy disclosure enhancements on risk management inadequacy from fraud to simple negligence. This means that boards of directors and senior management of publicly traded companies can no longer claim they had no knowledge of a risk.

In 2019, the SEC and the Commodity Futures Trading Commission (CFTC) charged Options Clearing Corp. with failing to establish and maintain adequate risk management policies, forcing the organization to pay a $20 million penalty.

Cybersecurity and Third‐Party Risk

Cybersecurity as a field is also very young, though it is older than TPRM. Cybersecurity is often thought to have begun after the first cyberattack was thwarted in 1986 in the Soviet Union, when Marcus Hess hacked into 400 military servers and the Pentagon. Intending to sell the information to the KGB, Hess was foiled by American Clifford Stoll.

In the 1970s, several attacks occurred on the early internet. For example, Bob Thomas created the first computer worm, named Creeper, which traveled between early ARPANET terminals displaying the message “I'M THE CREEPER: CATCH ME IF YOU CAN.” In the same decade, Ray Tomlinson created the worm Reaper, the first antivirus software, which could find copies of Creeper and delete them. However, the one that finally brought the need for information security to the doorstep of the novice IT industry was the Morris Worm.

The Morris Worm

In 1988, Robert Morris, like all curious computer scientists, wondered, “How big is the internet?” And like all good curious computer scientists, he decided to write a program to find out the answer. The answer was found by his worm, which traveled through networks like wildfire, invaded Unix terminals, and crossed domains faster than a speeding bullet. His worm was so good at replicating that it would infect the same computer multiple times, and each additional infection would slow the computer down further, to the point of damaging it. Robert Morris was charged under crimes covered by the Computer Fraud and Abuse Act. Enacted in 1986, this act was an amendment to the first federal computer crime law and addressed hacking. This act continues to be updated, but only as recently as 2008, which reaffirms our earlier point that regulators are not at the cutting edge, and that good cybersecurity programs should not be designed merely to meet regulations. Such programs should exceed these regulations in order to have any hope of being successful. If we consider the 1970s as the start of cybersecurity, it is only within the last 20 years that companies have had Chief Information Security Officers (CISOs) and divisions, groups, or teams that report directly to them.

Cybersecurity, like any other discipline, has developed several frameworks, associations, testing accreditors, credentials, and subdisciplines over those 20+ years. ISC2, ISACA, and EC‐Council are just three of the credential/testing accreditors. CISSP, CIPM, CISM, CompTIA Security+, and countless other managerial, technical, and administrative certifications are also available. To demonstrate the complexity of the cybersecurity subject matter, we use the Certified Information Systems Security Professional (CISSP) as the best example. This certification is still the gold standard in the industry, as shown by study after study indicating that demand vastly outstrips the supply of CISSP certificate holders.

Within infosec, clear subdomains have developed (citing the eight CISSP domains):

Security and Risk Management

Asset Security

Security Architecture and Engineering

Communications and Network Security

Identity and Access Management

Security Assessment and Testing

Security Operations

Software Development Security

Further subdomains can be found within these cybersecurity domains. For example, let's look at the Security and Risk Management domain:

Security and Risk Management Domain: It comprises 15 percent of the CISSP exam and is the largest domain found in CISSP. The latest editions of the study guides for this exam detail the following:

The Confidentiality, Integrity, and Availability of information

Security governance principles

Compliance requirements

Legal and regulatory issues relating to information security

IT policies and procedures

Risk‐based management concepts

This information is in Chapter 1, “Security and Risk Management,” in the CISSP All‐in‐One Exam, 8th Edition by Shon Harris. Notice there is one bullet on risk‐based management concepts. Among those study guides, none has more than two pages on “Supplier Management” or “Vendor Risk Management Process,” depending on how it is listed in the index. The focus of these guides is on the management of a process and compliance language, such as service‐level agreements (SLAs), legal concerns, and privacy regulations. Supplier management is viewed as something belonging to a process team, which certainly some of the work will be, but this misses the opportunity to take an aggressive approach, as in the Security Operations domain.

However, this is not the responsibility of the CISSP body of knowledge or necessarily of any other cybersecurity certification. These guides are designed to provide frameworks and a library of information that the cybersecurity profession can then use to manage the risk. Hundreds of specialties and job roles exist in cybersecurity, and except for job‐specific certifications, the study guides and exams do not prescribe how cyber organizations run their operations and programs. In this case, the cybersecurity industry has been largely focused on securing internal networks, while TPRM professionals have spent the last 10 years growing their profession. The gap has been widening over time, but the COVID‐19 pandemic made the problem more pronounced. The approach for this domain must evolve into a field of its own, mimicking cybersecurity operations more than cyber Governance, Risk and Compliance (GRC).
