
Following CrowdStrike outage, local consultant urges:

‘Watch out for third-party IT risk’

by Raphael John-Lall, 22 August 2024

Managing director of ACE Strategic Solutions and vice president of the ISC2 (International Information System Security Certification Consortium) Caribbean Chapter, Ricardo Fraser, is urging local businesses to adopt third-party risk management (TPRM) practices following the Microsoft outage in July, which affected businesses globally, to the tune of billions of US dollars.

In July, Minister of Digital Transformation, Hassel Bacchus, was quoted by local media as saying there was no major impact in T&T, while the Bankers Association of T&T (BATT), in a media release, said it was monitoring the situation.

Fraser explained that TPRM, in this context, refers to managing the risks posed by third-party vendors, which may expose the acquiring organisation that uses the vendors’ services to risk. As a result, a holistic approach must consider the legal, regulatory, technological, business continuity, reputational, strategic, fraud, financial, and cybersecurity risks associated with working with a vendor.

“Outages and business interruption incidents such as the Microsoft incident due to CrowdStrike underscore the need for suitable technology risk management responses to third-party vendors. Prior to onboarding any vendor, holistic third-party risk assessments should be performed prior to determining the correct risk management response for the lifecycle of the vendor-client relationship. It is often overlooked that any vendor may possibly expose an organisation to technology or cybersecurity risks such as confidential data breaches, service downtime, or data processing errors,” Fraser told the Business Guardian.

Two weeks ago, the ISC2 Caribbean Chapter hosted a webinar advising businesses on how to sustain their competitive edge through third-party risk management.

The ISC2 Caribbean Chapter is a non-profit organisation of volunteer members committed to education, training, and capacity development in cybersecurity in the region. Membership is free, and the chapter is a member of ISC2, the largest globally renowned body for cybersecurity.

After the webinar, Fraser gave the Business Guardian additional information on the latest trends in the world of technology and how businesses can protect themselves.

He gave advice on what business owners may do in undertaking third-party risk management practices.

“Measures organisations may take involve contractual reviews, reviews of service level agreements, reviews of independent audits and certificates of attestation, monitoring of services, and technical architecture reviews. In addition, proper testing and change management procedures should be in place, and critical third-party products such as Microsoft platforms, even if trusted, should be verified prior to technology changes or patches. If third-party vendors can affect critical services, the vendors’ service should also be factored into the incident response, disaster recovery, and business continuity plans of organisations,” he said.

In July, Microsoft Windows users found themselves unable to access various applications and services, leading to significant disruptions in business processes across every industry, from airport terminals and shopping centres to banks across the world. Even the London Stock Exchange reported some service disruptions.

Technology website Mitratech, in a July 23 article on the topic, stated that a new software update would likely be the fix for the outage for most PC users, which some would receive automatically and some would need to apply manually. But for all, the Microsoft outage serves as a “stark wake-up call” of the need for more robust business continuity strategies and third-party risk management tactics.

The tech website added that as businesses increasingly rely on external providers for critical services, identifying, assessing, and controlling the risks associated with this outsourcing becomes more nuanced, and business owners must stay one step ahead in their third-party risk management through vendor risk assessment and due diligence.

Risks involved

During the webinar, Fraser said third-party risk management is critical for businesses because their core business processes, systems and operations may depend on third-party services.

“These days, we are seeing organisations outsourcing more and more of their services to vendors and it is therefore important that we ensure that these organisations do not expose themselves to undue risk due to vendor failure. To cite some examples of that, recently we had the CrowdStrike incident that caused airlines to go down and services to become unavailable. Even payment services became unavailable in the Caribbean. What could be done in those cases is to have a closer look at our vendors and go through the scenarios to see how our vendors could impact our organisation. It is not only CrowdStrike but we saw the National Health Service in the UK which depends on diagnostic services from firms that they outsourced that service to and it led to a lot of delays in patient care. Organisations can benefit from third-party risk assessments.”

CrowdStrike, the company Fraser referred to, is a key network security provider that guards major international companies in the airline and banking sectors from cyberattacks.

Microsoft, CrowdStrike and Delta Air Lines have been in a war of words since the airline hired a high-profile attorney to seek compensation from Microsoft and CrowdStrike.

Delta CEO Ed Bastian lashed out at CrowdStrike in a CNBC interview two weeks ago and said the computer problems cost Delta US$500 million. CrowdStrike’s flawed software update caused widespread computer outages on July 19 at Delta and hundreds of other companies around the globe.

CrowdStrike then fired back, saying the airline had refused offers of help to get through the outage faster.

Fraser also gave the opinion that many local and regional vendors who can carry out third-party risk assessments for companies are not doing this function because of the costs involved.

“What we have been seeing as consultants and providers when asked to provide a service is that the vendor may not see it as economically viable to perform a third-party risk assessment and get the compliance and standards just for a single customer. However, we want to encourage vendors to do it as obviously, if you do it for one customer, you can use that assessment, if done independently, and that compliance certificate for other customers as well.”

He also spoke about the insurance side of it and the risks involved.

“This is a global problem and it does also affect what you call insurance such as cybersecurity insurance for the organisations. If an insurer within their policy must cover to insure a vendor and everyone uses such a vendor as Microsoft then that accumulation is a problem for that insurance company. Billionaire Warren Buffett indicated that maybe cyber insurance is a scam just like not covering things like war. His opinion is he knows that these companies will not want to pay for third-party failures that happen because of these accumulation risks that occur.”

Fraser also spoke about what Government bodies in T&T are doing to address the issue.

“The ISC2 Chapter has been meeting arms of Government to help encourage them to put what you call these minimum standards in place and some of the agencies have also been doing work in this regard. You have iGovTT and we saw the other day a call for consultation from the T&T Bureau of Standards. There is a deadline for consultation in September on the ISO 27001 standard. SOC 2 Type 2 and ISO 27001 are two popular independent certificates of attestation documents organisations can review from vendors as part of their technology third-party risk assessment process. That is a clear sign that they are moving towards some version of a standard for third-party risk management. It does not have to be the entire gamut and very complex because it can increase the costs. So, we as professionals can work together with the agencies.”

Managing director of 800 TECH Limited, Scofield Thomas, who specialises in guiding businesses through digital transformation and who also spoke during the webinar, encouraged SMEs to understand the intricacies of third-party risk management.

“What we are seeing in the SME sector is that most times they do not consider that as a critical part of their operations. The reason we are noticing that now is that there is a drive within T&T especially to export more. Some of them never heard it before; they do not understand the concept behind it. Exporting is not just about having good products and services but it is also about compliance.”
