Managing director of ACE Strategic Solutions and vice president of the ISC2 (International Information System Security Certification Consortium) Caribbean Chapter, Ricardo Fraser, is urging local businesses to adopt third-party risk management (TPRM) practices following the Microsoft outage in July, which affected businesses globally to the tune of billions of US dollars.
In July, Minister of Digital Transformation, Hassel Bacchus, was quoted by local media as saying there was no major impact in T&T while the Bankers Association of T&T (BATT), in a media release, said it was monitoring the situation.
Fraser explained that TPRM, in this context, refers to managing the risks posed by third-party vendors, which may expose the acquiring organisation that uses the vendors’ services to risk. As a result, a holistic approach must consider the legal, regulatory, technological, business continuity, reputational, strategic, fraud, financial, and cybersecurity risks associated with working with a vendor.
“Outages and business interruption incidents such as the Microsoft incident due to CrowdStrike underscore the need for suitable technology risk management responses to third-party vendors. Prior to onboarding any vendor, holistic third-party risk assessments should be performed prior to determining the correct risk management response for the lifecycle of the vendor-client relationship. It is often overlooked that any vendor may possibly expose an organisation to technology or cybersecurity risks such as confidential data breaches, service downtime, or data processing errors,” Fraser told the Business Guardian.
Two weeks ago, the ISC2 Caribbean Chapter hosted a webinar advising businesses on how to sustain their competitive edge through third-party risk management.
The ISC2 Caribbean Chapter is a non-profit organisation of volunteer members committed to education, training, and capacity development of cybersecurity in the region. Membership is free and the chapter is a member of ISC2, the biggest globally renowned body for cybersecurity worldwide.
After the webinar, Fraser gave the Business Guardian additional information on the latest trends in the world of technology and how businesses can protect themselves.
He gave advice on what business owners may do in undertaking third-party risk management practices.
“Measures organisations may take involve contractual reviews, reviews of service level agreements, reviews of independent audits and certificates of attestation, monitoring of services, and technical architecture reviews. In addition, proper testing and change management procedures should be in place and critical third-party products such as Microsoft platforms, even if trusted, should be verified prior to technology changes or patches. If third-party vendors can affect critical services, the vendors’ service should also be factored into the incident response, disaster recovery, and business continuity plans of organisations,” he said.
In July, Microsoft Windows users found themselves unable to access various applications and services, leading to significant disruptions in business processes across every industry, from airport terminals and shopping centers to banks across the world. Even the London Stock Exchange reported some service disruptions.
Technology website Mitratech, in a July 23 article on the topic, stated that a new software update will likely be the fix for the outage for most PC users, which some will apply automatically and others will need to apply manually. But for all, the Microsoft outage serves as a “stark wake-up call” of the need for more robust business continuity strategies and third-party risk management tactics.
The tech website added that as businesses increasingly rely on external providers for critical services, identifying, assessing, and controlling the risks associated with this outsourcing becomes more nuanced, and business owners must stay one step ahead in their third-party risk management through vendor risk assessment and due diligence.
Risks involved
During the webinar, Fraser said third-party risk management is critical for businesses because their core business processes, systems and operations may depend on third-party services.
“These days, we are seeing organisations outsourcing more and more of their services to vendors and it is therefore important that we ensure that these organisations do not expose themselves to undue risk due to vendor failure. To cite some examples of that, recently we had the CrowdStrike incident that caused airlines to go down and services to become unavailable. Even payment services became unavailable in the Caribbean. What could be done in those cases is to have a closer look at our vendors and go through the scenarios to see how our vendors could impact our organisation. It is not only CrowdStrike but we saw the National Health Service in the UK, which depends on diagnostic services from firms that they outsourced that service to, and it led to a lot of delays in patient care. Organisations can benefit from third-party risk assessments.”
CrowdStrike, the company Fraser referred to, is a key network security provider that guards major international companies in the airline and banking sectors from cyberattacks.
Microsoft, CrowdStrike and Delta Airlines have been in a war of words since the airline hired a high-profile attorney to seek compensation from Microsoft and CrowdStrike.
Delta CEO Ed Bastian lashed out at CrowdStrike in a CNBC interview two weeks ago and said the computer problems cost Delta US$500 million. CrowdStrike’s flawed software update caused widespread computer outages on July 19 at Delta and hundreds of other companies around the globe.
CrowdStrike then fired back, saying the airline had refused offers of help to get through the outage faster.
Fraser also gave the opinion that many local and regional vendors who could undergo third-party risk assessments for their customers are not doing so because of the costs involved.
“What we have been seeing as consultants and providers when asked to provide a service is that the vendor may not see it as economically viable to perform a third-party risk assessment and get the compliance and standards just for a single customer. However, we want to encourage vendors to do it as obviously, if you do it for one customer, you can use that assessment, if done independently, and that compliance certificate for other customers as well.”
He also spoke about the insurance side of it and the risks involved.
“This is a global problem and it does also affect what you call insurance such as cybersecurity insurance for the organisations. If an insurer within their policy must cover to insure a vendor and everyone uses such a vendor as Microsoft then that accumulation is a problem for that insurance company. Billionaire Warren Buffett indicated that maybe cyber insurance is a scam just like not covering things like war. His opinion is he knows that these companies will not want to pay for third-party failures that happen because of these accumulation risks that occur.”
Fraser also spoke about what Government bodies in T&T are doing to address the issue.
“The ISC2 Chapter has been meeting arms of Government to help encourage them to put what you call these minimum standards in place and some of the agencies have also been doing work in this regard. You have iGovTT and we saw the other day a call for consultation from the T&T Bureau of Standards. There is a deadline for consultation in September on the ISO 27001 standard. SOC 2 Type 2 and ISO 27001 are two popular independent certificates of attestation documents organisations can review from vendors as part of their technology third-party risk assessment process. That is a clear sign that they are moving towards some version of a standard for third-party risk management. It does not have to be the entire gamut and very complex because it can increase the costs. So, we as professionals can work together with the agencies.”
Scofield Thomas, managing director of 800 TECH Limited, who specialises in guiding businesses through digital transformation and who also spoke during the webinar, encouraged SMEs to understand the intricacies of third-party risk management.
“What we are seeing in the SME sector is that most times they do not consider that as a critical part of their operations. The reason we are noticing that now is that there is a drive within T&T especially to export more. Some of them have never heard of it before; they do not understand the concept behind it. Exporting is not just about having good products and services but it is also about compliance.”