Third Party Data Breaches - Organisations kept in the Dark

Third Party/Vendor Risk Management and Risks
ITnews reports on University of Wollongong Professor Alex Frino’s research, which states that “the media usually breaks the news of security breaches first.”

As part of his study, Professor Frino compiled a database of cyber security incidents and their impact on stock prices. Although only in draft form, Professor Frino’s paper backs up existing evidence on the risk and exposure that third parties and vendors pose to the organisations associated with them, in particular from cyber breaches that set out to compromise a third party or vendor with the intention of causing major disruption and financially crippling them. Other reports have identified that this type of cybercrime is on the rise:

IBM’s 2022 Cost of a Data Breach Report noted increased cost and time to discovery for data breaches caused by third parties. The research found that nearly one-fifth of breaches were caused by a supply chain compromise, and that these compromises made breaches more expensive and resulted in longer lifecycles.

Security Scorecard and the Cyentia Institute worked together, collating and analysing data on over 230,000 organisations from Security Scorecard’s Automatic Vendor Detection, to determine the factors that exacerbate third- and fourth-party risk.

A significant finding from the report was that 98.3% of organisations are associated with, or have an existing relationship with, at least one third party that has experienced a breach in the last two years. Additionally, 50% of organisations have indirect relationships with at least 200 fourth parties that have had breaches in the last two years.

More broadly:
The Australian Cyber Security Centre’s (ACSC) most recent annual Cyber Threat report highlights the ways in which threat actors use different tactics for cyber-attacks on supply chains, knowing the disruption it will cause.

According to Blackberry's research, four in five IT security professionals were aware of an attack or vulnerability in their supply chain in the last 12 months. Additionally, 80% of organisations across Australia were notified of a vulnerability or attack within their software supply chain.
“Compared to the global average, Australia suffered the highest rates of operational compromise and data loss. It proves cyber-security must go far beyond vendor trust.”

What has been less clear, until now, is the role that those compromised third parties are playing, specifically whether they are being transparent about the events occurring.

Professor Frino’s preliminary research provides tangible evidence of organisations seeking, for as long as possible, to keep breaches and events confidential, an act that can have significant consequences for the organisations and people unknowingly impacted.

Real-life example:
Medibank’s half-yearly results inevitably addressed its well-publicised 2022 cyber event and associated data breach. Further insight into the event has, for the first time, outlined that the threat actor obtained the user ID and password used in the intrusion from a third-party IT services contractor.
What may surprise some is the significant direct cost Medibank is incurring from the event: a $26 million half-year hit has been declared, and this is expected to climb to between $40 million and $45 million over the full year. The intangible costs are estimated to be significantly higher.

A deeper dive
Whilst outsourcing services or products is beneficial, and an essential and undeniable part of doing business in the modern economy, it carries risk. Unlike the services rendered, the risk and liability cannot be outsourced.

If a third party fails to deliver or suffers a breach, the organisation that uses the vendor will face the consequences. The impact can be fiscally, operationally, reputationally, and contractually significant. Data shared with external parties (supplier, vendor, contractor, or service provider) can be exposed.

Supply chain attacks have had dramatic effects in the past, such as the SolarWinds hack in 2020, which saw cybercriminals exploit a vulnerability in the SolarWinds Orion platform that allowed them to impersonate users and accounts of the thousands of companies using it. SolarWinds’ clients included government agencies and multinational corporations. According to Microsoft, the Nobelium hacking group alleged to have carried out the attack gained access to around 3,000 email accounts across 150 organisations.

Identifying, assessing, and mitigating third-party risks is critical to ensure business resilience.

But what do terms like "third party" or "supply chain" mean?
- Third-Party Vendors
- Service Providers
- Supply Chain
- Cyber Supply Chain
- Digital Supply Chain
Used interchangeably, these terms all refer to the use of a third party for a service, function, or product.

Quantifying the exposure:
Referencing again the Cyentia Institute’s research, it is helpful to get a glimpse of the complex web of third- and fourth-party relationships for just one small company. The anonymous company chosen in their research, and used here by way of example, developed code that plugs into websites to determine what users are doing on those sites. According to Automatic Vendor Detection, about 12,500 organisations have this code running on their sites. Not insignificant, but certainly not universal in the way you’ll soon see for behemoths like Google and Microsoft. When Cyentia extended the aperture to fourth parties that share a relationship with those 12,500 organisations running the example company’s code, “universal” does indeed become an apt description of the scope of potential exposure: a full 98.7% of the 232,000 organisations in their sample had an indirect, once-removed relationship with this company.

In other words, an organisation may not use this company directly, but it is near-certain that others in its supply chain do. This means that if that code were compromised or subverted for nefarious purposes, the organisation would experience some level of exposure.
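As an added illustration (not from the article or the Cyentia report), the following Python walks a constructed vendor graph and reports which organisations are directly (third-party) or once-removed (fourth-party) exposed to a single compromised vendor, the same "indirect relationship" measure discussed above. All organisation names and edges are made up.

```python
"""Direct vs. indirect (fourth-party and beyond) exposure over a constructed
vendor graph. Added illustration only; organisations and edges are made up."""
from collections import deque

# Constructed sample: which vendors each organisation relies on directly.
# An edge A -> B means "A uses B as a vendor or service provider".
VENDOR_GRAPH = {
    "bank_a": {"analytics_co", "cloud_x"},
    "retailer_b": {"cloud_x", "payroll_y"},
    "hospital_c": {"payroll_y"},
    "insurer_d": {"retailer_b"},      # insurer_d consumes retailer_b's services
    "payroll_y": {"analytics_co"},    # payroll_y embeds analytics_co's code
    "cloud_x": set(),
    "analytics_co": set(),
}

def exposure_to(graph, compromised):
    """Return {org: hops} for every organisation whose vendor chain reaches
    `compromised`. hops == 1 is a direct (third-party) relationship,
    hops == 2 a once-removed (fourth-party) one, and so on.
    Implemented as a breadth-first search over reversed edges."""
    users = {}  # vendor -> set of organisations that use it
    for org, vendors in graph.items():
        for vendor in vendors:
            users.setdefault(vendor, set()).add(org)
    hops = {}
    queue = deque([(compromised, 0)])
    while queue:
        node, distance = queue.popleft()
        for org in users.get(node, ()):
            if org not in hops:          # BFS: first visit is the shortest chain
                hops[org] = distance + 1
                queue.append((org, distance + 1))
    return hops

def exposure_share(graph, compromised):
    """Fraction of organisations (excluding the vendor itself) that have any
    direct or indirect dependency on `compromised`."""
    population = [org for org in graph if org != compromised]
    return len(exposure_to(graph, compromised)) / len(population)

if __name__ == "__main__":
    for org, n in sorted(exposure_to(VENDOR_GRAPH, "analytics_co").items()):
        print(f"{org}: {n} hop(s) from analytics_co")
    print(f"share exposed: {exposure_share(VENDOR_GRAPH, 'analytics_co'):.1%}")
```

The share reported for a real vendor population would be the analogue of the 98.7% figure above; here only the four hop-1/hop-2 organisations and one hop-3 organisation are exposed.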

Real-life example:
In 2021, Frontier Software experienced a ransomware attack in which the South Australian Government, the Indigenous Land and Sea Corporation, Workskil, infrastructure business APA Group, and agribusiness Viterra all emerged as victims, with the South Australian Government revealing that 80,000 of its employees may have been impacted. Two years later, NSW Health has only recently learned that some of its data was compromised during the Frontier Software ransomware attack in 2021.
In a recent FAQ posted to its website, NSW Health said the breach impacted staff or former staff who were “employed by the Ministry of Health, as a senior executive of NSW Health, or in the Mental Health Review Tribunal, Health Professional Councils Authority, Official Visitors Program, Health Infrastructure, and the previous NSW Institute of Psychiatry between 2001 and 2015”. The data affected by the breach may include name, residential address, telephone number, date of birth, tax file number, BSB, and financial institution (bank) account number.
Frontier's most recent update to customers, 16 months after the initial notification, is a stark reminder of how beholden organisations can be to their digital supply chain. Customers have been impacted by the Frontier breach to varying degrees, fiscally and reputationally, with most having notified their own customers of a data breach.

Regulatory and D&O Liability focus
More specifically, we believe regulators’ focus will shift from what organisations are doing with respect to their internal cyber security practices to how they are managing their external third- (and fourth-) party exposure, i.e. their digital supply chain. This is foreshadowed by ASIC Commissioner Danielle Press below.

"[Cyber] Measures taken should be proportionate to the nature, scale, and complexity of your organisation – and the criticality and sensitivity of the key assets held. This includes the reassessment of cybersecurity risks on an ongoing basis. ASIC also expects this to include oversight of cybersecurity risk throughout your organisation’s digital supply chain."

CPS 230 is another example of ongoing action from Australian regulators to expand the scope of privacy and cybersecurity obligations, and specifically address third-party provider risk management.

APRA is focusing on regulated entities that are placing increased reliance on third parties to undertake critical operations on their behalf. CPS 230 looks to enforce, amongst other obligations, ongoing monitoring, testing, and assurance of the risk management controls implemented by the third-party service providers that regulated entities use.

Internationally, last September the US Office of Management and Budget issued deadlines for improving the software supply chain, at least within the government. The memorandum requires each Federal agency to comply with National Institute of Standards and Technology guidance when using third-party software on the agency’s information systems, and by September 14 of this year agencies will have to collect attestation for all software subject to the requirements. The memorandum said:

“Agencies will have to collect attestation for all software subject to the requirements. The software supply chain can be compromised by a deliberate attack, as in the SolarWinds case, or it can be affected by an unintentional flaw that goes undetected for years, as in the case of the Log4j vulnerability.”

What’s next?
So, what is next for third-party risk management? How do we evolve as the use of third and fourth parties increases and we see large-scale breaches and hacks on a regular basis? There are a few essential elements to addressing third- and fourth-party risk.

Fundamentally, third-party/vendor risk management is a program, not a project. It is an ongoing and constantly evolving area of risk, and it must be addressed that way.

Author: Mark L