Don’t Forget to Cover the Middle Ground
Third party firm leaks 10 years of confidential auto manufacturing records
This summer, the automakers Chrysler, Ford, GM, Tesla, Toyota, and Volkswagen, along with automotive supplier ThyssenKrupp, had 157 gigabytes of confidential data leaked inadvertently by their shared third party robotics firm, Level One. Ten years of assembly line schematics, manufacturing robotic control settings, internal IDs, and VPN-request forms were made publicly accessible, in turn exposing these companies to potential sabotage and possibly providing competitors with an unfair advantage.
“69% of respondents say they definitely or possibly suffered a security breach resulting from vendor access within the last year.”
Facebook, Target, Panera Bread, Best Buy, and Delta Airlines also made headlines this year when they announced data breaches stemming from third party vendors, but data leaks and breaches are not the only risks businesses face when choosing to outsource critical functions.
Factory Collapses, Smartphones Burst into Flames, Airbags Firing Shrapnel
Global clothing brands, retailers, and their third party vendors were held responsible for the Rana Plaza tragedy – the collapse of an eight-story factory building in Bangladesh that killed 1,134 adults and children and injured hundreds of others.
In what the National Highway Traffic Safety Administration has named “the largest and most complex safety recall in U.S. history,” approximately 37 million vehicles from 19 automakers were equipped with defective Takata air bags that can injure or kill vehicle occupants upon deployment.
More Outsourcing, Increased Risk
It’s clear that businesses are increasingly relying on third party relationships to save on labor and costs, free up infrastructure, and compete locally and internationally. As the scope and complexity of these relationships increase, the related risk goes up as well.
“More than 90% of all FCPA enforcement actions over the last forty years have been linked to the misconduct of third parties.”
Under the Foreign Corrupt Practices Act, businesses are accountable for activities involving both their internal and external relationships. Organizations find themselves tasked with ensuring third parties comply with harsher regulations, on top of existing internal priorities: to protect their IT data, avoid unethical practices, keep up a safe and healthy workplace, secure their supply chain, handle disruptions, and sustain high-quality products and performance levels.
Third Party Risk Factors
- Reputational
- Financial
- Compliance
- Legal
- Operational
- Security
Globalization
Companies operating internationally, or in emerging markets, are more susceptible to third party risks like licensing and human rights violations, product safety, loss of intellectual property, and business integrity. They are also faced with a multitude of rules, policies, data, standards, and regulations when working with a global third party network.
Emerging technology and social media
Businesses should also consider the risks of using emerging technologies like the IoT, cloud, virtual data centers, and hosted apps from third parties. These services pose an increased risk of exposure to hackers, as they utilize cloud technologies and social media to collect information about their customers.
Apparel manufacturer Under Armour confirmed in March that data from its MyFitnessPal app was hacked. Disclosed information included usernames, emails, and encrypted passwords of more than 150 million people. The Pentagon has even gone as far as banning the use of geolocators on mobile technology like smartphones and fitness trackers that could provide the user’s location and reveal the locations of personnel around the world. Although emerging technology brings along potential security risks and privacy concerns for business-critical information, a well-vetted vendor that continues to be monitored can reduce your risks.
Proactive Vendor Risk Management
Prioritize critical relationships
Mitigate third party risks by performing the appropriate level of due diligence on all agents, vendors, internal and external consultants, distributors and resellers, partners, and subcontractors. The extent of research conducted should be commensurate with the level of risk a potential third party may represent. Also, consider the capacity in which the third party will be representing your business.
Compliance best practices
Regulatory compliance is considered one of the most challenging areas to address for several reasons. Global third party networks cross many borders and are accountable to the regulatory requirements of each country. In addition, organizations must deal with a continuously evolving set of sanctions, watch lists, and PEP list.
At minimum, vendors should carry professional liability insurance and be vetted to uncover past criminal activity. Set realistic goals to meet compliance best practices and assess your current capabilities to manage and oversee third party compliance.
Invest in screening, due diligence, and continuous monitoring
Assessing the trustworthiness and reliability of a third party prior to contracting work allows organizations to meet their compliance obligations, satisfy internal requirements, and mitigate future damage to their reputation.
To create a culture of compliance, companies are establishing robust third party due diligence programs, consisting of screening and onboarding procedures, risk assessments, ongoing monitoring, and corrective or preventive actions. While initial due diligence may expose current trouble spots, it cannot guard against or predict future behavior. Organizations that take a holistic and proactive approach to risk by incorporating all categories of third parties and all areas of risk in their programs, can save themselves the headache of performing damage control in the future. Proactive due diligence may seem like an uphill task at times, but it remains a vital one.
Explore how our Third Party Due Diligence capabilities can help limit your business’ exposure to external risks you didn’t know you had.
Sources:
https://threatpost.com/leaky-backup-spills-157-gb-of-automaker-secrets/134293/
https://frsecure.com/blog/15-eye-opening-vendor-risk-statistics/
https://www.metricstream.com/insights/best-practices-third party-mgmt-program.htm
https://www.bitsight.com/blog/vendor-risk-management-principles
https://www.wired.com/2017/01/why-the-samsung-galaxy-note-7-kept-exploding/
https://www.lexology.com/library/detail.aspx?g=e75614f3-02c1-4152-a117-c2f2c98f7ecb