AJ Yawn is a partner at Armanino LLP, a consulting and accounting firm based in San Ramon, California. Views are the author’s own.
A company’s cyber defenses are only as strong as the weakest link in the network, and for most businesses, the weakest links are often third-party vendors.
The stakes are too high for CFOs to treat such cybersecurity risks as merely an IT concern.
The global average cost of a data breach between March 2022 and March 2023 was $4.45 million, a 15% increase over three years and an all-time high, according to a report from IBM and the Ponemon Institute.
Of the various types of breaches experienced, the third-party category was the most common. Forty percent of breaches were identified by a benign third party, 33% were identified by internal teams and tools, and 27% were disclosed by the attacker as part of a ransomware attack, the research found.
Perhaps even more alarming, a 2023 study by SecurityScorecard and the Cyentia Institute found that 98% of organizations worldwide had integrations with at least one third-party vendor that had suffered a breach within the prior two years.
Rising stakes
Today, companies that ignore their cyber vulnerabilities do so at their own peril. Besides potential business disruption and financial losses, such firms also face the possibility of reputational damage and lawsuits. It’s also an area where the federal government is paying more and more attention.
In May 2021, President Joe Biden issued Executive Order 14028 to modernize and strengthen cybersecurity standards in the federal government. After the EO was released, the Cloud Security Alliance published a blog post in which it predicted that the order would lead to vendor risk management coming under the microscope for many organizations.
“Improving the security of the software supply chain is a key component of the Executive Order and organizations must now look to verify they are working with secure vendors,” the blog post stated. “This will also likely lead to increased scrutiny of vendor risk assessments, potential security gaps in the supply chain, and the remediation policies that are currently in place.”
Vendor issues are also prominently featured in new cybersecurity rules that were finalized by the Securities and Exchange Commission last year. The rules require a “material” cybersecurity incident to be disclosed to the SEC within four days of a determination that it is material, among other provisions. The incident disclosure rule doesn’t exempt companies from disclosing third-party cybersecurity incidents that may have a material impact on the company.
“[W]hether an incident is material is not contingent on where the relevant electronic systems reside or who owns them,” the SEC said in the final rules. “In other words, we do not believe a reasonable investor would view a significant breach of a registrant's data as immaterial merely because the data were housed on a third-party system, especially as companies increasingly rely on third-party cloud services that may place their data out of their immediate control.”
Acknowledging that companies may have reduced visibility into third-party systems, the SEC said that any disclosures related to such systems should be based on available information.
Meanwhile, third-party issues can also have cyberinsurance implications. CFOs need a thorough understanding of an organization's and its third-party vendors' data management and cybersecurity measures to navigate the complexities of cyberinsurance, a necessary line item whose cost is only increasing these days. Businesses need to demonstrate to insurers an exacting standard of data handling and access management practices. Beyond initial approval, maintaining these high standards is crucial to avoid surging premiums.
Risk mitigation steps
For all of these reasons, companies today need to perform a thorough assessment of third-party vendors’ data management and cybersecurity practices. That process shouldn’t fall on the shoulders of IT and cybersecurity leaders alone. CFOs play a critical role as well.
Finance chiefs and their auditing teams need to dig deeper than surface-level questions about certifications. Are the vendor’s current defenses robust enough? What level of risk are we comfortable with? Do their data security standards match or go beyond ours? What happens to our data if we end our engagement? Will the vendor use our data to train an AI system? Who can access our data on the vendor’s side?
As part of the process of reviewing vendors for potential cybersecurity risks, companies should take the following steps:
- Review incident response processes before onboarding third parties. Beyond standard due diligence, review past breaches and what caused them, and ask what the vendor has done to improve data security if it had an incident. Also, ask about their response protocol to understand how they plan to alert you and what steps they will take in the event of an incident.
- Have a proper inventory of the data that will be accessed or generated by the third party. Classify data based on sensitivity and regulatory requirements, and clearly define the scope of data access and usage rights for the third party.
- Ensure that consistent identity and access management, as well as proper organizational and security measures, are in place throughout the relationship. Implement strict access controls and limit data access based on the principle of least privilege. Outline specific procedures for data return or destruction upon termination of the relationship. Regularly review and update data security policies and procedures in collaboration with the third party.
We live in a time when data breaches are not a matter of if but when, and by then it’s too late to conduct an analysis on the vendor’s data security measures. By ensuring diligent management of third-party vendor risks, CFOs will fortify both the cyber defenses and financial integrity of the business.