How to manage third-party risk

By Neil Amato

Companies are increasingly outsourcing tasks to third-party entities or individuals not classified as full-time employees, putting trust in people outside the company’s real or virtual walls.

There are benefits to this approach, including cost savings and quick access to specialised talent. There are also risks: loss of sensitive data such as customer information or intellectual property, plus the reputational hit that can accompany such a breach.

Such risks are a worry for company executives worldwide, according to the CGMA report New Ways of Working … Managing the Open Workforce. The top risks were information and data security breaches (45%) and disclosure of competitively sensitive information (41%), according to a survey of more than 1,100 global executives conducted for the report in 2014.

The issue was underscored recently by the arrest of a government contractor who had a top secret national security clearance. Harold T. Martin III, an employee of consulting firm Booz Allen Hamilton, was arrested and charged with theft of government property and unauthorised removal or retention of classified documents or materials. Booz Allen also was the employer of Edward Snowden, who leaked US National Security Agency surveillance documents and was charged in 2013 with theft of government property, unauthorised communication of defence information, and communication of classified information.

After Martin’s arrest became public this month, Booz Allen reacted in a filing with the US Securities and Exchange Commission (SEC).

“Booz Allen is a 102-year-old company, and the alleged conduct does not reflect our core values,” the SEC filing said. “Thousands of our employees support critical client missions with dedication and excellence each day. Their professionalism, values, and ethics are what define our firm.”

The charges against Snowden and Martin illustrate the risks facing companies. Even if they trust the vetting of a third party, and even if they do their own vetting of a contract worker the same way they would a full-time employee, there remains a chance company information can be compromised. When data are shared with vendors around the world, the risks are multiplied.

“I’m not saying third-party vendors are bad,” said Torpey White, CPA/CITP, CGMA, a partner at Wipfli LLP’s risk advisory and forensic services practice. “But beyond the due diligence you do when you first sign them up, you should at least periodically check up on them to make sure that they’re agreeing and complying with the terms of the contract you signed with them.”

The process of checking up on third-party vendors might begin with a contractual agreement that includes a right-to-audit clause. But before that contract is signed, a company might start with an in-person inspection of an outside vendor’s servers if, for example, that vendor was going to offer data-hosting services.

An initial visit might first look at physical access to a building that houses servers, said Evan Sekeris, a partner in Oliver Wyman’s finance and risk practice. An inspection would also include a check of the vendor’s data security processes to make sure they meet company standards.

Seeing proper controls can help build trust between a company and a third party, but companies must remain vigilant even after the contract is signed.

“Trust, while very important, is not always sufficient,” Sekeris said. “Pressures exist, and while people might have the best intentions in the world, they might end up under pressure and cut corners. And they might think that cutting a corner is not very important, and they don’t realise the risk they could be exposing their client or partner to.”

Credentials stolen from a third-party vendor, whose connection to the retailer was used for electronic billing and other services, unwittingly gave an intruder a path to install malware on the systems of US retailer Target. The 2013 breach involved the theft of card data from about 40 million credit and debit card accounts and cost the company more than $200 million, according to Target’s SEC filings.

Risk rests with individuals

Sekeris recalled a recent visit he made to a bank for a consulting job. The bank took his fingerprints and ran them through a criminal database and looked at his credit history. Before he was given an access card to the building, he had to be physically searched. “And with that, I didn’t even have access to a laptop,” Sekeris said. “That would have required an additional layer of vetting.”

Sekeris makes the point that whether a company hires permanent employees or contractors, it is taking on risk when it gives people access to systems. By using third parties, companies are often ceding control of the vetting process. But even if they don’t use a contractor, some risk still remains.

“You could hire a salaried employee and expose yourself to the exact same risk,” Sekeris said. “The question is, by how much are you increasing that risk by going through a third party versus making a full-time hire?

“In banking, how many times have we seen rogue traders? Those are not third parties. They were hired by the bank and acted illegally while being employed by the bank. At the end of the day, the risk is with the individuals you hire. Once you’ve hired them, whether they’re a third party or hired internally, they have access to your systems. And having that access is your Achilles’ heel.”

Focus on data controls, not guest access

Organisations can better deal with third-party risk related to proprietary data by having stronger controls in place, regardless of who is using the data.

“There is no magic to handling contractor accounts that organisations shouldn’t already be trying to do when handling normal user accounts,” said Daimon Geopfert, national leader of security and privacy consulting at RSM US, formerly known as McGladrey. “This means the company should be more focused on controlling the access to, and dissemination of, sensitive data as a whole than they should be focused on trying to control one user subset’s access to that data.”

If third parties do need to interact with sensitive data, Geopfert recommended they do so on systems where they can see the data but not extract them. User privileges should be limited to what the role requires and subjected to enhanced monitoring, such as generating an alert when a user attempts to access systems or data not directly related to their role, whether or not the attempt succeeds.
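The monitoring described above can be reduced to a simple rule: compare each access attempt against the scope of the account's role, and treat any extraction action by an outside account as an alert. The following Python script is an added illustration, not code from the article or from RSM; the account names, roles, resource names and log lines are all constructed for the example, and the log format is a hypothetical one.

```python
"""Flag third-party accounts that reach outside their role or try to extract data.

Added example for illustration only. The account registry, role scopes,
log format and sample log lines below are constructed, not real data.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Hypothetical account registry: each account's role and whether it belongs
# to an outside party (contractor or vendor) rather than a salaried employee.
ACCOUNTS = {
    "ext.jdoe":     {"role": "billing_contractor", "third_party": True},
    "ext.acme-svc": {"role": "hvac_vendor",        "third_party": True},
    "asmith":       {"role": "finance_analyst",    "third_party": False},
}

# Hypothetical role scopes: the resources each role legitimately needs.
ROLE_SCOPE = {
    "billing_contractor": {"invoices", "vendor_portal"},
    "hvac_vendor":        {"facilities_tickets"},
    "finance_analyst":    {"invoices", "ledger", "payroll"},
}

# Actions that move data off the system. Third parties may view, not extract.
EXTRACT_ACTIONS = {"download", "export", "bulk_query"}

# Constructed key=value access-log format.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) "
    r"resource=(?P<resource>\S+) result=(?P<result>\S+)$"
)


@dataclass(frozen=True)
class Alert:
    ts: str
    user: str
    resource: str
    action: str
    reason: str


def parse_line(line: str) -> Optional[dict]:
    """Return the event fields, or None if the line is not in the expected format."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def evaluate(event: dict) -> list:
    """Return the reasons an access event should alert (empty list if none)."""
    reasons = []
    account = ACCOUNTS.get(event["user"])
    if account is None:
        return ["unknown_account"]
    if event["resource"] not in ROLE_SCOPE[account["role"]]:
        # Alert on the attempt itself, even if the access control denied it:
        # a denied probe outside the role is still a signal worth seeing.
        reasons.append("out_of_scope")
    if account["third_party"] and event["action"] in EXTRACT_ACTIONS:
        reasons.append("extract_by_third_party")
    return reasons


def scan(lines) -> list:
    """Run every parseable log line through evaluate() and collect alerts."""
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue  # lines in other formats are ignored here
        for reason in evaluate(ev):
            alerts.append(Alert(ev["ts"], ev["user"], ev["resource"], ev["action"], reason))
    return alerts


# Constructed sample log: two third-party accounts, one employee, one unknown user.
SAMPLE_LOG = """\
2016-10-12T09:01:03Z user=ext.jdoe action=view resource=invoices result=allowed
2016-10-12T09:04:17Z user=ext.jdoe action=download resource=invoices result=allowed
2016-10-12T09:05:40Z user=ext.jdoe action=view resource=payroll result=denied
2016-10-12T09:10:22Z user=ext.acme-svc action=view resource=vendor_portal result=allowed
2016-10-12T09:12:00Z user=asmith action=export resource=ledger result=allowed
2016-10-12T09:15:31Z user=svc-unknown action=view resource=ledger result=allowed
""".splitlines()

if __name__ == "__main__":
    for a in scan(SAMPLE_LOG):
        print(f"{a.ts} {a.user} {a.action} {a.resource}: {a.reason}")
```

Run against the sample log, the script raises four alerts: the contractor's download of in-scope invoices (view is fine, extraction is not), the contractor's denied attempt on payroll, the HVAC vendor account reaching the vendor portal it has no business in, and an account missing from the registry. The employee's export of the ledger passes, which is the point of Geopfert's remark: the same scope check applies to everyone, and only the extraction rule is specific to outside accounts.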

Neil Amato (namato@aicpa.org) is a CGMA Magazine senior editor.