Third-party threats are real and now. That’s according to a Cybersecurity Collaborative task force of chief information security officers who developed a framework with supporting tools to build, manage and scale a management program covering third-party risk.
Sheldon Cuffie and Andy Fiumefreddo of American Family Insurance reviewed the program during a recent webcast with Cybersecurity Collaborative’s Tom Scurrah, vice president of cybersecurity programs and content.
In response to a Ponemon Institute study on third-party ecosystems, Fiumefreddo said it was a surprise to see that only three-quarters (76%) of respondents said third-party incidents would increase.
“That means they are not paying attention to the news,” said Fiumefreddo, enterprise IT third-party risk manager at American Family Insurance. “That means they are not paying attention to what’s going on, and they’re not paying attention to those threats seriously.”
Fiumefreddo said the SolarWinds supply chain hack changed everything. “The new capabilities that were realized by those threat actors and what they could do — not just to the government or larger institutes — but smaller ones, as well.”
Cuffie, CISO at American Family Insurance, said the company has seen 18 of its suppliers hit by some kind of ransomware in the past 20 months, each with an operational impact on some part of the company, whether it was a call center, a tax provider or one of the big four IT service providers.
Third-party risk management should no longer be thought of as people reviewing contracts, Cuffie said. “This is much more than that. This is a connected piece in our cyber defense as a company.”
Watch the full briefing of the Third-Party Risk Management Program 2021 Implementation Guide and Toolkit below.