The recent Accellion-related breaches (a recent one here) are shining a light not just on third-party risk management (TPRM), but on fourth-party risk management (FPRM).
When we bring on a new service provider, in a healthy TPRM program, we assess the service provider’s security (and maybe privacy) programs to see whether their security posture is something we can live with. I see a new set of questions to be asking our third parties, including:
- Which third-party service providers do your own third parties send our data to?
- Which third-party service providers are used to facilitate data transfer and other aspects of your service?
TPRM managers: these recent incidents should send us back into our methodologies to make sure we don’t have blind spots.
That is all.