The Intersection of Third Party Risk and Insurance

Posted by Mark Greisiger

A Q&A with Matthew Cherian of BitSight
Third party data security risk continues to grow, and even mature enterprises struggle to contain this unwieldy challenge. For cyber insurers, it’s becoming increasingly urgent to find better tools for assessing third party vendor risk when underwriting a policy. To learn more about why and how this should be done, I spoke with Matthew Cherian, Vice President of Strategic Partnerships at BitSight.

From the perspective of enterprises, most risk comes from third parties. Why has this problem become so critical?
A recent study by the Ponemon Institute showed that nearly 60 percent of organizational data breaches happen through third parties. A good example of this was the Target data breach where the hackers reached Target through a third party HVAC vendor. This problem is only getting worse because it’s increasingly common for companies to outsource nonessential functions, yet they haven’t done a good job of assessing vendor security credentials. Not only do vendors often have weaker information security, but in many cases they’re getting access to the crown jewels in terms of valuable data. As such, there has been an increase in bad actors targeting third parties, triggering cyber insurance claims. Over time, more data has been processed by third party vendors, with more data elements potentially compromised. A lot of damage has been done as a result of poor risk management practices, whether that’s data loss or ransomware attacks or other incidents.

How should insurers account for third party risk when underwriting policies? How can third party risk be made more transparent?
Insurers need visibility into companies’ dependencies and all of the associated risks at play before underwriting cyber policies that could get triggered as a result of third party weaknesses or actions. It’s a two-step process. First, the company must reveal who their third party vendors are, and then the insurer can rely on this information while engaging in a “trust and verify” process. They want to make sure they’re making accurate underwriting decisions using a reliable tool. BitSight offers third party risk management solutions that allow cyber insurers the capability of assessing third party security posture.

When insurers look at this problem, who are the stakeholders in that third party ecosystem?
Stakeholders will include the insurer, the organization and any third parties involved.

What kind of behavior should insurers demonstrate and expect from enterprises to reduce the risk of having a claim stemming from their third parties?
All three of these groups can work together to reduce the risks if the insurer can put the right incentives in place. If the insurer takes third party risk seriously and engages with the enterprise to help reduce risk with better insurance products and services, chief risk officers can do their part to work with third parties to develop robust risk management programs. Third parties in turn must take action to ensure that customer data is not compromised, fixing whatever security gaps are identified along the way. Third parties should also be transparent about their own cyber coverage so that their clients are not left holding the bag in the case of a breach. In order for this ecosystem to work and create optimal outcomes, each group needs to make sure that they’re working in good faith to reduce and manage risk.

In summary…
I’d like to thank Mr. Cherian for his insights into third-party vendor risk. This is especially important as the majority of organizations continue to outsource data/computing, and not just to one third party vendor but often to many. The question companies need to be asking is this: What do we know about the cybersecurity readiness of the service providers we trust with our most sensitive business information and operations? As Mr. Cherian points out, this question is of huge importance to the cyber risk insurance community, which is concerned about aggregation and systemic risk, ultimately insuring not just the policyholder but data wherever it resides. And to make things even more complex, one also needs to understand fourth-party risk: your vendor’s vendors, too, often outsource. For this reason, many insurers are leveraging cyber risk intelligence companies such as BitSight, a leader in this space.