Five steps to minimise your third-party cyber-security risk

Sep 11, 2020

Cyberattacks have always been around, but recently they've been on the rise, especially when it comes to third parties. What is the best way to safeguard your company against these risks? Pat Moran gives five practical steps on the best way to manage third-party cyber-security plans.

Cyberattacks and data breaches are rarely out of the news, and when they do occur, they have wide-ranging impacts. In response to an ever-evolving cyberthreat landscape, many Irish firms have made significant investments to strengthen their cybersecurity capabilities. I’ve seen clients deploying new technologies, developing new capabilities, and implementing new security processes, all to increase the cyber-resilience of the organisation.

However, focusing on what's inside your company is only part of the challenge. Any firm's security posture is only as strong as its weakest link. And very often, the weakest link exists outside your organisation.

While it's not a new concept, more and more firms are engaging with third parties to reduce costs, enhance performance or avail of a specific skill set that they don't have. The term 'third party' can be used interchangeably with 'vendor', 'supplier', 'partner' or 'outsourced provider'. Regardless, they mean the same thing: an increased risk of cyberattacks for your organisation.

The COVID-19 crisis has only reinforced how dependent most organisations are on an interconnected ecosystem of third parties to run their business. We've seen firms across all sectors struggling to get visibility on the resilience of their supply chain to ensure that the lights can be kept on. Suppliers are facing the same challenges of getting their workforce connected securely, adhering to security policies and maintaining a culture of cybersecurity awareness. All of this is against the backdrop of a heightened threat landscape. Opportunistic cyber-thieves are looking to take advantage of the uncertainty created by the crisis.

When you're operating in an interconnected environment with third parties, cybercriminals have a larger attack surface from which to launch an attack.

You can outsource almost everything but accountability

PwC’s Global Economic Crime and Fraud Survey 2020 highlights that one in five respondents identified vendors and suppliers as the source of their most disruptive external fraud. Half of the respondents lacked a mature third-party risk management programme and 21% had none at all. This highlights the size of the challenge faced by firms. And when a third party has an incident that impacts the security of your customers' data or impacts your ability to deliver a service, your customers don't see the distinction. You can't outsource accountability.

To compound the matter further, all of the above is happening in the face of the pressures of reducing costs and improving efficiency, along with increased regulatory expectations.

To navigate some of the above challenges, below are some practical steps your organisation can take to manage the risk of cyberattacks caused by engaging with third parties.

1. Establish your operating model

Developing your operating model and framework is the foundation of effective third-party risk management. The operating model should outline the governance and reporting requirements over your third parties, how to determine the criticality of each third party, and what technology can be leveraged. For mature or regulated entities, a centralised programme likely already exists, but the security team should be active participants. For less mature organisations, the security team might be the driver.

2. Identify your inventory

Creating a complete and accurate inventory of your third parties, including your fourth and fifth parties (also referred to as chain outsourcing), is a prerequisite for effective risk management of your supply chain.

3. Plan before you engage

Before you bring a prospective third party on board, invest time in understanding their security posture. Do they meet your minimum security expectations and standards? If not, do they have other mitigating plans or processes that will give your organisation more comfort?

Not all products or services lend themselves to outsourcing, so make sure to develop a robust planning process, where assumptions can be challenged, to ensure that outsourcing or engaging a third party is not outside the risk tolerance of the firm. Security requirements should be baked into contracts and service level agreements.

4. Monitor, monitor, and then monitor some more

The most time- and resource-consuming activity is typically your ongoing monitoring and governance. The security team should be included in weekly or monthly operational meetings for critical third parties, and risk assessments should be performed at least once a year for all your third parties. Tooling and ratings services are now common on the market to support this.

5. Exit gracefully

With all the right intentions and robust processes in place, surprises still happen. Be prepared with a backup plan if services cannot be provided by a third party, or if you need to exit the arrangement with little notice.

Pat Moran is a Partner in PwC.

© Copyright Chartered Accountants Ireland 2020. All Rights Reserved.
