Background
15th October 2024

A Guide to Third-Party Cyber Risk Management for Retail

Third-Party Cyber Risk Management is essential for a business partnering with external vendors. Read this to learn how to implement it in your retail business.

Scroll
Article Image Circle Circle

Home  »  Articles  »  A Guide to Third-Party Cyber Risk Management for Retail

A Guide to Third-Party Cyber Risk Management for Retail
Protecting User Privacy and Secure Internet Access

Cybercrime is not only a very real threat to online activity, it’s also growing at an alarming rate. With a projected cost of $9.22 trillion in 2024, that figure is expected to rise to $13.82 trillion by 2028. Cybersecurity experts are continually trying to fight that encroaching tide, with measures from awareness training to programs to detect cyberattacks. 

Like any war, the effort against cybercrime is being fought on many fronts, and input is needed by businesses, governments, and individuals, as well as cybersecurity experts. One area gaining more attention is the threat from interactions with third parties and the need for more stringent third-party cyber risk management.

So, what is cybercrime, and how can third-party cyber risk management help? 

What is cybercrime?

Image sourced from Statista.com

Cybercrime refers to any form of criminal activity targeting computers, computer networks, or any device linked to a network. In most cases, cybercriminals are looking for financial gain, but there can be other reasons for their activity, from industrial espionage to political or personal reasons. 

While some cybercriminals act alone, the majority work together, either as part of organised crime syndicates, or as groups who have come together over the internet. There are also many different types of cybercrime with varying degrees of malice and/or potential damage. These include:

  • Internet-based fraud (including via emails).
  • Identity fraud.
  • Industrial espionage (stealing and selling corporate data).
  • Cyberextortion (demanding money from a business to prevent attacks such as DDoS— Distributed Denial-of-Service); this also includes ransomware. 
  • Financial crimes (including theft of card or bank details). 
  • Theft of financial or card payment data.
  • Cyber-espionage (the theft of government data or information).
  • Copyright infringement. 
  • Illegal pornography.

This list is not exhaustive, which shows you just how widespread and problematic cybercrime has become in this digital era. 

What is third-party cyber risk management? 

Image sourced from ox.ac.uk

Third-party cyber risk management (TPCRM) is the process of identifying, assessing, and managing (or mitigating) any potential cyber threats that may arise due to interactions with third parties. Those interactions could occur anywhere in your online activities, from your supply chain to working with affiliates. 

TPCRM looks to provide a robust wall of protection against cybercrime by implementing policies that cover all online interactions with third parties and ensure that those parties follow a number of rules and regulations.

We’ve listed some of these below:

  1. Comply with any regulations you may decide on or which are part of your sector’s regulatory framework. 
  2. Avoid any unethical or questionable practices.
  3. Ensure that all confidential data and information is protected and not released into the public domain or passed on to others. 
  4. Build a high level of security within your supply chain. 
  5. Have contingency and mitigation plans in the event of cyberattacks, including a disaster recovery plan. 
  6. Provide a safe working environment and raise cybersecurity risk awareness amongst employees. 

Why is third-party cyber risk management essential? 

Image sourced from cybersierra.co

In today’s world, where digital innovation technology is commonplace, things are rarely a linear path from business to customer. Most organizations have some form of third-party involvement. Those third parties can range from shipping or logistics providers to external digital marketing agencies and other suppliers or vendors. 

As the saying goes, “if more than one person knows something, it’s no longer a secret”, though in this case, the more people/businesses in your online chain, the greater the chance of a weak link being prone to a cyberattack. Businesses want to eliminate operational risks and other threats or, at the very least, minimize those risks and mitigate any potential scenarios that may arise as a result of any risk. 

When a cybercrime does occur, a business may be exposed to potentially serious damage. That can range from financial losses to a major data securiy breach. You also need to consider that when a business admits to any form of serious attack, its reputation may be damaged, and it will have to work hard to rebuild consumer trust

There is also the question of any applicable laws and regulations, and a business may face hefty fines as a result of the attack. 

Common types of third-party cybercrime

Image sourced from statista.com

While there are many types of cybercrime, there are common ones that arise as a result of a weak third-party link in your chain. These are the ones that organizations need to be most aware of when bringing a new third party into your business network. 

Data breaches

This is now a very common form of cyberattack that happens because of third-party involvement. The risk of such attacks has grown as more businesses switch to cloud-based services and increasingly look to external security teams or IT providers, as well as more use of SaaS products. 

Whenever you contract with a third party, you should ask yourself two main questions: “what is the risk of a data breach involving this entity”, and “what is IT risk management going to do to help with any risk?”. You should always look at potential third-party risks and damage and work closely with any new partner to eliminate or minimize that risk. 

Ransomware and DDoS attacks 

In 2023, there were a staggering 317.59 million attempts at mounting a ransomware attack. With a ransomware attack, malware steals or encrypts crucial business data and then holds it for ransom (usually to be paid in cryptocurrency). While the number of ransomware attacks declined in 2023, payments made reached a record high of more than $1 billion.

DDoS attacks can take a single machine, a website, or an entire network offline. Many of these attacks are malicious in nature but can cost businesses an average of $6000 per minute in lost revenue, as well as a damaged reputation, customer churn, and IT costs. 

Compliance 

If you handle any sort of sensitive data, such as customers’ financial information, compliance with applicable laws and regulations, including the use of consent forms, is essential to ensure data privacy and security. This requirement holds not only for your internal operations but also mandates that third-party vendors adhere to similar standards. 

You may have stringent in-house cybersecurity measures to protect that data, but can the same be said for the third parties you interact with? Do they meet compliance requirements? 

You have direct oversight via policies such as HIPAA (Health Insurance Portability and Accountability Act), GDPR (General Data Protection Regulation), CCPA (California Consumer Privacy Act), and others. These may govern not only how you manage data, but also how you grant access to third parties. Failure to comply can lead to financial penalties and a reduction in trust from your customers. 

You may already have SOC 2 compliance so that is a step in the right direction, but is it something your third-party vendors and suppliers have too?

TPCRM challenges 

Image sourced from consultrnr.com

Everything you do comes with a certain level of challenges or difficulty; every new technology, every new process or system, and TPCRM is no different. One of the cornerstones of an effective TPCRM policy is recognizing those challenges and meeting them head-on. While factors such as the sheer volume of IT infrastructure and evolving laws and regulations are out of your control, there are other factors you can do something about. 

If you look back even 10 years, you can see how much has changed when it comes to IT and technology. AI (artificial intelligence) was still mostly in the realm of science fiction, while today, artificial intelligence is an integral part of the business landscape. 

You need agile IT policies to meet that changing landscape and the increased volume and complexity of cybercrime. 

  • Relationships. With an increasing number of third parties in most companies’ business networks, there is a related increase in all parties relying on technology as well as an increased risk of cyberattacks. You should first audit the security measures of any potential new partner, then include cybersecurity-related clauses in any contract or SLA (service-level agreement). 
  • Changes. As mentioned, the business landscape is changing, and the regulatory environment is constantly evolving. Businesses should keep up to date with general data protection laws as well as any industry-specific regulations. 
  • Monitoring. Most businesses may conduct an initial audit of a potential partner’s cybersecurity measures, but you must revisit that assessment irregularly. Assessments should be conducted regularly to ensure that your partner complies with all requirements and has updated protection when available. 

What should you include in your third-party cyber risk management policy?

You likely have several risk mitigation policies—including operating risk management—within your organization. When it comes to the risk levels of cyberattacks, you should have several crucial steps in your policy, both in the first steps to a relationship and on an ongoing basis. 

Evaluation

Once you have identified a potential partner, risk profiles should be your first step in establishing a relationship. You want to identify any risks that may occur if the relationship moves forward, as well as security ratings. However, remember that your vendor risk assessment may lead to the third party improving things to meet your requirements. 

Engagement

The next step in any relationship—especially if the assessment of the potential partner has exposed some weaknesses—is to engage with them and suggest improvements that can be made to their security controls. 

In these discussions, emphasizing pricing transparency is crucial. It ensures that all costs associated with cybersecurity measures are clearly outlined and agreed upon, preventing any hidden charges and fostering trust in the partnership. 

This can be an essential step if there is an applicable regulatory framework they need to comply with. You will also want to know how robust their internal security is. 

Remediation

You may find yourself at a fork in the road at this point. If a potential partner presents unacceptable levels of risk and won’t address them, then walk away. However, if the partner recognizes the risks, they may work with you to remedy them. 

Decision

Your penultimate step is to walk away or to sign a contract or SLA with the vendor. Any contract should include the specific steps the vendor should take to address any identified risks. 

Monitoring

Once you have moved into an actual business relationship, you should still be diligent about cybersecurity, especially if the initial evaluation identified potential risks. Once that relationship has started, the vendor may have access to critical systems and sensitive information, and continuous monitoring and audits are essential elements as third-party relationships move forward. 

Third-party cyber risk management best practices

When you develop a TPCRM policy, there are several best practices that you should include in any plan. 

1. Define your goals

    You should be looking at how your TCPRM plan aligns with your organizational goals and other management and risk policies you have. For example, ask yourself what is corporate performance management (CPM) going to contribute to your TCPRM. Identify any and all relevant risks within your organization that may affect your cybersecurity. 

    You can also think about how other risks such as geopolitical or financial risk may increase the risk of cybercrime. Develop an overall third-party risk management framework that recognizes where there are interrelationships and places your TCPRM at the center.

    2. Involve all stakeholders

      For any TCPRM plan to be effective, you need to involve all the stakeholders, both those within your organization and the relevant personnel at any partners. Foster a high level of collaboration through efficient communication and, if possible, regular meetings in person or as video conferences. It can help to have that high level of involvement from the beginning. 

      3. Implement robust monitoring strategies 

        The importance of monitoring potential threats cannot be stressed enough. You should be monitoring both your business partners and your internal business operations. It should also be a regular activity and any identified risks should be shared between all stakeholders. This sharing of information should also extend to factors such as essential software security updates. 

        Monitoring can be especially important when initial evaluations have identified risks, even when the vendor has taken action to remove or mitigate that risk. 

        4. Categorize identified risks

          Not all risks are created equal, but they’re still risks. This extends to the third parties you partner with, and you can also determine how important that provider is. For example, if your fulfillment center was in an area with no other logistics providers, then the vendor you choose would be of more importance to you than one in an area where there were lots of alternative service providers. 

          Businesses tend to divide their third-party partners into one of three categories.

          • Tier 1 – a vendor with a high level of importance to your business and also with high risk. 
          • Tier 2 – Medium importance and risk. 
          • Tier 3 – Low importance and risk. 

          Of course, it can be a little more complicated than that. A vendor may be of high importance but carries low risk, and so on. This is why the evaluation process is so important. By identifying how important and the level of risk a potential partner is, your organization can prioritize which vendors and issues to deal with. 

          The takeaway 

          It doesn’t matter whether you are a large enterprise or a small business, cybercrime is a very real risk. It can present operational, financial, and reputational risks. Your cybersecurity posture needs to be a strong one, especially when onboarding a new third-party partner. Look at how regulatory requirements could penalize you, and you will understand how important stringent cybersecurity is. 

          Evaluation and ongoing monitoring can provide you with actionable insights and can highlight weak links in the chain. Effective third-party risk management is crucial for any business that works with external partners. When security risks do happen, you want to ensure business continuity with a strong third-party cyber risk management plan.

          Categories: Articles, Cyber Security

          Plane
          Quarterly Newsletter

          Sign up to our quarterly newsletter to receive the latest and most relevant updates, interviews and opinions from finance’s leading lights.

          Subscribe
          Covers
          Explore Previous Issues

          View the latest issue of the Wealth & Finance digital magazine which features business profiles of leading industry insiders who are thriving in the finance and investment sector.

          See Latest Issues
          Trophy
          Explore Previous Awards

          Click here to view our current and archived Award programmes.

          See Our Awards
          Other Articles You Might Like
          See All Articles
          WORLD’S FIRST P2P CURRENCY EXCHANGE PLATFORM WESWAP HITS 500,000 USERS, LAUNCHES £2.3M FUNDRAISEREAD MORE
          Articles15th July 2019WORLD’S FIRST P2P CURRENCY EXCHANGE PLATFORM WESWAP HITS 500,000 USERS, LAUNCHES £2.3M FUNDRAISE

          This morning, WeSwap, the award-winning peer-to-peer currency exchange platform, announces that in tandem with the launch of a £2.3 million funding round on leading investment platform Seedrs, it has hit 500,000 users. This raise will support the Series B investment round led by IW Capital, WeSwap’s lead investor, who has invested an additional £3.7 million […]

          Stephen Campbell on the Growth Capital MarketREAD MORE
          Articles13th March 2014Stephen Campbell on the Growth Capital Market

          Stephen Campbell, Partner of Panoramic Growth Equity, gives his predictions on the growth capital market in 2014

          How Can the Banking Industry Emerge Stronger from The Covid-19 Pandemic?READ MORE
          Articles21st August 2020How Can the Banking Industry Emerge Stronger from The Covid-19 Pandemic?

          With growing levels of unpredictability around how the pandemic will unfold, there is a societal expectation that access to comprehensive digital services will continue and improve. This expectation is particularly prominent in the banking industry, which rolled out an expanded range of digital services during the early stages of the pandemic to enable customers to manage their finances safely from home.

          New Appointment to Rockefeller Foundation BoardREAD MORE
          Articles7th July 2014New Appointment to Rockefeller Foundation Board

          The Rockefeller Foundation, now in its second century of advancing the well-being of humanity, has announced the appointment of Ravi Venkatesan to its Board of Trustees.

          IVA or bankruptcy: what is the best solution for your debts?READ MORE
          Articles23rd November 2018IVA or bankruptcy: what is the best solution for your debts?

          If you are suffering from severe cash flow issues, you may be considering both bankruptcy or an individual voluntary arrangement (IVA). Bankruptcy and IVAs are both legally-binding and formal insolvency options between you and your creditors. However, while they might appear similar, there are some vast differences to consider before entering into one of the […]

          Hargreaves Lansdown release QE tips for investors in EuropeREAD MORE
          Articles23rd January 2015Hargreaves Lansdown release QE tips for investors in Europe

          After the ECB propose to inject at least €1.1 trillion into the eurozone economy, investment service Hargreaves Lansdown outline its implications.

          Keeping your Payment options open, by Anderson ZaksREAD MORE
          Articles7th November 2018Keeping your Payment options open, by Anderson Zaks

          EPOS, MobilePOS, Pin on Glass, Pin on Mobile – there’s a lot to choose from for today’s merchant. Adina Ahmed, Chief Technology Officer at Anderson Zaks explains some of the latest options. “In many emerging economies, people are by-passing traditional bank and card accounts altogether and adopting mobile payments” Mobile phones have revolutionalised the way […]

          Crossroads Systems Regains NASDAQ ComplianceREAD MORE
          Articles8th April 2014Crossroads Systems Regains NASDAQ Compliance

          Crossroads Systems has announced that it has received notice from The NASDAQ Stock Market that it had regained compliance with Listing Rule 5550(b)(1).

          Most Companies Now Taking Steps to Minimise Excise Tax ExposureREAD MORE
          Articles17th October 2014Most Companies Now Taking Steps to Minimise Excise Tax Exposure

          A new pulse survey from Aon Hewitt, the global talent, retirement and health solutions business of Aon plc (NYSE: AON), reveals that a significant number of U.S. employers are taking immediate steps to avoid triggering the excise tax on high cost health plans when it goes into effect in 2018.

          Adar Capital Partners: Hedging Their BetsREAD MORE
          Articles4th January 2017Adar Capital Partners: Hedging Their Bets

          Adar Capital Partners (ACP) specialises in asset management and wealth management, seeking strong returns for investors by identifying undervalued opportunities that markets sometimes assign without basis. We invited Diego Marynberg to tell us more about the firm and its investment strategy.

          Arrow

          Wealth & Finance International is part of AI Global Media

          Discover our 10+ brands covering different sectors
          APAC InsiderBUILD MagazineCorporate VisionEU Business NewsGHP NewsAcquisition InternationalNew World ReportMEA MarketsCEO MonthlySME NewsLUXlife MagazineInnovation in BusinessThe Business Concept