Skip to main content
Third-Party Cyber Risk: Navigating the Maze in Pharma and Beyond
CybersecurityLeadership

Third-Party Cyber Risk: Navigating the Maze in Pharma and Beyond

By March 12, 2024March 14th, 2024No Comments

The pharmaceutical industry, alongside countless others, thrives on collaboration with a network of external vendors. These partnerships unlock valuable opportunities but also expose potential vulnerabilities in cybersecurity. Throughout my career in cybersecurity, I’ve gained a comprehensive understanding of third-party cyber risk from both the customer and vendor perspectives, having served on both sides of the table – as the one assessing and improving supplier security and as the one being assessed. While I wouldn’t claim to have every answer, I’m convinced that current assessment methods, whether automated or manual, often fail to uncover the true extent of the risks involved.

Instead of abandoning third-party risk management altogether, we should challenge ourselves and the industry to adopt a smarter, data-driven approach, emphasizing business context and leveraging it effectively.

The Flawed Landscape of Managing Third-Party Risk

Traditional methods of evaluating third-party cyber risk fall short in key areas:

  • Program assessment questionnaires: While common, these questionnaires often fail to provide proper context and scope or validate responses with evidence. They also tend to be “yes” or “no” responses without a good way to understand how well the company is satisfying a control.
  • “Outside-in” scans: Though useful, “Outside-in” scans provide a limited perspective on a supplier’s overall cybersecurity posture. They primarily identify external vulnerabilities exposed on the internet, offering little to no insight into how the supplier internally manages and safeguards data through essential components like people, processes, and technology. While these scans can serve as an initial indicator of potential risk, they shouldn’t be solely relied upon for comprehensive third-party cyber risk management.
  • Supplier Audits: While vendor audits offer a valuable opportunity for in-depth assessment, they present some practical challenges. Firstly, their implementation relies on prior negotiation and inclusion within the contract, limiting their application to specific partnerships. Additionally, the scope and thoroughness of the audit can vary significantly. This is because access granted to the auditor can range from on-site visits with full documentation access to limited remote reviews. Finally, and perhaps most importantly, internal audit teams often face resource constraints. Juggling various internal audit demands, they are typically limited to conducting only a handful of vendor audits per year, hindering the scalability of this approach.

Contractual language requiring specific cybersecurity and data protection controls are common for companies trying to proactively manage risk. Some of the challenges I’ve seen with this include:

Concept Image of a Service agreement written by a lawyer.

  • Master Services Agreements (MSAs) contain unrealistic and/or unmet cybersecurity control clauses: In the quest to secure partnerships, both sides sometimes fall into the trap of unrealistic expectations. Suppliers, with good intentions, might agree to terms that exceed their capabilities, leading to potential compliance gaps and legal vulnerabilities down the road. From the supplier’s perspective, I’ve witnessed instances where large companies set unrealistic expectations for smaller vendors, who have little chance of fulfilling them. While some savvy suppliers might negotiate for more practical terms, others simply accept them out of fear of missing the opportunity. This can put them at significant risk, unknowingly taking on contractual obligations they struggle to meet. This highlights the need for a balanced approach to ensure both parties enter agreements with realistic expectations and a clear understanding of their respective roles and responsibilities.
  • Good intentions to “fix things” become “fumbles”: While some suppliers enter into contracts with the best intentions of meeting the required security standards, they often fall short of their goals. This “fumble” can occur due to various reasons.  Limited funding may hinder their ability to implement necessary security measures. A lack of expertise within the supplier organization can also impede progress. Additionally, competing priorities within the supplier might push security compliance down the to-do list. Perhaps the most pressing issue is the ongoing challenge of implementing and maintaining effective controls throughout the partnership. In the most concerning scenario, some suppliers, under the mistaken belief they won’t be caught, deliberately neglect their contractual obligations, leading to potential breaches and legal ramifications. It is crucial to address these challenges to ensure all parties involved are committed to upholding their security responsibilities.

It’s critical for both customers and suppliers to avoid a false sense of security when it comes to third-party cyber risk management. The worst-case scenario arises when customers knowingly set unrealistic expectations in contracts, and suppliers sign on despite lacking the capabilities to meet them. This situation, while uncomfortable to acknowledge, is far more common than we’d like to admit within the industry. Moving forward, fostering open communication and setting realistic expectations is paramount to building trust and mitigating potential security risks within the third-party ecosystem.

Navigating the Maze: Tips for Both Sides

Identifying challenges is a crucial first step toward improvement, but it’s only the beginning. While a one-size-fits-all solution for managing third-party cyber risk remains elusive, there are actionable steps companies can take to be more effective on both sides of the equation. By implementing these strategies, we can move beyond simply identifying issues and work towards creating a more secure ecosystem for all involved.

For Assessor/Reviewing Parties (Customers/Corporations):

  • Move beyond generic questionnaires: Conduct deeper assessments that involve:
    • Tailored inquiries: Craft questions specific to the supplier’s services and data access. “Following the data” can be a good exercise to consider where the actual risk exists within a supplier. I like to challenge the convention of coverage vs depth.  Perhaps teams could send 15 questions that go into data, business process, information handling relevant specific controls versus covering 200+ questions on every cybersecurity program element.
    • Evidence-based validation: Request a sample of documentation, controls, and evidence to support the supplier’s responses. This one can be tricky and may have some contractual limitations, but I like to design a focused live session between cyber leaders to discuss key aspects of the program and necessary controls.
    • Risk-based scoring: Develop a scoring system to prioritize risks based on the potential impact on your organization. I’ve seen some companies that send questionnaires and don’t really look at the results (other than confirming that they are fully completed). This adds no value beyond demonstrating a paper trail of diligence. However, the volume of review work and limited resourcing can often create corner-cutting and limited focus.
    • Action plans and issues management: While identifying risks is crucial, it becomes a liability if not accompanied by a plan for remediation or improvement. This perspective, often emphasized by legal professionals, highlights the inherent risk of ‘check-the-box’ assessments. They argue that uncovering vulnerabilities without addressing them creates a greater risk than remaining unaware altogether. While this viewpoint stems from a litigation-focused lens, it underlines the importance of actionable risk management that goes beyond mere identification and translates into concrete steps for mitigation.
    • Engage in ongoing dialogue: Establish regular communication channels with your suppliers to discuss risk updates, mitigation strategies, and progress. It also helps to make sure you are talking to an actual cybersecurity person than a sales representative completing the risk assessments to close their deal or “make it go away.”

For Suppliers:

  • Understand the MSAs you sign: Don’t get locked into unmanageable security obligations! Before signing an MSA, assess your ability to meet its cybersecurity clauses. As a fractional CISO, I’ve seen many suppliers struggle with this. I recommend prioritizing your top contracts and aligning their MSA terms with your actual cybersecurity controls. This often-overlooked step can prevent future headaches.
  • Be transparent and proactive: Communicate your limitations openly and proactively engage with the reviewing party to discuss potential solutions and adjustments to the MSA.
  • Invest in your own cybersecurity posture: Continuously improve your internal security controls, including people, processes, and technology, to manage data effectively and minimize vulnerabilities. This sounds obvious in today’s age of cyber threats, but many companies (especially within certain types of suppliers) are lucky if they are even doing the basics.

The Future of Third-Party Cyber Risk

While I share the hope for a future where managing third-party cyber risk becomes less tedious and more streamlined, I believe a “silver bullet” solution, like a magic bullet SaaS tool, isn’t realistic. The complexities of business context, processes, people, and legal contracts are deeply ingrained in these risks.

At Reveal Risk, we champion a context-driven approach that resists the urge to over-standardize and reduce everything to high-volume paperwork. This resists the temptation to “boil the ocean” and ensures that assessments remain relevant and actionable, ultimately preventing the risks from becoming just another administrative burden.

Beyond Pharma: A Broader Relevance

While my career focus as a corporate practitioner and in consulting has been within the pharmaceutical and life sciences industry, my comments, concerns, and ideas throughout this article are largely applicable to other industries as well. By adopting a more business risk-focused and collaborative approach to third-party cyber risk management, both reviewing parties and suppliers can build stronger, more secure partnerships, ultimately protecting sensitive data and upholding compliance.

Remember, effective communication, realistic expectations, and continuous improvement are key to navigating the complex landscape of third-party cyber risk.

 

At Reveal Risk, we evaluate, design, and deliver strong processes and results in cyber, privacy, and risk that work efficiently, are fit-for-purpose, and are sustained. If you want assistance building your company’s cyber security strategy, governance, and plan towards desired state maturity, please don’t hesitate to contact us at info@revealrisk.com

317.759.4453  

 

About the Author

Chris is a recent practitioner with 20+ years of security risk management experience and over 15 years working in pharma and life sciences organizations.  He’s worked in the cybersecurity programs at Merck & Co., Inc., C.R. Bard/Becton Dickinson, and Catalent Pharma Solutions.  Chris specializes in program development across several domains in cyber security, including strategy, internal/third-party risk, vulnerability management, engineering, operations, incident response, and data security.​

Leave a Reply

Close Menu