The ‘seven deadly sins’ are a classification scheme established by the Roman Catholic church in the 15th century. These are the seven sins from which, in that tradition, all immorality is believed to spring: pride, greed, lust, envy, gluttony, wrath, and sloth. In the same spirit, we have enumerated the seven deadly sins of third-party cyber risk management. It is because of these sins that programs fail to get off the ground, die a slow death, or deliver only limited value to the organization. Let’s take a look.
First Deadly Sin: Believing that you can outsource your risk
Too many enterprises believe that it is solely the responsibility of the vendor to manage the cyber risk related to the outsourced data and services. This is simply not true. The regulators have consistently made it clear that you can outsource your systems and services, but you can’t outsource your risk. In 2008, the Federal Deposit Insurance Corporation stated vendor risk management requirements in this way:
“An institution’s board of directors and senior leadership are ultimately responsible for managing activities conducted through third-party relationships, and identifying and controlling the risks arising from such relationships, to the same extent as if the activity were handled within the institution.” (www.fdic.gov)
Other regulatory bodies have issued similar guidance — the U.S. Department of Health & Human Services, the European Union, the New York Department of Financial Services, and the Office of the Comptroller of the Currency, among others (See: A regulatory guide to third-party cyber risk).
While your vendor contracts may have financial data breach penalties, or you may have cyber insurance, financial mitigation is not the only risk. You have other risks to consider as well, including regulatory, reputational, and operational risks. You can outsource your systems and services, but you can’t outsource your risks.