Following several high-profile cyber breaches involving third parties at major UK retailers in recent months, the panel on “Identifying and Mitigating Cyber Risks in Third-Party Relationships” was one of the most anticipated sessions at our recent London Summit on Third-Party Risk Management.
Moderated by Ethixbase360 CEO Peter Sweetbaum, the session featured Katherine Kearns, Head of Proactive Cyber Services, EMEA at S-RM and Tristan Atkins, Chief Product and Technology Officer at Ethixbase360. Together, they offered valuable insights into the impact of recent breaches and shared practical strategies to help attendees strengthen their own cyber risk management practices.
Gartner has projected that by 2025, 45% of organizations globally will experience attacks on their digital supply chains. We’ve already seen the disruption caused by cyber breaches at major retailers like Marks & Spencer, the Co-op, and Harrods this year. With that in mind, the discussion opened by asking attendees how much responsibility for cyber risk falls within their remit—keen to understand whether the surge in cyberattacks has shifted how organizations are approaching and managing cyber risk.
In fact, for 65% of the audience, responsibility for cyber risk lies solely with their Security and Information teams. The remaining attendees were split between those seeing an increasing role in managing cyber risk and others for whom it is an emerging area of focus.
This set the stage for a compelling discussion. When responsibility sits within the IT function, the focus may be on technology partners. Companies need to ask themselves whether they have a full view of all their third-party relationships and associated vulnerabilities. Our panellists noted that the high-profile retailers hit by major cyberattacks this year had all likely invested heavily in protecting their own systems; the real weakness, however, lay within their supply chains. In other words, it was third parties that exposed them to risk. Marks & Spencer, for example, is estimated to have suffered a £300 million loss in profits as a result.
Having discussed the increasing dangers of cyberattacks, the discussion then turned to how organisations can best protect themselves against these threats. Announcing the exciting new partnership between Ethixbase360 and S-RM, Sweetbaum reinforced the need for companies to take ownership of a holistic, coordinated process involving procurement, legal, risk and compliance as well as security and IT, to protect against supply chain attacks that are extremely lucrative for criminals. He pointed out that the ultimate reputation damage is to the end company rather than the supplier that was breached.
Kearns then offered practical guidance to the audience in the form of a four-stage plan to help companies improve their protection against third-party cyberattacks.
1. Identify – review your organisation’s third-party exposure and identify your key suppliers with regard to the potential impact on your business.
2. Assess – understand how and where your suppliers have access to your internal environment, sensitive data or critical technology.
3. Monitor – implement automated tools and threat intelligence to continuously monitor and be able to flag risks.
4. Prepare – implement business continuity and disaster recovery plans with your suppliers and ensure security obligations form part of your contracts.
To learn more about Ethixbase360 Third Party Risk Management, Powered by S-RM,