
One of Your Vendors Was Hacked - Now What?

26 July 2024

As cyber criminals adopt increasingly sophisticated techniques and gain access to improved hacking tools and technologies such as AI, debilitating cyber events are on the rise. Cyberattacks and data breaches can be extremely costly to organizations: they can bring operations screeching to a halt, cause massive financial losses and hefty fines, and irreparably damage your organization’s reputation.

Companies are asking themselves: how effective is our third party risk management program at dealing with a potential breach at one of our vendors or third parties? Companies need to be prepared not only for internal breaches, but also for the impact of cyber-attacks on their vendors and the third parties they do business with.

Given the increasingly complex and interconnected nature of operating in today’s business environment, organizations have more vendors and third parties now than ever before. This means that, whether your organization is aware of it or not, you have also increased your organization’s risk exposure and the potential for cyber-attacks and data breaches. This not only means a greater risk for your organization, but also greater risk to your customers and your stakeholders.

It’s important for organizations to understand the security and data privacy risks that come with doing business with vendors and third parties. Having a robust third party risk management strategy can help organizations mitigate their risk exposure and make better business decisions. Some important things to consider when performing due diligence and evaluating vendors and third parties:

  • What sensitive customer or proprietary data do your vendors have access to?
  • How are your vendors securing and protecting that data?
  • Where is the data being stored?
  • Does your vendor have a System and Organization Controls report (e.g. SOC 1, SOC 2, etc.)?
  • Do your vendors outsource any of their functions to additional third parties?
  • If so, what controls and procedures are in place for those third parties?
  • How is your organization assessing and monitoring the risks introduced by your vendors and third parties on an ongoing basis?

A key tenet of effective third party risk management is understanding that just because a function has been outsourced to a third party, management does not also outsource its responsibility over that function.

The role of SOC 2 reports in Third Party Risk Management

Organizations need to have a clear understanding of what type of data is being shared with their vendors, how that data is being handled and stored, and what measures their third parties are taking in order to secure it. If vendors have access to data, organizations should be proactively obtaining and reviewing their vendor’s latest SOC 2 report. SOC 2 reports are an important tool that gives insight into the controls in place at a vendor and provides assurance that the vendor is adhering to the latest industry standards for data security, data privacy, data availability, data confidentiality, and data processing integrity.

Additionally, a SOC 2 report demonstrates that the vendor has been assessed by an independent CPA firm and has implemented sufficient controls to manage and protect the data they handle. SOC 2 reports can give your organization peace of mind knowing that your vendor takes data security seriously.

At FustCharles, we understand the importance of safeguarding your organization's data and maintaining an effective third-party risk management strategy. If you’re not sure where to start, our Risk Assurance team can help guide you no matter where you are in your journey. 

We offer comprehensive SOC Reporting (SOC 1, SOC 2, SOC 3) services as well as Enterprise Risk Management Assessments to help you navigate the complexities of operating in today’s environment. Contact us today and see how we can help your organization.

Learn more about our Risk/IT Assurance Services

Meet Our Expert

Jeffrey R. Ritchie, CPA - Principal


Jeff Ritchie is a risk and controls specialist with over 11 years of experience helping both public and private organizations assess and manage their risk landscapes. Jeff’s expertise across both operational and IT control environments allows him to provide a unique perspective and insight to clients, tailored to their specific risks. This allows organizations to make better decisions and provides a comprehensive and streamlined way to identify and manage their risks.

Jeff has extensive experience in System and Organization Controls reporting (SOC 1 and SOC 2), enterprise risk management, internal control transformation projects, SOX 404 compliance, IT control assessments, process improvement and control readiness assessments.

Jeff is a CPA licensed in New York and is a member of the American Institute of Certified Public Accountants (AICPA). He obtained his B.S. and M.S. in Accounting from Siena College and resides in Syracuse.


Contact Jeff for a discussion on how we can help your organization.

jritchie(at)fustcharles.com

315.928.7445
