PH panel addresses third-party risk management


CYBERTHREATS constantly evolve, so securing third parties and supply chains is very important. In a recent webinar, a panel of top Philippine experts discussed the twin challenges of supply chain and third-party risk management.

Featuring insights from Philip Kwa, Academic Programs director for the Masters in Cybersecurity at the Asian Institute of Management; Rei Nikolai Magnaye, chief information security officer (CISO) of Equicom Savings Bank; Kevin Paul Abu, testing control manager at Standard Chartered Bank; and Gabriel Punsalan, acting internal audit group head at Bank of Makati, this discussion offered a deep dive into strategies and best practices for safeguarding enterprises from these complex risks.

Kwa referenced the National Institute of Standards and Technology (NIST) Special Publication framework, explaining that third-party management directly oversees relationships with suppliers, vendors, or consultants. In contrast, supply chain risk encompasses a broader network, including operational processes like manufacturing and logistics. "When you look at third-party risks, you are looking at these external entities — your suppliers and your vendors," said Kwa. For supply chain risk, "the processes are spread across different levels of interactions — getting your raw materials from your suppliers and producing it to a finished good all the way until it reaches your customers. It includes third parties as well as your internal operational processes." These risks are integrated components of the broader enterprise risk landscape.

Abu highlighted the distinct focuses of third-party and supply chain risks. He provided examples to clarify: outsourcing data destruction represents third-party risk without directly impacting the supply chain, whereas machinery breakdown in a plant signifies supply chain risk without involving a third party. He recommended categorizing vendors based on their service type, operational impact, and the data they process to manage third-party risk effectively. This approach helps prioritize cybersecurity assessments for higher-risk vendors.

Magnaye emphasized the importance of considering the broader impacts of third-party failures, including operational and reputational risks.

Punsalan noted that organizations often use terms like "external stakeholders" to encompass suppliers and vendors and emphasized that many enterprises do not perform governance tests of their third parties and lack a copy of the vendor's plan for internal controls.

Best practices for risk management

Abu highlighted the importance of categorizing vendors based on service type, operational impact, and data processing needs. This categorization allows for tailored cybersecurity assessments. The risks of over-relying on certifications like the International Organization for Standardization (ISO) or Service Organization Control (SOC) were also emphasized.

Kwa and Punsalan pointed out that these certifications might only cover some necessary controls, and it's essential to understand their scope.

Magnaye noted that certifications often have defined scopes and do not always show everything controlled by a third party, and he advised looking at the statement of applicability for ISO standards. He warned against the "out of sight, out of mind" mentality when outsourcing tasks, emphasizing the need for continuous monitoring and governance of outsourced processes.

Kwa highlighted the importance of not neglecting lower-risk vendors, as their risk profiles can change over time.

Choosing the right framework

Abu advised selecting frameworks for third-party management that fit the organization's operating model and business objectives.

Kwa supported an integrated approach, ensuring the chosen framework aligns with business governance and technical requirements.

During the discussion, the panelists shared various approaches to third-party risk management and best practices for auditing third-party vendors. Punsalan pointed out that many enterprises must perform governance tests of their third parties and obtain a copy of the vendor's plan for internal controls.

Abu recommended performing procedures, including tabletop exercises and MK Denial (a Denied Party Screening database from Descartes) reviews, to determine whether the third party has any sanctions. He suggested using third-party questionnaires and conducting pre-audits when possible.

Magnaye noted that certifications often have defined scopes and do not always show everything a third party controls. He advised looking at the statement of applicability regarding ISO standards.

Given the growing interconnectedness of systems and operations, the panel concluded that robust corporate capabilities are essential to address supply chain risk. They emphasized that supply chain and third-party risk management will continue to be vital, evolving alongside technological advancements like AI.
