How well do you really know your third parties?
Canadian companies are more reliant on third parties for technology-related services than at any other time in history — a trend that has been accelerated by the rate of digital innovation throughout and since the COVID-19 pandemic. The reasons for this are severalfold.
One is that many organizations are struggling to find the expertise needed to manage technology at the rate they’re adopting it. This has been amplified by the ongoing labour shortage, which is forcing many IT functions to split their focus between recruiting for IT needs and supporting other areas of the business.
There are also numerous instances where it makes good financial sense to outsource IT support. New roles are emerging as the sector becomes increasingly specialized. Specialist expertise is also more expensive than ever, and it’s hard to justify hiring an employee whose skills may not be required on a full-time basis.
Moreover, the broad definition of third parties doesn’t just include the individual contractors and consultants who perform specialist work. Software-as-a-service (SaaS) providers are now ubiquitous, covering everything from day-to-day administrative tools (word processors, email, storage servers, etc.) to finance, inventory, and logistics systems.
Organizations trust external vendors with more information and network access than ever before. While there are certainly instances where this is logical, even necessary, the sense that this has become the new status quo can easily breed complacency.
Third-party liability clauses, the management of third-party access permissions, and regular cyber security threat assessments cannot become another box to tick when a new third party is brought on board. These must be reviewed and stress-tested regularly with the express purpose of finding and remediating the weak links associated with those third-party dependencies.
Related risks
- Cyber security and privacy risk exposure
- Fraud
- Quality and/or project management issues
- System outages
Key questions to ask
- How many new third-party contracts has your company set up since 2020?
- Does your organization complete a detailed risk assessment before setting up contracts with third parties? Is risk mitigation accountability identified in the contract?
- Do your business resilience and disaster recovery plans consider the accountabilities of specific third parties? Are these third parties prepared to act on your behalf when needed?
- Do the third parties you depend upon have appropriate response plans in place in the event of a disruption to their organizations? Have these plans been tested?
- What steps have you taken to ensure the operating effectiveness and resiliency of the third party you are relying upon?
- Do you have a customized code of conduct and training for third parties? Does this include cyber security expectations?
Red flags
- Excessive complaints related to third parties
- Whistleblower tips
- System quality and performance issues