By Gabriella Halasz-Clarke, VP, Governance Solutions, Nasdaq
A recent study by SecurityScorecard found that 98% of companies utilize third-party vendors that have experienced a cyber breach in the last two years. From increasing efficiency to decreasing costs, there is much benefit in using third-party resources – but with these advantages comes risk.
While third-party risk is nothing new for most companies, it has been in the limelight in recent years. Covid and geopolitical issues accentuated the importance of a resilient and diverse supply chain. The increase in data breaches and cybercrime is showing businesses and leaders how essential it is to ensure that every part of a business is resilient.
Companies that fall within the information services sector use, on average, 25 vendors, while companies in the finance sector utilize 6.5 on average, SecurityScorecard reported. With each third party that the company chooses to engage with, it takes on a new set of risks – including but not limited to cybersecurity risks, regulatory and compliance risks, operational risks, reputational risks and financial risks.
Boards, specifically audit and risk committees, play a crucial role in ensuring the companies they oversee are performing the due diligence necessary to assess any risks that third parties pose to the company and its operations. There is no one-size-fits-all for what a board’s composition should look like, but in an interconnected world where transformative technologies are emerging at an accelerated pace, boards need access to timely and relevant insights on artificial intelligence, cybersecurity, data privacy and data governance to ensure the company is prepared to manage any potential risks.
When looking at best practices, boards and management should work together to ensure:
- Risk guidelines are clear: A board has a responsibility to clearly establish the company’s risk tolerance. If the risk tolerance is explicit and straightforward, management will be able to better decipher what risk factors fall within the company’s risk tolerance and which factors must be escalated to the board. In assessing a company’s risk threshold, it is important to look beyond regulatory requirements and consider stakeholders’ expectations. Additionally, performing regular benchmark exercises is a great way to see how the company compares to main competitors in the industry
- Comprehensive tabletop scenario trainings are in place: Tabletop scenarios help boards prepare for potential challenges that may come their way. Having a defined strategy for how the board would react if an issue was to arise is helpful, but simulating the experience to ensure the board knows exactly how it should behave if the situation were to occur is much more beneficial. Boards can utilize tabletop scenarios to test a range of scenarios: from whether directors know what to do if a major obstacle prevents a third-party supplier from being able to deliver, to a security breach that completely halts business.
- There is a strong director education program: Boards should be educated through both an extensive onboarding and orientation process, as well as through annual training to ensure that new directors are aware of the risk register, as well as all 10-K risks. The board should also be periodically updated as to where the company’s risk register has increased or decreased and what remediation plans are in place.
- Open communication: There must be an open line of communication between the board and management. The board should feel confident that management is transparent and surfacing all the risks that they should be made aware of, while management should feel confident that the board is asking probing questions for the better of the company. A cooperative, collaborative and trusting relationship is key to an effective board.
- Thorough whistleblower programs are established: Whistleblower programs are vital to running an organization that is based on accountability and transparency. Establishing a hotline in which employees can anonymously call to report issues enables employees throughout the company to be able to speak out immediately about a potential issue they see. Employees must know that they are free to come forward without fear of retribution or retaliation. If an issue is raised through the hotline, the issue must be investigated and resolved.
Overall, it is important to evaluate the third parties that enable companies to flourish while also looking at the risks they pose to companies. Overreliance on a certain third-party provider can be very dangerous. Management and the board should constantly be evaluating the factors that could impact the third party’s operations and asking themselves:
- What would happen if this third party went out of business?
- What would happen if this third party experienced a data breach?
- What would happen if this third party was at the center of a huge scandal?
- What would happen if a geopolitical issue arose where this third-party is located and prevented it from being able to conduct business?
- What would happen if this third party’s suppliers were unable to operate?
- Are we looking closely at who we are doing business with and what data the third party has access to?
- Are we inadvertently creating incentives or deprioritizing a focus on third party controls?
When reflecting on the answers to these questions, consider if/how the scenario would impact operations, what the company would do in the situation and how the board and management could work together to mitigate these risks.
If any of these scenarios makes the board wonder if business would be able to continue functioning, that is a clear indicator that the board is not properly prepared.
It is important to treat third parties as an extension of your own company. Third parties have the power to help rapidly grow your company, but the board and management should work to ensure they do not have the power to take down the company as well.
For more leadership insights and educational resources, join the Nasdaq Center for Board Excellence—a convener of board and executive leaders dedicated to strengthening corporate governance in the boardroom and beyond. Join our community.
The views and opinions expressed herein are the views and opinions of the authors and do not necessarily reflect those of Nasdaq, Inc.
Nasdaq Center for Board Excellence
A community dedicated to strengthening corporate leadership