Sponsored content is premium paid-for content produced by the Irish Times Content Studio on behalf of commercial clients. The Irish Times newsroom or other editorial departments are not involved in the production of sponsored content.

Cyber risk is never someone else’s problem

Mazars director Alex Burnham says shifting IT operations to an outsourcing partner does not mean responsibility for managing cyber risk transfers with it

Rising costs and skills shortages are forcing a growing number of organisations to outsource their ICT services to third party service providers.

While this makes very good sense in the majority of cases, it can lead to problems when it comes to cyber risk management, according to Mazars director Alex Burnham.

Those problems arise because shifting responsibility for IT operations to an outsourcing partner does not mean that responsibility for managing cyber risk transfers with it.

“Cyber risk is in the top five risks for organisations around the world at present,” says Burnham. “And all the evidence points to an increase in sophisticated cyberattacks globally.”

He points to a recent Mazars global study which revealed that more than half of C-suite leaders (54 per cent) think cyber threats have increased over the previous year. Over a third (36 per cent) say a significant breach is likely in their own company this year.

And the implications of a cyberattack can be far-reaching in terms of reputational damage, financial costs, legal consequences, and regulatory fines.

That means organisations need to maintain close oversight of their outsourced ICT service providers and ensure that that they are providing the correct level of cyber protection. Furthermore, the external service provider may well be the vector for the breach.

“Reports indicate an increase in data breaches and cyberattacks impacting organisations because of weak controls and exploitation of vulnerabilities that exist within outsourced service providers,” Burnham notes.

“In fact, there is a school of thought that outsourced third parties and the services that they provide are now being targeted.”

While it may seem natural that a service provider contracted to provide ICT services would take care of cybersecurity, this should never be taken for granted. Burnham advises this needs to be specified in contracts and service level agreements with the third-party providers.

“You sometimes hear companies say that their outsourcing provider provides cyber security services for them, and the outsourcing providers say they are doing it on a best-efforts basis but that they are not contracted to do it,” he said.

“The chances are that they are not providing it if they aren’t being paid for it. Most third-party providers deliver a very good service, but they deliver in line with what they are asked for and what they are paid for. There are no freebies in this world. And you do tend to find gaps in the level of cyber security protection provided.

“There can be an expectation that things are covered where they are not. Companies have to ask who is responsible for cyber security management and incident response within their organisation and if the level of security services are ensuring the services, monitoring, reporting, disaster recovery, cyber incident management and periodic testing requirements are clearly defined in contracts and or service level agreement?”

That’s just part of the story, however, companies then have to ensure that the third-party provider has the capabilities to meet the terms of the contract and that they continue to do so.

This means carrying out due diligence to ensure the service provider can adequately service the specified requirements prior to engaging in contracts.

“Industry standard certifications may not be enough, and organisations should ensure that the scope of any certification includes all the services they require,” Burnham adds.

Organisations must ensure they have identified the full supply chain ensuring that any subcontractors operate within defined security requirements .

“Outsourcing is a good choice for many companies, but without a strong third-party risk management process and continued oversight monitoring it can go wrong,” Burnham advises.

Those management and oversight processes require companies to retain some IT and cyber expertise internally.

“Organisations need to maintain the ability to understand and challenge how their third parties are operating to gain an adequate level of assurance,” he continues.

Of course, not all companies have the resources to maintain internal IT capability at the same time as paying a third-party provider.

“What we are seeing more of now is organisations hiring independent cybersecurity advisers,” says Burnham.

“They can look after the cyber risk management piece and monitor and challenge the providers. They can be hired on a part-time basis, maybe two or three days a month. They can also act as advisers to senior management.

“Having this service available on a drawdown basis makes a lot of sense. Some companies are also retaining external resources to support them when they need to respond to a cyber incident.”

While expertise and services can be bought in, ultimate responsibility still rests with the organisation, Burnham stresses.

“Companies need to be able to demonstrate that they have a framework in place for managing third party risks. If there is an incident, failure to have one could result in severe regulatory sanctions.”