Mitigating Supply Chain Risks: Insights From The Change Healthcare Breach

Third-party risk management has been a hot topic ever since the high-profile SolarWinds incident brought it to the forefront of cybersecurity discussions, serving as a reminder that MSPs and MSSPs take on a massive responsibility when delivering cybersecurity services. A recent MSP Success reader survey found that MSPs identify a supply chain attack as a threat to their business. And rightly so. The SolarWinds breach was a supply chain attack; the perpetrators knew they could reach hundreds or thousands of companies by compromising a single IT supplier.

Most recently, UnitedHealth Group’s Change Healthcare breach has put a spotlight on the financial impacts of a third-party security incident. Any security incident involving a third party can have significant financial repercussions, even if the breach itself does not directly affect an organization’s systems or data.

For MSPs, it’s imperative to adopt a proactive approach to third-party risk management. That way, MSPs and their clients can stay aligned on their risk tolerances and manage them jointly.

The Impact To The Bottom Line

Traditionally, most third-party risk programs have focused primarily on the potential impacts of a confidentiality breach. This typically involves scenarios where a third party holding sensitive data is compromised, or where malicious code introduced into the third party's systems ends up infecting the organization's own environment with malware. However, the UnitedHealth breach shows why concentrating solely on confidentiality risks is a limited approach.

Confidentiality breaches can certainly lead to reputational damage and regulatory fines. Indeed, the U.S. government announced in mid-March that it had opened an investigation into the cyberattack to determine whether there was a breach of protected health data and if the company followed U.S. health privacy law (HIPAA). However, these types of breaches may not always directly translate into immediate financial losses for the affected organization.

In contrast, financial impacts such as operational disruptions, loss of revenue, legal fees, and damage to customer trust can have a more immediate and tangible effect on the bottom line—for MSPs’ customers and maybe even their own businesses.

In the case of UnitedHealth, the breach resulted in a temporary suspension of its claims platform, affecting the ability of healthcare providers and patients to access essential information. Beyond the immediate impact of losing the claims platform, the ongoing financial implications of being unable to bill insurance are crippling for the healthcare industry. Some clinics were impacted to the degree that they weren't able to make payroll.

The UnitedHealth breach brings to the forefront the cascading effect of third-party breaches across interconnected ecosystems. Even if your organization’s systems remain uncompromised, disruptions or compromises in third-party services or suppliers can have ripple effects throughout the supply chain. This interconnectedness underscores the need for a comprehensive approach to third-party risk management that goes beyond confidentiality concerns to encompass operational resilience and financial risk mitigation.

MSPs Should Not Assess Risk In A Bubble

Risk can be expensive to manage, but allocating resources to assess and mitigate potential threats is an investment in safeguarding both financial stability and reputation. As MSPs consider new vendors for a client's environment, those vendors need to be categorized based on how critical they are to the client's business operations. Many service providers make the mistake of doing this risk assessment in a bubble. Involving clients in the risk assessment process, however, ensures alignment between the MSP and the client's needs. This fosters a proactive approach to security and enhances overall resilience against potential breaches.

By bringing clients into the conversation, MSPs will be able to accomplish two things.

First, they will be able to gauge the client's risk appetite and better understand which risks are most critical to them. Some clients may have a high tolerance for business disruptions while others will not. It's critical that MSPs manage risk to their clients' tolerance, not their own.

Second, it sets the precedent that the MSP does not solely own the risk. It is jointly owned. In the event of a third-party security event, the client has already been involved with the risk discussions and has accepted the residual risk associated with their business decisions.

The far-reaching consequences of third-party security incidents underscore the urgency of prioritizing financial risk mitigation alongside traditional confidentiality concerns. In doing so, MSPs will not only enhance their resilience but also contribute to the broader ecosystem’s collective efforts to fortify against evolving cyberthreats.

Chris Henderson runs threat operations and internal security at Huntress. He has been securing MSPs and their clients for over 10 years through various roles in software quality assurance, business intelligence, and information security.
