As the cyber threat landscape continues to evolve and regulatory initiatives such as the revised Network and Information Security Directive (NIS-2) and the Digital Operational Resilience Act (DORA) gain prominence, organisations are compelled to evaluate and monitor third-party cybersecurity risks more diligently than ever before. This can result in a massive compliance workload, with organisations constantly exchanging due diligence assessments and creating inefficiencies and bottlenecks for risk and compliance teams. Moreover, it is not just the security teams that need to conduct due diligence activities; other teams within the organisation must also get to work. New European legislation on Environmental, Social, and Governance (ESG) matters and on compliance means that sustainability, risk, and compliance teams will also have to take their supply chain due diligence obligations more seriously. How can we best address this problem?
Delving deeper into cyber due diligence
Before we dive into potential solutions, let's first take a closer look at some of the requirements laid down in regulation. NIS-2 expects organisations to proactively manage the ICT risks posed by third parties, which includes performing due diligence in the pre-contract stage as well as ongoing monitoring during the entire contract life cycle. According to NIS-2, organisations need to assess and take into account the overall quality of products and cybersecurity practices of their suppliers and service providers (recital 43), exercise increased diligence in selecting managed security services providers (recital 44), address cybersecurity risks stemming from their interactions and relationships with other stakeholders in a broader ecosystem (recital 45), and carry out and participate in coordinated sectoral supply chain risk assessments (recital 46). The recital numbers follow the Commission's NIS-2 proposal; in the adopted directive the binding obligations sit in Article 21(2)(d) on supply chain security and Article 22 on coordinated security risk assessments of critical supply chains. These requirements are currently being transposed into, and further specified by, national legislation.
On the need for a European supplier network
In our view, the solution to the growing challenge of third-party cyber due diligence consists of four interconnected elements. Firstly, standardisation across industries and risk disciplines is needed, for example in the indicators and questionnaires used to assess third parties. Secondly, a network comparable to LinkedIn should be created where organisations can store and share their due diligence information, not just about cybersecurity but also about emerging risk domains such as ESG, compliance and continuity, in a safe and privacy-friendly manner. This approach can greatly reduce the need to send questionnaires back and forth. Thirdly, organisations need to establish a uniform due diligence process that enables better collaboration between internal risk teams and thereby limits the number of information requests sent to third parties. This should also enable integrated decision-making about doing business with those third parties. Fourthly, we believe it is key that internal control and third-party risk management converge, allowing organisations to pass on evidence about automatically tested controls to their broader ecosystem in a direct and efficient manner.
Building community for sharing NIS-2 related best practices
At 3rdRisk, we believe that, next to technology, building communities is key to consolidating knowledge and connecting experts with one another. Therefore, to accelerate standardisation and gain insight into the prerequisites for building a global supplier network, we intend to set up a European community around NIS-2. This community, which is open to both public and private organisations, aims to exchange good practices so that NIS-2 and other due diligence obligations can be implemented intelligently. In this community, we want to explore how organisations can improve their internal governance processes to enable integrated decision-making about third-party risks, investigate how to create NIS-2 compliant standardised questionnaires, and discuss how to use technology to build a supplier network. The community will kick off before the end of October with a virtual meeting. Do you want to join the community? Join the movement and send an e-mail to firstname.lastname@example.org.