From CompliNEWS | Financial Service Intelligence Watch

Third-party risk tops the compliance watchlist

By Richard Rattue, Managing Director of Compli-Serve SA

In the local spotlight, third-party risk is on the rise, notably and recently demonstrated by TransUnion South Africa falling victim to a criminal cyber hacking group, with ransom allegedly set to the tune of R225 million. While details are unfolding on just how bad the data breach is – potentially revealing personal details on 54 million South Africans – the reality is clear that third-party risk is real and any business that operates online (so every business) needs to act accordingly.

Too often, just one small mistake like compromised client login details or one employee forgetting to exercise caution with sensitive information can lead to an easy way in for criminals, and difficult consequences. The risk of phishing attacks has increased exponentially in South Africa leading to increased data breach incidences. While TransUnion is just one local example, cyber-attacks are a global problem as data has become among the most valuable of commodities.

Risk goes global

Further afield, a survey comprising of UK- and US-based compliance and IT risk management professionals working in the technology sector, echoes that third-party risk is truly a global concern. Hyperproof’s 2022 IT Compliance Benchmark Report shows a staggering 90% of respondents had dealt with a third-party issue in the last year. The data was gathered in December 2021 and released in the beginning of March 2022.

Greater awareness of third-party risk is another trend, with 50% of survey respondents reporting an increase in their third-party risk management budget and enhancing their third-party risk management programs. This indicates increased concern about the risks relating to IT operations in business, and with so many of us working primarily online, there are many opportunities for a breach, without the correct compliance controls in place. For example, security measures or data clearance levels must be prioritised.

Some 63% of respondents suffered a cyber breach in the last 24 months that either disclosed regulated data or revealed personal details of clients. TransUnion SA can unfortunately relate to this difficult scenario, proving that any company can be at risk if proper precaution isn’t taken. An integrated approach to IT risk management resulted in fewer cybersecurity concerns, according to the Hyperproof survey, and can be a good step forward for any business to consider.

A cyber strategy should be central to your business

This strategy should comprise safe practice guidelines within your business and should become an essential component of your defence plan against third-party and other IT-related risks. It should be embedded within company culture to always protect the business, and that no longer only includes physical safety measures, a good business plan and sound employees. A robust cyber strategy is an essential tool.

Following the TransUnion data breach, warnings have been issued against sharing pins or passwords with anyone. This should always apply, but safely storing passwords and not saying them out loud near your computer are important steps to take. You should update passwords regularly too. Be aware and act with caution as you scroll through your emails or messages on any device you might use – don’t just click on anything without truly vetting it. This principle should apply on personal and work devices – sometimes these become interchangeable, which can enhance risks.

Big businesses with many clients, or those in lucrative fields might seem like more obvious targets, and while they can be, it’s often through an individual, or smaller businesses that bigger cyber issues can rapidly unfold. A cyber resilience strategy is appropriate for any size business and should be an ongoing compliance check point.