Third-Party Risk Management – Evaluating Cyber Risk Posed by IT and Managed Service Providers

Author: Jennifer Walker

Created: Tuesday, December 13, 2022 - 19:15

Categories: Cybersecurity, Security Preparedness

Despite AWIA Section 2013 and/or cyber insurance requirements, do you still struggle with risk management? Even more so with your third-party relationships (vendors, contractors, consultants, and integrators)? As organizations struggle to assess risk across their own organizational attack surface, it’s often more challenging to assess the cyber risk posed by, and the preparedness of, third-party partners (new and existing). Many aren’t sure where to start or even what questions to ask of these trusted partners, perhaps even more so with technology services partners. Yet with many water and wastewater utilities outsourcing IT services and with cyber threat actors specifically targeting IT and managed services providers (MSPs), this is one of the most crucial third-party relationships to evaluate.

WaterISAC’s 15 Cybersecurity Fundamentals for Water and Wastewater Utilities #13 – Secure the Supply Chain discusses how third-party relationships must be assessed and better managed for the risks they pose to the overall risk profile of an organization. Furthermore, a recent post by Tenable, How To Assess the Cybersecurity Preparedness of IT Service Providers and MSPs, shares a valuable resource guide by CompTIA to help you ask the right questions. Whether you’re looking for a new IT provider or assessing an existing relationship, the CompTIA guide provides 18 pages of specific questions (not just suggested ideas) to ask MSPs covering core cybersecurity tenets, including:

  • Frameworks and compliance
  • Policies
  • Privilege account management
  • Systems management
  • Incident response
  • Patch and vulnerability management
  • Detection and prevention

Side note: Remember that an MSP contract doesn’t inherently cover cybersecurity. If explicit services are not spelled out in the contract, the MSP has no obligation to provide cybersecurity. Similar to cyber insurance policies, it’s important to know what is and what is not under contractual obligation.

Additional Resources on MSP Risk Management

  • Joint Cybersecurity Advisory – Protecting Against Cyber Threats to Managed Service Providers and their Customers
  • CISA Insights on Risk Considerations for Managed Service Provider Customers
  • Key Practices in Cyber Supply Chain Risk Management: Observations from Industry (NIST)
