Cyber Risks From Third Parties
How do you manage data protection risks when a large portion of the data you originate travels
beyond your control? In PwC’s 22nd Annual Global CEO Survey, chief executives ranked cyber
threats among the top five risks to growth prospects. Businesses experience cybersecurity incidents
every day that can be disruptive and costly and can damage their reputation significantly. Large
companies at the center of vast data ecosystems, however, face a particularly thorny problem:
managing cyber and privacy risks around information that travels to third parties and beyond (Nth
parties).
A TechCrunch report on a breach of 24 million mortgage and bank loan documents provides a useful
case study. A server that wasn’t password-protected exposed 10 years of mortgage documents
containing personally identifiable information (PII) and financial data, revealing names, addresses,
birth dates, Social Security numbers, and other private financial information. The breach was traced
to Ascension, a Texas-based data and analytics firm for the mortgage servicing industry. Ascension,
in turn, blamed its vendor OpticsML, a documentation management start-up in New York, for the data
leak, caused by a configuration error. The internal systems of financial institutions are so far reported
to be unaffected, but investigations are continuing. Several banks were identified in the breach even
though they may not have been the ones that shared data with Ascension. Although this case
involves the financial sector, all major industries use global supply chains and third-party vendors and
therefore also may face risk exposure.
Today, many businesses share data with service providers and subcontractors to improve service
delivery and reduce costs. In the process, data changes ownership multiple times and documentation
containing sensitive and identifiable information travels throughout the ecosystem. In the lending
industry, for example, there is a secondary market where financial organizations will sell existing
loans to other lenders, who, in turn, may again continue to sell to other lenders and so on down the
supply chain. The same scenario applies to lenders that originate the loan but sell the mortgage
servicing right (MSR) to a third party. Regardless of the number of times these loans change hands,
lenders may not redact or sanitize the loan details due to lending industry requirements, leaving
sensitive information intact. Whichever industry you are in, from hospitality to healthcare, you should
consider the risks of your documentation traveling through vast ecosystems, often containing
information directly identifying your business and customers. As TechCrunch’s report shows, third
parties are effectively custodians of the original information, and it’s critical to know what steps they
are taking to safeguard the information further down the value chain.
Breaches of third parties may force your organization to respond to incidents that are outside of its
control or originate from an indirect source. Although you might not have an obligation to respond
under current breach regulations, your organization could still suffer significant reputational damage
as a result of the incident. Further, your customers could be at increased risk from criminals seeking
to exploit a breach regardless of how the incident originated.
PwC: Mapping and managing cyber risks from third parties and beyond 2
Managing risks and preparing your business
Only 42% of medium and large FS institutions say they assessed the security of third-party
outsourcers and only 38% say they began monitoring fourth-party relationships in the last year,
according to key findings from PwC’s Fall 2018 Digital Trust Insights survey. But there are
encouraging signs around increased spending on third-party risk management in financial services, a
leading sector in cybersecurity. Among medium and large FS institutions, 59% say they plan to
increase spending on third-party risk management over the next 12 months, a notable uptick
compared to the last two years. Increased spending is not a silver bullet. Business leaders should
consider the following solutions:
1. Map your data flow: Businesses should prioritize data governance and implement
mechanisms for tracking data easily, in both digital and physical formats, by maintaining data
records from creation to disposal. Enforce discipline through data ownership and
accountability, assigning data custodians, implementing system controls, monitoring, and
enforcing security policies as well as data handling procedures and auditing.
Understanding how and where data could be sold or transferred and having agreements on
how or if the liability shifts in the event this happens are important considerations. In addition,
data mapping (or data inventory) is one of the building blocks for compliance with the
European Union’s General Data Protection Regulation (GDPR). Further, mature data
management can help organizations quickly identify and determine if there is an unauthorized
disclosure of records they own or have sold. This can drastically reduce response times when
the media, customers, and shareholders are demanding status updates.
2. Assess how third parties safeguard data: How do you assess and evaluate thousands of
entities that support your business to see if they have implemented controls to reasonably
safeguard data? It’s a formidable challenge made even more difficult by the mushrooming of
cloud-based services. Many of these new providers and services are not validated against
leading industry standards and may lack the baseline security controls needed to protect the
confidentiality and integrity of the data. Data analytics on large volumes of unstructured data
requires multiple organizations to have unrestricted access to data. This can result in
unknown proliferation of sensitive data stored in insecure locations. In this environment, it is
important to use threat intelligence and continuous monitoring tools to better understand
where your data is going and who is accessing it. Continuous monitoring can help you
identify significant fourth and Nth parties so you can more clearly see your risk exposure.
You should stratify third parties according to risk based on attributes like volume of
transactions, regulated data, and data sensitivity type. Take into consideration the impacts of
evolving data and privacy laws based on where data is being processed. Conduct
assessments and evaluations of these entities and of the security controls they have
implemented to protect the organization’s information or the access they have been granted. To
manage risks related to cloud providers, consider using access controls and whitelisting, testing
the application programming interface (API), and using red-teaming.
Your third-party agreements should address data-protection responsibilities for all parties
involved and clearly detail the risks and consequences of unauthorized disclosure. Should a
third party involve a subcontractor or a fourth party, then the agreement should address the
expected requirements for authorizing that vendor’s access to sensitive information.
3. Use leading practices and industry standards: It might be helpful to use cybersecurity
assessment and ratings services to create risk profiles for third parties. Cyber threat
intelligence reports provide benchmarked data across third parties compared to industry
leading practices -- and this information could be the basis for creating the risk profiles.
In addition, companies can work together to set standards that all entities in the value chain
abide by when exchanging or selling records containing sensitive customer information. For
example, the Payment Card Industry Data Security Standard (PCI DSS) provides a
compliance framework for all companies that accept, process, store or transmit credit card
information. PCI DSS is not a regulatory standard but rather an enforceable commercial
standard, setting the bar for information security practices across an entire industry.
4. Create and stress test a cyber incident playbook: Your cyber incident response plan
should be consistent with other plans for dealing with threats to business operations. Its
components include training the broader company, conducting advance planning and
rehearsal, and assigning accountability for communicating with media and stakeholders. You
should stress test the plan with realistic scenarios. Implementing a transparent, interactive
customer portal for sharing knowledge and a hotline to answer questions can also go a long
way toward mitigating the fallout of a data breach.
The proliferation of cloud and analytics providers who might have data about your customers without
your knowledge or oversight is increasing your risk exposure. In the event of a data breach involving
third or fourth parties, the key steps we have discussed here can help you quickly answer
fundamental questions: Is this our data? Where does it exist? Who did we sell it to? You can’t prevent
all breaches involving your customers’ data. But you can do a lot more to provide clarity,
transparency, and reassurance in a difficult situation.
For further information, contact:
Contributors:
Stephanie Hardt, Josh Moses, Ben McKee,
Aditya Krishnan, Chris Freda, Ayush Barot,
Jackie Studdert
© 2019 PwC. All rights reserved. PwC refers to the US member firm or one of its subsidiaries or affiliates, and may sometimes
refer to the PwC network. Each member firm is a separate legal entity. Please see www.pwc.com/structure for further details.
This content is for general information purposes only, and should not be used as a substitute for consultation with professional
advisors.