Cybersecurity is one of the most critical challenges facing the information technology sector today. As the world becomes increasingly interconnected, the threats to digital infrastructures continue to evolve and grow in complexity. Cyberattacks are no longer confined to specific countries or industries; they have become a global problem that affects everyone. Cross-border threats now represent some of the most significant risks to enterprises and individuals worldwide. IT security and risk management professionals must therefore make cybersecurity a top concern within their organizations: stay current on the latest threats and best practices for protecting sensitive information, and advise management on strategies for managing risk effectively.
Web of Third-Party Services
Given the cross-border nature of the cybersecurity landscape, no single country can effectively manage risk and mitigate the potential economic harm caused by cyberattacks. Because the world is increasingly interconnected and interdependent, global challenges such as cybersecurity, climate change and economic stability transcend national borders, necessitating unified action. Achieving unity of purpose was the goal of the G7 summit held in Hiroshima, Japan, in May 2023. The summit provided leaders with a platform to foster dialogue, exchange ideas, and forge consensus on pressing issues that impact the well-being and security of nations worldwide.1 With shared concerns and interests, the assembly underscored the need for cooperation, mutual understanding, and joint efforts to tackle complex problems that no single nation can combat effectively alone.
G7 participants recognized the importance of secure, resilient, competitive, transparent, sustainable and diverse digital infrastructure supply chains, as outlined in the 2023 “G7 Digital and Tech Ministers' Ministerial Declaration” preceding the summit.2 The G7 finance ministers and central bank governors also expressed deep concern about the finance and banking industries' ability to cope with cybersecurity challenges on a global scale, given their heavy reliance on information and communications technology (ICT) providers to deliver services.
To address those challenges, the G7 Cyber Expert Group (CEG) was established in 2015 to advise G7 ministers and central bank governors on cybersecurity issues. Since its inception, the CEG has published a series of guidance documents and proposed action plans, bringing together the public and private sectors to tackle cybersecurity challenges. One significant concern the CEG recently highlighted was the proliferation of third-party service providers and the unforeseen cybersecurity risk arising from related strategies and practices.
Imagine a financial institution, Alpha, attempting to launch a service supported by a new application (figure 1). The development team at Alpha might use the hardware resources provided by cloud Platform as a Service (PaaS) provider Beta, which procures hardware and software from enterprise Gamma. Gamma uses a software development kit (SDK) compiled by enterprise Delta, which, in turn, utilizes open-source software developed by an unknown author, Omega.
This web of interconnected third parties can continue to expand, and a cyberincident affecting any part of this network can have unexpected but catastrophic consequences for the original entity, Alpha. A cyberincident in this web of third parties not only harms the original institution, but also has the potential to disrupt an entire country's financial sector.
Recognizing this risk, the G7 CEG issued the G7 Fundamental Elements of Cybersecurity for the Financial Sector in 2016, urging financial institutions to incorporate the fundamental elements the CEG identified into their risk profiles so as to better understand and manage their cybersecurity risk programs.3 The group has since published several follow-up guidelines,4 including the 2018 G7 Fundamental Elements for Third Party Cyber Risk Management in the Financial Sector, which addresses the management of cybersecurity risk related to the use of third-party services.5 In late 2022, the CEG issued an updated version of that document,6 which addresses the ever-expanding threat landscape and the interconnected nature of today's global markets.
The G7 Fundamental Elements
The 2022 G7 Fundamental Elements for Third Party Cyber Risk Management in the Financial Sector emphasizes the complexities of engaging with third-party service providers and aims to increase awareness that elements of cyberrisk extend beyond an entity's immediate control. The document outlines seven fundamental elements: those that apply within an entity, covering the third-party risk management life cycle, and those that apply across the sector and other sectors, covering systemwide monitoring of third-party cyberrisk and cross-sector coordination.
The first four fundamental elements provide guidance on implementing third-party cyberrisk management programs and cover governance, identification of the criticality of third-party services, incident response, and contingency planning. These elements also highlight the importance of considering third-party resilience, including continuous assessment and monitoring of cyberrisk introduced by third parties and structuring contracts to include exit strategies for contingencies to ensure business continuity. Contracts should incorporate provisions related to cyberrisk management, subcontracting, reporting obligations and cyberresilience programs. For example, when an entity plans to rely on an external party to develop a chatbot app to support its customer services, the request for proposal typically includes the project objectives, scope, requirements, deliverables and predetermined timeframe. However, legal obligations and regulatory requirements should also be addressed to enable the assessment of cyberrisk arising from such third-party relationships. If the chatbot app accesses customer or other sensitive data, the entity must prioritize the effective management of cyberrisk associated with the third-party relationship, ensuring that strategies, policies and risk tolerance levels are well-defined and align with the entity’s overall risk profile. Proactive measures, including risk assessments, contracts, monitoring, incident response plans and contingency planning, are essential for protecting against cyberthreats resulting from third parties and for maintaining business continuity.
The focus of the second group of fundamental elements is on systemwide management, which necessitates regulation and industry collaboration to address risk. These fundamental elements illustrate the need to address concentration risk, which is the risk that arises when a few common cloud computing providers are used by many entities across industries. Authorities are encouraged to assess and assist in managing concentration risk. Given the deep interconnection between the financial sector and other industries, managing third-party cyberrisk extends beyond the sector itself. Effective industrywide cyberrisk management in relation to third parties requires entities and authorities to collaborate with counterparts in other sectors and jurisdictions.
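The Alpha-to-Omega chain described earlier and the concentration risk discussed above are two views of the same dependency graph: walking it upstream shows an institution its nth-party exposure, walking it downstream from a provider shows the blast radius of an incident there, and counting how many institutions reach the same provider exposes concentration. The following Python script is an added example, not code from the article or the G7 documents. The graph it walks is constructed for illustration: the entities Bravo, Charlie and Epsilon and every edge are assumptions, and the script generalizes beyond the single chain in the article by analysing several institutions at once.

```python
"""Transitive third-party dependency analysis (added example).

The dependency graph below is constructed for illustration. The entities
Bravo, Charlie and Epsilon and all edges are assumptions, not data from the
article or the G7 Fundamental Elements.
"""
from collections import deque

# Edge direction: dependent -> providers it relies on directly.
DEPENDENCIES = {
    "Alpha": ["Beta"],            # institution runs its app on cloud platform Beta
    "Bravo": ["Beta", "Epsilon"],  # constructed: a second institution
    "Charlie": ["Beta"],           # constructed: a third institution
    "Beta": ["Gamma"],             # Beta procures hardware/software from Gamma
    "Gamma": ["Delta"],            # Gamma builds on an SDK compiled by Delta
    "Delta": ["Omega"],            # Delta's SDK bundles open-source code by Omega
    "Epsilon": ["Omega"],          # constructed: an unrelated vendor also on Omega
    "Omega": [],
}

FINANCIAL_INSTITUTIONS = {"Alpha", "Bravo", "Charlie"}


def _reach(start, adjacency):
    """Breadth-first reachability; the seen set also guards against cycles."""
    seen, queue = set(), deque([start])
    while queue:
        for nxt in adjacency.get(queue.popleft(), ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def upstream(entity, deps=DEPENDENCIES):
    """Every provider the entity transitively relies on (its nth-party exposure)."""
    return _reach(entity, deps)


def dependents(deps=DEPENDENCIES):
    """Reverse the graph: provider -> set of entities that depend on it directly."""
    rev = {}
    for entity, providers in deps.items():
        for provider in providers:
            rev.setdefault(provider, set()).add(entity)
    return rev


def blast_radius(provider, deps=DEPENDENCIES):
    """Every entity, at any distance, affected by an incident at the provider."""
    return _reach(provider, dependents(deps))


def affected_institutions(provider, deps=DEPENDENCIES, institutions=FINANCIAL_INSTITUTIONS):
    """Sorted list of financial institutions inside the provider's blast radius."""
    return sorted(blast_radius(provider, deps) & institutions)


def concentration(deps=DEPENDENCIES, institutions=FINANCIAL_INSTITUTIONS):
    """provider -> number of institutions that transitively rely on it.

    A provider reached by most institutions is a concentration risk even if
    no institution contracts with it directly (here Omega, four hops away).
    """
    counts = {}
    for inst in institutions:
        for provider in upstream(inst, deps):
            counts[provider] = counts.get(provider, 0) + 1
    return dict(sorted(counts.items(), key=lambda kv: (-kv[1], kv[0])))


if __name__ == "__main__":
    print("Alpha relies on:", sorted(upstream("Alpha")))
    print("Incident at Omega reaches:", affected_institutions("Omega"))
    for provider, n in concentration().items():
        print(f"{provider:8} relied on by {n} of {len(FINANCIAL_INSTITUTIONS)} institutions")
```

Running the script shows that an incident at Omega, an author no institution has a contract with, reaches all three institutions, and that Beta, Gamma, Delta and Omega each score the maximum concentration value. Feeding the same functions a real inventory (for example, SBOM data or a vendor register) is what turns the article's "criticality of third-party services" and "concentration risk" into numbers that a risk committee can act on.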
Extending Collaboration and Information Sharing
A key takeaway from the 2023 G7 meetings on cybersecurity is the imperative for extending collaboration beyond national borders and the importance of sharing information. Transparency and information sharing play critical roles in successful cyberrisk management across all seven fundamental elements. Figure 2 summarizes the role of communication and information sharing for each element.
The Role of Digital Trust Professionals in Cyberrisk Management
The increasing diversification of third-party services within and beyond the ICT industry enables organizations to innovate in their core businesses, but it also presents significant cybersecurity challenges. As trusted advisors to their organizations, digital trust professionals must educate themselves about cybersecurity, both in general terms and with respect to the complications that arise from using third-party services in the high-stakes cyber landscape. The World Economic Forum Digital Trust Framework is a decision-making guide for organizations to use when deploying digital services. The accountability and oversight dimension is particularly relevant in considering the business scenario of using third-party providers, as the process owner is easily overlooked when a process is handled by external third-party providers. By gaining an understanding of the latest cybersecurity management programs, best practices and regulatory requirements, IT professionals can proactively identify vulnerabilities in their organizations’ systems and processes, recommend appropriate controls and safeguards, and help develop robust incident response plans. By staying informed and knowledgeable about cybersecurity, digital trust professionals can play a vital role in safeguarding their organizations’ assets, maintaining trust, and, ultimately, assisting in achieving their overall business goals in an increasingly digital and interconnected world.
Author’s Note
The author appreciates and recognizes the financial support provided by Fulbright Japan in completion of this article.
Endnotes
1 G7 2023 Hiroshima Summit, “Prime Minister’s Message,” http://www.g7hiroshima.go.jp/summit/message/
2 Digital and Tech Ministers of the G7, “Ministerial Declaration,” G7 2023 Hiroshima Summit, 30 April 2023, http://www.meti.go.jp/press/2023/04/20230430001/20230430001-summary.pdf
3 UK HM Treasury, “The G7 Fundamental Elements of Cybersecurity for the Financial Sector,” UK, 11 October 2016, http://www.gov.uk/government/publications/g7-fundamental-elements-for-cyber-security
4 UK HM Treasury, “G7 Cyber Expert Group: Fundamental Elements Series,” 3 February 2023, http://www.gov.uk/government/collections/g7-cyber-expert-group-fundamental-elements-series
5 UK HM Treasury, “G7 Fundamental Elements for Third Party Cyber Risk Management in the Financial Sector 24.10.2018,” 3 February 2023, http://www.gov.uk/government/publications/g7-fundamental-elements-for-third-party-cyber-risk-management-in-the-financial-sector-24102018
6 US Department of the Treasury, “G7 Cyber Expert Group,” http://home.treasury.gov/policy-issues/international/g-7-and-g-20/g7-cyber-expert-group
JACOB PENG | PH.D., CISA
Is the Richard J. Harshman Professor of Accounting at Robert Morris University (Pittsburgh, Pennsylvania, USA). He is also a 2023 Fulbright Scholar studying cybersecurity disclosures in Japan. Peng has published articles in various academic and practitioner journals, including the ISACA Journal. He can be reached at peng@rmu.edu.