Use Case

A publicly traded lending company sought to enhance and mature its cybersecurity third-party risk management (TPRM) framework and program amid rapid growth.

Part of this growth involved a soaring volume of new third parties, nearly all of which intended to host sensitive data and/or perform critical services.

CrossCountry Consulting was engaged to enhance and optimize current-state program maturity, cyber and privacy risk management, and best practices for third- and fourth-party due diligence.

Our Approach

CrossCountry’s third-party risk experts started with an assessment of the client’s current-state cybersecurity TPRM program relative to leading practices and relevant regulations. The team placed an emphasis on cyber and privacy risks and collaboration with cross-functional teams (i.e., Contracts, Enterprise Risk, Legal, Procurement, etc.), including:

  • Interviewing key stakeholders across the enterprise to level set on a comprehensive approach to third-party risk.
  • Reviewing existing third-party documentation and how it should be adapted to better assess and manage cyber and privacy risks.
  • Performing a sample of third-party assessments under the “current state.”
  • Gaining access to existing technology tools supporting the third-party program to understand their capabilities.
  • Identifying program gaps and presenting high-level thematic observations and recommendations.
  • Building and gaining consensus on framework and risk tiers for third parties and third-party engagements.

This approach enabled our client to gain greater insight into managing cyber and privacy risks, particularly around the flow of information to third parties and beyond.

Our Impact

CrossCountry collaborated closely with client-side stakeholders to build consensus around a new framework for third-party risk management. This included enhancing third-party risk tiers across the business, which fostered a risk-based approach to:

  • Due diligence.
  • Point in time and continuous monitoring.
  • Fourth-party considerations.
  • Issue tracking and remediation.
  • Offboarding.

This effort resulted in the following benefits:

  • Matured the third-party risk management program through increased focus on cybersecurity risk.
  • Eliminated silos and fostered cross-functional team alignment.
  • Considered impact of other risks (e.g., availability, fraud, location, reputational, regulatory, vendor lock-in).
  • Optimized existing third-party tool usage to reduce management by spreadsheets.
  • Aligned processes with best practices, CIS Top 18, and key regulations (e.g., NYDFS, SOX, and GLBA).