Growing fines to change the face of Third Party Risk Management?
In the past couple of years, cybersecurity has been the #1 priority for plenty of companies, in light of skyrocketing cybercrime rates. Unfortunately, plenty of business owners and managers have downplayed the operational risks posed by cyberattacks — to their detriment and the detriment of their businesses.
However, regulators have started taking note of the paradigm shift in cybersecurity — and they’ve visibly decided to use their authority to steer companies towards adopting adequate risk management systems that can offset substantial cybersecurity risks.
We’re witnessing increased regulatory scrutiny right now, with unprecedented cases like Aerojet Rocketdyne — but while this is among the first cases of a company being fined so heavily due to a lack of proper cybersecurity measures, it definitely won’t be the last. In the coming months and years, companies will likely face a more proactive regulatory stance regarding cybersecurity, along with inevitable sanctions and monetary penalties.
The interconnected and online-first nature of today’s business world is slowly putting TPRM (third-party risk management) front and center. Companies will soon have to ensure decent risk management systems that provide enough cybersecurity and comprehensive protection. And they’ll also have to stick to a regular update and upgrade schedule to ensure the system’s effectiveness.
While this will also apply to in-house solutions, in practice, most companies will opt for third-party solutions like Rescana — which they’ll need to maintain their business integrity and compliance with new regulations.
What is Aerojet Rocketdyne?
While all companies need to be careful about maintaining a necessary level of cybersecurity to mitigate third-party risk, that’s especially important for businesses in specific industries whose products have both commercial and defense applications.
This makes the case of Aerojet Rocketdyne even more worrying — the company is one of America’s oldest manufacturers of electric, hypersonic, and rocket propulsion systems. Its engines have found broad commercial, civil, military, and space applications. And while its current form has existed since Aerojet’s 2013 merger with Pratt & Whitney Rocketdyne, Aerojet itself has been a vital US manufacturer since WWII.
Their more recent troubles with government authorities aren’t their first — Lockheed Martin was all but ready to acquire Aerojet Rocketdyne right before the start of the pandemic. However, it had to abandon the transaction after the FTC blocked the acquisition due to complaints from competitors like Raytheon.
Why Did Aerojet Rocketdyne Get Fined?
At the start of July 2022, Aerojet Rocketdyne agreed to a hefty $9 million fine that resolved recent allegations of their violation of the False Claims Act.
Namely, the company allegedly misrepresented its level of compliance with the cybersecurity requirements set out in some of the federal government contracts it signed. This is particularly troublesome considering the nature of its work — right now, Aerojet is working on power and propulsion systems for missiles, launch vehicles, and various other space vehicles for federal agencies like NASA and the Department of Defense.
The settlement reached at the beginning of April resolved litigation brought by one of their former employees, Brian Markus. He invoked the False Claims Act and its whistleblower provisions to pursue litigation on behalf of the USA as a private party, and Mr. Markus will receive a portion of the settlement money.
In this case, another whistleblower has proved their worth in preserving national security and their company's business integrity and compliance. But even more importantly, the case has set an important precedent regarding cybersecurity misconduct and various failures.
It’s important to view this as what it is — a watershed moment for TPRM in the context of cybersecurity, but also just another part of a wider trend. In October 2021, the Justice Department announced its Civil Cyber-Fraud initiative.
Its purpose is to reach a new level of accountability for individuals and entities who put U.S. systems or information at risk by intentionally providing products and services with cybersecurity deficiencies or by knowingly misrepresenting their level of cybersecurity.
What’s The Underlying Issue?
It’s important to note that most companies aren’t intentionally or maliciously keeping their cybersecurity standards below the required threshold — generally, their main problem is the difficulty of third-party risk management in a globally interconnected economy, especially when it comes to third-party digital IT environments.
It can be argued that the biggest flaw lies in the tools that companies have traditionally used to manage and gauge third-party risk — in practice, that means security questionnaires.
The Problem With Security Questionnaires
Once you scratch beneath the surface of cybersecurity risk management, you will find that questionnaires are undeniably the most popular solution. However, that has more to do with their expedience and familiarity than with their actual efficacy as dependable risk management tools.
In fact, an honest conversation with most risk management professionals will tell you that they don’t have much confidence in these questionnaires when push comes to shove.
Unfortunately, they rarely provide a thoroughly accurate view of a company’s risk exposure due to third parties — and they don’t provide effective solutions for getting remediation from your third-party vendors either.
However, security questionnaires bring something else to the table — a budget-friendly, straightforward, and easy-to-understand process. And while vendors aren’t the biggest fans of security questionnaires either, they generally know what to expect; they’re very much the status quo.
The position of security questionnaires as a supposedly acceptable third-party risk management tool is further cemented by the attitude of most regulators; they frequently accept questionnaires as a way to check TPRM compliance boxes.
Unfortunately, the result is that, much like antivirus solutions and firewalls, they have persisted as the de facto TPRM standard in most industries. They’re not particularly well-loved, but they allow for an expedited and streamlined process.
The Wind of Change
According to some estimates, over 80% of U.S. enterprises use security questionnaires — more than double the rate at which companies use more technologically advanced means of assessment.
However, there are ample signs of change — mostly pushed by regulatory awareness of the growing tide of cybersecurity threats that largely come from TPRM failures. And as cybercriminals have begun using more advanced technology for their malicious purposes, cybersecurity measures must follow suit.
That’s why a growing number of companies are moving away from relying solely on security questionnaires. Many of them have started using a combination of AI-driven cybersecurity solutions, cybersecurity ratings, remote assessments, more extensive document reviews, and questionnaires.
Unfortunately, a sizable ratio of TPRM solutions still mainly relies on questionnaires. And even when alternative methods — like onsite assessments — are used, security questionnaires still represent the leading method for TPRM assessments.
Most TPRM professionals will attest that self-assessments are simply too problematic and unreliable. While there’s some anecdotal evidence of their success, the almost daily headlines of huge data breaches that stem from TPRM failures clearly show their inefficacy.
A majority of vendors report perfect compliance with cybersecurity requirements; a starkly different picture to the reality “on the ground”. And the result is clear: such assessments just don’t offer the kind of actionable insights that a 21st-century cybersecurity system needs.
What Does This Mean For TPRM?
More and more, questionnaires are starting to seem like rubber stamps — and the Aerojet Rocketdyne fine only speaks to that fact. Most TPRM pros don’t think that their vendors' security performance corresponds to the standards represented in the questionnaires. Only a small number of today’s organizations can claim, with any degree of confidence, that their vendors are in full compliance with cybersecurity regulations.
Of course, the quality of the questionnaires varies — among other things, with the number of questions they contain. But no number of additional questions will change the fact that all companies want to close deals. This means that, given the chance to falsely report a better cybersecurity standard than they actually employ, they most likely will.
The huge negative impact of a false answer on these questionnaires is more visible with every new cybersecurity breach — and each one is a new piece of evidence for the argument that the current overreliance on self-assessment methods has to end.
Luckily, data-driven TPRM solutions that employ machine learning algorithms are the way forward. By combining vast amounts of data gathered from OSINT and other sources, they’re able to provide a far more reliable picture of a vendor’s true level of cybersecurity. News feeds, security rating agencies, financial ratings — all of them can be cross-referenced with questionnaires to reveal the truth.
Of course, all of that would take a tremendous amount of manpower to do manually. That’s why solutions like Rescana rely on cutting-edge machine learning technologies to process vast amounts of data from all possible sources.
The case of Aerojet reinforces the need for new, tech-driven solutions that will be more dependable — especially those developed by cybersecurity experts, instead of cookie-cutter in-house solutions that may ultimately do more harm than good.