Rohit Ghai, president of RSA Security, warned in a speech today that the increased public concern – and regulatory penalties – around data privacy could mean companies will increasingly need to consider fourth and even fifth-party risk.
Speaking at today's RSA Digital Privacy, Digital Risk & Security conference in London, Ghai commented: "Third-party risk used to relate to the supply chain of products, but now that data is the most valuable resource, we are going to see more attacks targeting the supply chain so you need to categorise your data and chart your ecosystem.
"And that is going to extend to looking at fourth-party risk – so, a major provider to several of your third parties could become a major risk. You need to look at at least two levels of third and fourth party risks, and later it may extend to fifth party. You will need to look at the cyber-competency of your partners."
Kevin Akeroyd, CEO at Cision, suggested that we will also see these data privacy regulation risks becoming more country specific, with more fragmentation before it comes back together.
He said, "I also predict an arms race, with GDPR [providing the impetus for countries] to say, they don't like aspects, and accelerate regulation, land-grabbing [jurisdiction]. And to get attention, the penalties for non-adherence will skyrocket, so they could take 10 percent off share value as the penalties become more punitive and proliferate to become a critical factor. On the plus side, the industry knows more about how data privacy works than the regulators and so there is the opportunity for the industry to step up and take leadership."
For Ghai the result is this: "Whether its an intrusion or a breach is irrelevant, it’s the impact that is the priority. We need to align the business risk to the cyber-incident."
Nigel Ng, vice president international at RSA Security, suggested that the risks could be mitigated, explaining: "While companies see a 15 percent dip in their share price on the first day of a breach becoming public, those who manage the incident will see the price back up after a week and the press coverage disappear. But when you don't handle it well, it takes four to six weeks of being hounded by the press and ongoing reputational damage."
Akeroyd went further, implying that paying lip service to concerns allowed companies to get away with less ethical behaviour than those who did less harm but were less transparent about it.