When truckers think about risk and safety, they tend to focus on catastrophic events on the road.
But to shippers, safety involves more than accidents and out-of-service rates. Increasingly, they’re looking at carriers through a cybersecurity lens and asking what kind of risk they pose to their data, business, compliance, and reputation.
In the world of Governance, Risk, and Compliance (GRC), a for-hire carrier represents what’s known as third-party risk. You’re an outside vendor, probably one of many that a shipper works with and has little control over when it comes to monitoring and managing private information.
Of course, you have your own third-party relationships.
If you want a sense of what that exposure looks like, take a moment to map out every possible way your operation connects with customers, vendors, employees, and regulators.
Get granular. Consider every individual cell phone, computer, telematics device, EDI connection, and app or SaaS product that each department uses to generate and store its own data. Anyone or anything that can connect to a network where data about you and your customers resides should be on that list.
Now extend that map to your vendors’ vendors. Each point on the map is a potential opening to a data breach or cyber attack.
As more organizations formalize and invest in GRC, it’s likely that your risk posture will be part of the RFP and onboarding processes. Your response could help you separate your operation and win business.
Where do you start?
- Let’s define third-party risk management or TPRM. It’s a process whereby companies monitor and manage interactions with all outside parties. This can include contractual relationships, where risk is recognized in a service contract, as well as informal non-contractual ones. From a cybersecurity standpoint, TPRM relates to all outside parties you work and share data with, but it can also include risk to a company’s operations, financial standing, and reputation.
- How do you monitor the risk that third parties pose? It starts with understanding how much of your data each external party has access to, but it also involves knowing their relative health and security posture. If they’re attacked or have a breach, or the business were to simply change hands, what are the conditions and procedures for sharing that information back to you?
- What about regulatory compliance, including new SEC guidance for publicly traded companies? Some of these data privacy and data protection requirements may be outside the traditional scope of trucking but would apply if you or vendors handle credit card and banking information, for example, or employee medical records.
- How do you get leadership to buy in? Not every executive team is enthusiastic about dedicating budget and headcount to something that’s relatively new, hard to grasp, doesn’t directly contribute to sales, and indeed can make relationships with customers more complex. How do you actually operationalize third-party risk management? How does it mesh with your larger GRC initiatives?
Third-party risk management is exploding as a practice. The marketplace is full of consultants, technology, and other resources promising to get you up and running quickly.
At the same time, there’s no one-size-fits-all solution, especially in trucking and logistics. The risk posture and third-party relationships of a carrier hauling auto parts or an asset-based broker will be different from a dedicated carrier or one-truck owner-operator.
None of that may matter to your customers, frankly. Shippers want to work with vendors that can support their risk management programs from the moment the relationship begins until well after it’s over—and you’ve met whatever requirements are in place for off-boarding the data you’ve shared.
Shippers will always want truckers to compete on price and service. But a well-executed third-party risk management program may tip the balance in your favor.
Dr. Erika Voss is vice president and chief information security officer at DAT Freight & Analytics. In a Transport Topics webinar, she outlines the steps trucking companies can take to manage the risk of online threats.
The above article is sponsor-generated content. To learn more about sponsor-generated content, click here.