Fortify Your Resilience Against Third-Party Challenges

COVID-19 is wreaking havoc with every facet of the business world, and IT is no exception. While your business may have had some degree of control over the pandemic’s impact on the internal technology environment, the same may not be true for the multitude of third-party IT services providers that are relied upon for mission critical IT functions. Since external IT services are ubiquitous in today’s business environment, it is imperative that you assess your technology providers to ensure these services do not pose an immediate impact, and determine how best to fortify your resilience against third-party challenges.

Many third-party services are critical to your business’ success, and include technical support providers, cloud-based financial applications, security monitoring, email, and data backup solutions. These providers are not immune to disruption, including those related to COVID-19, and face a host of their own challenges, ranging from depleted manpower to insolvency. Compounding any challenges third-party providers may be experiencing is the fact that many of their clients (including, most likely, your workforce) are now scattered into unfamiliar settings, forced to work from home until conditions improve. This unprecedented upheaval caused by the pandemic has uncovered many unanticipated issues and limitations, exposing those third-party providers that did not have adequate resources in place to continue delivering the same quality of services they provided prior to COVID-19’s arrival.

The immediate and most pressing need is to ensure that IT service providers can support your business with a stable and acceptable level of uninterrupted service until the pandemic’s effects begin to abate. Open and maintain communications with your providers to keep one step ahead of any surprise impact to your services. While you may feel that the worst is over, the service provider may have an overseas workforce located in an area that has yet to be hit by COVID-19, so discuss whether they can sustain operations if and when the pandemic reaches their shores. It should also be determined whether the provider’s services will be impacted if and when businesses begin the massive shift back to traditional office environments.

To avoid a future degradation in third-party services, your business should assemble a team that is focused on the following tasks:

• Establishing a third-party provider evaluation and management system. Service level agreements, certifications, and SOC (service organization control) reports should be reviewed and documented for both current and future providers, to determine whether they have the necessary resources in place to mitigate downstream disruption. This evaluation process should be periodically repeated, and augmented with formal and ongoing discussions with providers, to allay any future concerns. While evaluation and management of third-party IT providers should be widely adopted, the results of Citrin Cooperman’s proprietary risk assessment tool, the SCORE Report, shows that only a fraction of companies have established these protocols. A recent example of the importance of evaluation and management of third-party providers involved a cloud-based ERP system that encountered unexpected issues, leaving them unable to service their clients. As a result, hundreds of their clients were unable to perform critical functions for weeks, including the ability to send invoices or track their workers’ activity. Had these organizations reviewed the service provider’s SOC report, they would have been aware of the risks, as there was minimal documentation related to contingency planning and incident response.
• Developing a migration plan to a more resilient provider that is better equipped to weather future challenges and is scalable to meet future demands. Since migration is a significant step that comes with substantial challenges of its own, exhaustive planning will avoid outcomes that are worse than if no action was taken at all. While a budget is key to the migration decision, other factors must be considered, including business continuity, time and resources needed to move to a new provider, and the willingness to sacrifice legacy capabilities. Should the migration be executed, the plan should establish milestones and metrics throughout the process to provide for the best chances for a successful outcome.
• Identifying opportunities for internal improvements. COVID-19 has provided every business with an impromptu and comprehensive disaster recovery test, shining a glaring and unforgiving spotlight on a business’ technology weaknesses. If a mission-critical third-party service has been rendered ineffective as a result of shifting to a work-from-home environment, contingency solutions that can meet the necessary technology requirements should be investigated and implemented to prevent future disruption.

While unimaginable hardships have been inflicted upon the business world during the COVID-19 outbreak, there are opportunities for companies to learn from, and adapt to these unprecedented challenges. One of these opportunities is putting the right third-party IT service providers in place, giving your company a chance to emerge stronger, once the post-pandemic future arrives.

For more information or to set up a meeting to discuss how Citrin Cooperman can provide assistance with evaluating or selecting your third-party service providers, please reach out to us:

Kevin Ricci, CISA, CISM, MCSE, CRISC, QSA Principal kricci@citrincooperman.com	Michael Camacho, CPA, CIA Partner mcamacho@citrincooperman.com