One of the most frustrating challenges of vendor risk management is chasing outstanding security questionnaires. But with some clever operational strategies, you’ll never need to worry about delayed risk assessments impacting your SLAs again.
To learn how to encourage your vendors to complete their risk assessments faster, read on.
6 Tips for Getting Vendors to Respond to Risk Assessments Faster
There are many reasons why vendors fail to complete risk assessments. Sometimes it's due to a poor attitude towards cybersecurity, but in most cases it's a combination of a poor understanding of your vendor risk management standards and an inefficient risk assessment workflow. The six tips below address the latter.
1. Include a TPRM Clause in all Vendor Contracts
A Third-Party Risk Management (TPRM) program clause (or Vendor Risk Management program clause) should be included in all vendor contracts, including Master Service Agreements (MSAs), Business Associate Agreements (BAAs), or any other service agreements used by your vendor response team. The TPRM clause is a stipulation separate from the annual right-to-audit clause in vendor contracts.
The TPRM clause should clearly outline each vendor's role in the risk assessment process, including the expectation of timely responses to all vendor questionnaires. The TPRM clause doesn't need to be lengthy; aim for no more than a two-paragraph summary to ensure the entire clause is read.
The TPRM clause should be concise and easy to understand. Don’t complicate it with legal jargon.
The following information should be addressed in your TPRM clause:
- The key expectations for the vendor - Rapid response to security questionnaires, rapid completion of remediation requests, etc.
- A list of the types of third-party risk assessments the vendor should expect to receive - For example, assessments based on popular frameworks and regulations like NIST, GDPR, HIPAA, ISO, and other due diligence assessments.
Example of a TPRM Clause
Here's an example of a TPRM clause that includes a timely assessment response expectation. This clause has been slightly modified from its original wording in the Terms and Conditions of Foundation Medicine, Inc.
The supplier shall maintain an appropriate risk management and mitigation program for its critical suppliers. The supplier will share relevant risk metrics with the Buyer. In selected cases, upon request by Buyer, Supplier will provide evidence to Buyer by sharing (anonymized) risk assessments and audit reports. The supplier will respond to risk assessments no later than X days after receiving them. Risk assessments labeled as “critical” are to be answered within Y days.
A two-paragraph summary isn’t sufficient in every scenario. Higher risk level vendors with a greater potential impact on your security posture require a more detailed explanation of your third-party information security standards. For these scenarios, a Cybersecurity Addendum should be attached to the contract to supplement the TPRM clause.
The Cybersecurity Addendum should map to all of the mandatory security controls a vendor must have in place for a business partnership to be permissible. Gaps against these controls are identified with a preliminary vendor assessment analyzing the data security, data privacy, and general inherent security risk levels of all potential vendors.
If any prospective or new vendors raise concerns about your stipulated risk assessment response expectations, it should raise red flags. A willingness to contribute to the success of a client’s vendor risk management program is an attribute of a vendor that takes cybersecurity seriously. If a prospective vendor needs to be convinced to include TPRM or compliance risk processes in their due diligence workflow, it’s probably best to avoid that relationship.
2. Develop Relationships with your Third-Party Vendors
Just like your employees, your third-party vendors need to feel like they're part of the team to contribute to a project proactively. One of the simplest and most effective ways of developing a strong business relationship is through an orientation summarizing the process lifecycle of your vendor risk management program. Your vendors will appreciate your transparency and your objective of simplifying process integration with their security programs.
Here’s an example of an orientation program for new vendors that can be used as a template.
Objective: To establish a relationship with the new vendor.
- Outline vendor risk management program expectations
- Identify all relevant regulatory compliance standards
- Outline vendor risk assessment and response timelines
- Identify all relevant due diligence processes
- Identify all relevant points of contact
- Ask vendors how you can help make their cybersecurity efforts easier.
Objective: To make the vendor aware of your reminder process for incomplete risk assessments.
- Specify reminder medium (in-app or via email).
- Outline the number of assessment submission reminders and the time interval between them.
- Explain your SLAs
- Provide examples of SLA warnings that will be embedded in reminder messages
Risk Summary Phase 1: Initial Security Risk Evaluation
Objective: To explain your process of risk evaluation to the vendor.
- Request security certifications
- Determine inherent risk levels and risk of a data breach.
- Complete a threat intelligence report
- Separate low-risk vendors from critical vendors (such as those with greater access to customer data).
- Calculate risk tolerances for each vendor.
- Complete initial risk summary report
- Share risk and control recommendations with stakeholders
Risk Summary Phase 2: Final Security Risk Evaluation
Objective: To explain your risk remediation process to the vendor.
- Identify key vulnerabilities that need to be monitored.
- Explain how risk remediations will be tracked internally
Risk Summary Phase 3: Update Security Posture Maturity Status
Objective: To explain your process of tracking security posture improvements with the vendor.
- Track remediation requests progress.
- Confirm the effectiveness of remediation efforts with security ratings.
- Adjust internal vendor criticality rating based on security posture improvements/lack thereof.
This orientation is an opportunity to explain your risk assessment expectations in greater detail and to answer any questions about them. This will ensure a misunderstanding of your risk management processes is never the cause of delayed responses.
This additional vendor communication process should be clearly communicated to your stakeholders and procurement teams, so there are no surprises about the internal information you’re sharing with vendors.
3. Have a Point of Contact
You shouldn't be learning about each vendor's cybersecurity point of contact when submitting a risk assessment. This information should be requested during the vendor onboarding process or during the orientation meeting outlined in the previous point, and confirmed during annual third-party vendor reviews.
Your point of contact needs to be an individual, not an entire security department, and all vendor security correspondence should go directly to that individual, not their department’s general email address.
4. Avoid email correspondence
An email inbox is the worst environment for tracking time-sensitive tasks. Your risk assessment communications should be sent to a platform that won't push your important messages down an ever-growing list of unrelated security messages. A dedicated risk assessment channel in Slack is a step up from email because it consolidates third-party risk communications in a single channel, but it's not ideal: important requests could still get missed in a growing message list.
The ideal method for managing vendor risk communications is through in-app messages on a third-party risk management platform. The benefit of this approach is that it lets you track responses to the specific security queries that are delaying an assessment.
Here’s an example of such an in-app communication capability in the In-Line questionnaire correspondence feature on the UpGuard platform.
5. Automate the Notification Process
Integrations optimizing the risk assessment workflow make it easier for vendors to complete risk assessments, encouraging them to submit the assessments faster. These integrations work best with a Third-Party Risk Management platform managing the complete scope of the risk assessment process.
Two notification integrations commonly used in cybersecurity tools are Jira and Zapier.
Jira integrations make it easier to send and track risk assessment remediation requests.
Zapier integrations trigger events based on specific risk assessment workflow actions. This integration minimizes the administrative burden associated with risk assessments, helping vendors complete them faster.
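As an added example that is not part of the original article or of any vendor's product, here is the reminder and SLA-warning process from the orientation outline (reminder count, interval between reminders, SLA warnings embedded in each message, escalation once the SLA is missed) written as a small scheduler that an automation such as a Zapier-triggered job could call. The response limits, reminder counts and intervals are constructed placeholder values standing in for the X and Y days of the TPRM clause, and the vendor records are constructed.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed policy values: response limits stand in for the X/Y days of a TPRM clause;
# reminder count and spacing stand in for the "number of reminders and interval" agreed at orientation.
SLA_DAYS = {"standard": 30, "critical": 10}
INTERVAL_DAYS = {"standard": 7, "critical": 3}
REMINDERS = 3


@dataclass
class Assessment:
    vendor: str
    contact: str            # a named individual at the vendor, not a department alias
    sent: date              # date the questionnaire was sent
    criticality: str        # "standard" or "critical"
    responded: bool = False


def due_date(a: Assessment) -> date:
    """SLA due date derived from the assessment's criticality."""
    return a.sent + timedelta(days=SLA_DAYS[a.criticality])


def reminder_dates(a: Assessment) -> list[date]:
    """Evenly spaced reminder dates after sending, dropping any that fall past the due date."""
    step = INTERVAL_DAYS[a.criticality]
    dates = [a.sent + timedelta(days=step * k) for k in range(1, REMINDERS + 1)]
    return [d for d in dates if d <= due_date(a)]


def notifications(assessments: list[Assessment], today: date) -> list[dict]:
    """Messages to send today: a scheduled reminder carrying an SLA warning, or an overdue escalation."""
    out = []
    for a in assessments:
        if a.responded:
            continue
        due = due_date(a)
        remaining = (due - today).days
        if today > due:
            out.append({"vendor": a.vendor, "to": a.contact, "kind": "escalation",
                        "message": f"{a.criticality} assessment is {-remaining} day(s) past its SLA due date {due}"})
        elif today in reminder_dates(a):
            n = reminder_dates(a).index(today) + 1
            out.append({"vendor": a.vendor, "to": a.contact, "kind": "reminder",
                        "message": f"Reminder {n}/{REMINDERS}: SLA warning, {remaining} day(s) left (due {due})"})
    return out
```

Run `notifications(queue, date.today())` once a day from a scheduler; each returned record names the individual contact and the SLA state, so the messages can be posted in-app rather than to a shared inbox.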
6. Send Risk Assessments as Early as Possible
Risk assessments have the highest chance of being completed within SLAs if they’re sent to vendors as early as possible. For new vendors, this should ideally be done alongside RFx processes. For existing vendors, risk assessment requests should immediately follow the detection of security posture degradations from monitoring tools like security scans or the disclosure of zero-day threats, like the Spring4Shell and Log4J vulnerabilities wreaking havoc on global supply chains.
Streamline your VRM process with UpGuard
UpGuard’s Vendor Risk Management (VRM) platform simplifies the entire third-party risk assessment lifecycle, both for your internal security teams and your third-party vendors.
With a growing list of workflow integrations, an attack surface monitoring tool, and a Shared Profile feature making it easier for vendors to sign up to the platform, UpGuard streamlines the entire VRM workflow in a single platform, removing the common process frustrations delaying risk assessment submissions.