American college athletics is a foundational pillar of higher education institutions and a profitable business model for universities. The National Collegiate Athletic Association (NCAA), which regulates college athletics, reported that in 2020, Division I schools earned $15.7 billion in athletics revenue. In 2023, NCAA Division I school Ohio State University reported a record-breaking revenue of over $275 million from its athletic department alone.
Like most successful businesses, collegiate athletics often utilize third-party vendors to outsource business operations. From marketing operations to recruitment processes, these third-party vendors handle sensitive data—putting athletic departments at risk of data breaches and other security incidents.
Third-party risk management (TPRM) seeks to minimize the risks associated with using third-party vendors, and college athletic programs must understand the importance of TPRM to protect their institutions and the student-athletes they work with. This blog post will discuss examples of sensitive data and third-party service providers in college sports, including best practices for universities to follow when working with third-party organizations.
Types of Data Used in Collegiate Athletics
At first glance, college sports do not seem like a data-heavy industry. However, under the surface, collegiate sports are one of the biggest data-driven industries in higher education.
Data has wide functionality in collegiate athletics. Performance analytics track detailed statistics and metrics about a player’s physical and tactical performance, which help refine training programs to keep athletes in top condition. Health and medical data also impact injury prevention and management, the identification of risk factors, and rehabilitation programs.
On the administrative side, athlete data can be used to monitor academic performance (which impacts athletic eligibility); financial information plays a role in athletic scholarship awards and contractual requirements; and personal athlete information may even be outsourced to marketing firms to help promote upcoming games on social media. Data in college athletics enhances athletic performance while supporting student-athletes' health, academic success, and engagement, making it an essential tool in modern sports.
Examples of sensitive data used by intercollegiate athletics include:
- Personally Identifiable Information (PII): Basic personal information, including names, addresses, phone numbers, email addresses, etc.
- Health and Medical Records: This data is protected under laws like HIPAA in the U.S. and includes injury reports, medical histories, rehabilitation details, mental health information, etc.
- Academic Records: Grades, transcripts, course schedules, eligibility status, etc. This data is protected under FERPA in the U.S.
- Financial Information: Data relating to scholarships, tuition assistance, financial aid, bank account information for direct deposit of scholarships or stipends, etc.
- Athletic Performance Data: Statistics on performance, training regimens, strategies, etc.
- Contractual Information: Contracts with head coaches, staff, trainers, etc., that may contain confidential information like salary information.
- Communication Records: Private communication between coaches, athletes, staff, etc.
- Recruitment Information: Data on prospective high school student-athletes, including scouting reports, contact information, communication logs, etc.
Third-Party Service Providers in College Athletics
At its core, college athletics is a business that must be profitable to succeed. However, athletics programs often face the challenge of balancing their financial goals with their commitment to providing a high-quality athletic experience for their student-athletes. Outsourcing business operations to third-party service providers is one way to achieve this balance.
By outsourcing administrative and logistical work to third-party vendors, athletics programs can focus on what they do best: coaching and training their athletes to succeed on the field. This approach allows athletics departments to allocate more resources towards athletic performance and success, which can lead to increased revenue and profitability.
In addition to freeing up resources, outsourcing can lead to improved efficiency and cost savings. Third-party service providers often have the expertise and experience to handle complex business operations, such as managing sponsorships, arranging travel logistics and insurance coverage, and handling ticket sales. By leveraging the expertise of these vendors, athletics programs can streamline their operations and reduce costs.
Common third-party vendors a college athletics department might utilize include:
- Sports Medicine Providers and Athletic Trainers
- Academic Consultants and Tutors
- Financial Services Providers
- Legal and Compliance Consultants
- Marketing and Public Relations Firms
- Travel Agencies and Logistics Providers
Best Practices for Third-Party Risk Management in Collegiate Athletics
A TPRM program is essential for any intercollegiate sports program that works with third-party vendors. Third-party risk management is the process of analyzing and controlling risks associated with outsourcing to third-party vendors or service providers. This is particularly important for collegiate athletic departments with sensitive student-athlete data.
Depending on the type of third-party risk organizations aim to minimize, there are various approaches to TPRM. The best approach is holistic, which addresses all types of third-party risks. Below are some best practices to incorporate into your TPRM program, specifically applicable to collegiate athletic departments seeking to protect student-athlete data.
Due Diligence and Vendor Risk Assessments
Athletic departments should practice due diligence by utilizing vendor assessments when selecting third-party vendors. Due diligence involves assessing potential risks before entering into an agreement with a third-party vendor. Vendor assessments facilitate this process: they evaluate and monitor the risk profile of third-party vendors by analyzing various aspects of their operations.
Vendor assessments can be crafted to an organization’s specific needs. For example, a director of athletics wants to ensure a third-party marketing service will protect the privacy of a student-athlete’s personal data. A vendor assessment that evaluates the third-party organization’s cybersecurity measures could provide insight into their data protection standards, which can help determine if this vendor is the right fit for the athletics department.
How UpGuard Helps
Customize risk assessments based on a vendor’s risk exposure to your organization, and conduct initial assessments using security ratings, or deep-dive using our library of industry-standard security questionnaires. Vendor Risk provides one place to assess, remediate, or waive vendor risks, creating an in-depth, auditable snapshot of your vendor’s security posture.
Managed Vendor Inventory
In addition to selecting and onboarding third-party vendors, managing an up-to-date vendor inventory is another crucial aspect of third-party risk management for college athletic departments. Vendor inventory management involves maintaining an updated and comprehensive list of all third-party vendors that an organization engages with, along with relevant details about their services, contracts, and risk profiles.
Depending on the scope and size of an organization, there may be tens or even hundreds of vendors under contract at one time. Keeping all vendor information (contract terms, renewal dates, performance metrics, etc.) in one place makes key information easier to find. A managed vendor inventory also provides a clear overview of an organization’s risk landscape, providing insight into dependencies, risks, and impacts associated with each vendor.
How UpGuard Helps
The vendor inventory in UpGuard Vendor Risk helps you find, track, and monitor the security posture of any organization instantly. You can categorize vendors, compare them against industry benchmarks, and see how their security posture changes over time.
All monitored vendors are in a centralized location in our platform, and you can easily find vendors using the search bar and sort them by vendor tier, name, score, or label. If vendors have risks requiring remediation, you can tackle the whole remediation process in a single automated workflow. You can also run tailor-made reports for different stakeholders using our reports library.
Continuous Monitoring and Reporting
Maintaining constant vigilance in third-party risk management is essential to keep your business safe and compliant. You can avoid issues by regularly monitoring and evaluating vendor performance and risk status. For example, athletic teams may want to ensure that third-party vendors who handle confidential team performance data are consistently secure—preventing a data breach where an opponent could gain information about their private game strategy.
Continuous monitoring and reporting offer insightful and timely information that allows you to identify and address potential risks proactively. This early detection can help prevent risks from becoming major problems. With regular reporting, you can also maintain transparency and accountability, which makes it easier to make informed decisions regarding your vendors.
How UpGuard Helps
Our security ratings are generated by analyzing trusted commercial, open-source, and proprietary threat intelligence feeds and non-intrusive data collection methods. These easy-to-understand scores are updated daily and based on analyzing each vendor’s underlying domains and security posture.
Regular Audits and Compliance Checks
Regular audits and compliance checks ensure that both your third-party vendors and your organization stay compliant with legal regulations. Third-party risk management works to minimize legal, regulatory, and compliance risks that may impact your organization if a third party fails to comply with various regulations.
Some of the most well-known data regulations that impact collegiate athletics are the Health Insurance Portability and Accountability Act (HIPAA) and the Family Educational Rights and Privacy Act (FERPA). These regulate protected information about student-athletes’ health and education records. In addition to these data regulations, the NCAA has its own bylaws and regulations for collegiate athletic programs around recruiting, eligibility, financial aid, etc.
Athletic departments must prioritize regular audits and compliance checks of third-party vendors who pose a compliance risk to their organization. This practice ensures third parties comply with NCAA rules and applicable legal regulations.
How UpGuard Helps
Accelerate your assessment of third-party vendor compliance by using UpGuard Vendor Risk’s powerful and flexible built-in security questionnaires. Our questionnaire library lets you get deeper insights into your vendor’s security by selecting questionnaires based on specific regulations or best practices.
Our security questionnaires make it easy to audit and check compliance across various regulations and cybersecurity frameworks, including ISO 27001, HECVAT, HIPAA, and more. Vendors are provided due dates and reminders to complete the questionnaire, and risks are automatically identified and surfaced based on vendor responses so you can request remediation or waivers.
UpGuard: Voted the #1 Third Party & Supplier Risk Management Software
UpGuard is proud to be named the #1 Third-Party & Supplier Risk Management Software in Winter 2024, according to G2, the world’s most trusted peer review site for business software. UpGuard was also named a Market Leader in the category across the Americas, APAC, and EMEA regions for the sixth consecutive quarter, reflecting the customers' trust and confidence in the platform.
G2 evaluates products in the Third Party & Supplier Risk Management category based on customer satisfaction (as per user reviews) and market presence (considering market share, seller size, and social impact). UpGuard has been identified as a Leader owing to its high scores in customer satisfaction ratings and significant market presence.
If your collegiate sports program is ready to enhance its security posture and third-party risk management, consider investing in UpGuard Vendor Risk.