Creating a Vendor Management Policy and Why You Need One

Last updated by Abi Tyas Tunggal on November 13, 2019


The purpose of a vendor management policy is to identify which vendors put your organization at risk and then define controls to minimize third-party and fourth-party risk. It starts with due diligence and assessing whether a third-party vendor should have access to sensitive data.

These internal controls could include rewriting vendor contracts to ensure vendors meet a certain level of security, implementing an annual inspection or replacing existing vendors with new vendors who meet security service level agreements (SLA) and SOC 2 security requirements. Make sure you evaluate new and existing vendors again by putting out RFPs at the end of each contract life cycle.

Table of contents

  1. Why your organization needs a vendor management policy
  2. How do third-party relationships introduce more potential risks?
  3. Why continuous monitoring is a must for any vendor management program
  4. What are the consequences of not having a vendor management policy?
  5. How to create a vendor management policy
  6. What should a vendor management policy include?
  7. How to assess new vendors with a vendor management policy
  8. How UpGuard can help you manage your vendor risk

1. Why your organization needs a vendor management policy

While many organizations have internal security policies in place, they often lack a clear understanding of the risks that stem from third-party vendors. Add to this the growing number of legal, regulatory, financial and reputational reasons to have a vendor management policy.

Regulators have recognized that third-party data breaches and data leaks represent significant cybersecurity risk. This has led to increased regulatory scrutiny of third-party risk management, information risk management and vendor risk management, particularly around vendors who have access to personally identifiable information (PII).

Outside of regulatory and legal issues, the cost of a data breach has never been higher, at $3.92 million. Data breaches involving third parties increased the average cost by more than $370,000, to $4.29 million. These figures exclude some of the biggest data breaches, like Equifax and Facebook.

2. How do third-party relationships introduce more potential risks?

Every organization should be concerned with third parties that have access to sensitive data, intellectual property or its corporate network. The more third parties you work with, the larger the attack surface potential attackers can exploit.

Outsourcing is becoming more common as organizations look to their vendors to save costs or capitalize on a vendor's expertise. This is often the right business decision, but it's important to understand that the more vendors you have, the more cyber threats you create.

Organizations need ongoing monitoring of their third-party service providers over the entire life cycle of the relationship; an initial cybersecurity risk assessment is not enough.

Senior management should take into account information security, data security, network security, disaster recovery, information security policies and access control as well as cost, information technology and vendor expertise as part of the vendor selection process.

3. Why continuous monitoring is a must for any vendor management program

Many organizations enter vendor relationships without fully understanding how the vendor is managing and processing their data and their customers' data.

In many cases, organizations have not set out requirements for how their vendors should be securing data. And even if they do, they often struggle to operationalize monitoring. 

Pair this with the fact that new vulnerabilities are added to CVE on a daily basis, and that your vendors likely have vendors of their own (fourth-party risk) who may have access to your data, and monitoring vendor risk by hand becomes nearly impossible.

This is why you should invest in tools that automatically monitor and rate your vendors' security performance and automate security questionnaires.

It's not enough to only monitor your organization for data exposures and leaked credentials. You need a holistic view of first, third and fourth-party risk.

4. What are the consequences of not having a vendor management policy?

A quick Google search will show thousands of results for data breaches that resulted from third-party vendors. Each one of these is a concrete example of what can happen as a result of poor vendor management. Organizations need to prevent first and third-party data breaches.

If your organization does not have a vendor management policy, you are being negligent. Negligent to your customers, shareholders and employees. 

Unfortunately, not having a policy in place means there is a high chance that your organization's sensitive data and your customers' personally identifiable information (PII) is being handled by someone who shouldn't have access.

Whether a data breach is a result of a third-party vendor, cyber attack or mistake is generally irrelevant to your customers. Data breaches have a massive negative impact on customers' trust in your organization. The average data breach leads to $1.42 million in lost business and 3.9 percent of customers churning.

5. How to create a vendor management policy

Before creating a vendor management policy, gather a list of your vendors. Keep in mind that the definition of a vendor is broad: a vendor is any third party, contractor or associate your organization does business with.

It's not enough to have a vague idea of who your vendors are; you need to know exactly who your vendors are in order to monitor them effectively.

Once the list is compiled, determine which vendors:

  • have access to sensitive data or personally identifiable information (PII)
  • have access to your internal network
  • your organization relies on for important business activities

Vendors that meet any of these criteria should be categorized as critical. They are where you should spend the majority of your time: learning about them, monitoring them and, where necessary, requesting remediation.

If one of these vendors is compromised, it could lead to a damaging data breach.

6. What should a vendor management policy include?

Your vendor management policy should include:

  • Service level agreements (SLAs)
  • Vendor compliance standards
  • Acceptable vendor controls
  • Vendor liability in the event of a data breach
  • Vendor review (SOC 2 report, site visits and auditing requirements)
  • Termination of contract when security requirements aren't met
  • Board or senior management oversight where needed
  • Disaster recovery and established redundancies for important business functions

During this process, determine whether the level of access each vendor has makes sense. Not all vendors require the same level of access to sensitive data, network and information technology systems to do their job.

7. How to assess new vendors with a vendor management policy

For new vendors, a robust vendor management policy will allow you to determine whether to do business with them in the first place. The purpose of this policy is to ensure all vendors are managing sensitive information correctly.

Consider investing in a tool that will rate your vendors' security against defined criteria and provide a security rating that can be monitored over time and benchmarked against their industry.

Most importantly, don't stop vendor management after due diligence.

Traditional vendor risk management assessments are subjective, unverifiable, unactionable and at a point in time. You need a way to continuously monitor and verify that a third-party's security posture hasn't changed and be alerted if new risks and vulnerabilities occur.

Many types of malware, like WannaCry ransomware, exploit known vulnerabilities and can be prevented with continuous monitoring. 

Continuous vendor management is part of any good defense in depth cybersecurity management process.

8. How UpGuard can help you manage your vendor risk

Vendor management policies can be hard to operationalize. From sending security questionnaires to collecting data, it's a laborious process. 

UpGuard Vendor Risk can minimize the amount of time your organization spends managing third-party relationships by automating vendor questionnaires and continuously monitoring your vendors' security posture over time while benchmarking them against their industry. 

Each vendor is rated against 50+ criteria such as presence of SSL and DNSSEC, as well as risk of domain hijacking, man-in-the-middle attacks and email spoofing for phishing.

Each day, our platform scores your vendors with a Cyber Security Rating out of 950. We can even alert you if their score drops.
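The continuous-monitoring loop of sections 3, 7 and 8 (tier vendors by the section 5 criteria, score each vendor against a few of the externally observable controls the page names, and flag score drops for review), as an added Python example that is not UpGuard's code; the criteria weights, the 0-950 mapping, the drop threshold and the two vendors are constructed for illustration.

```python
from dataclasses import dataclass, field

# Constructed criteria weights (hypothetical, not UpGuard's algorithm), each tied
# to a control the page names: TLS ("SSL"), DNSSEC (domain hijacking), SPF/DMARC (spoofing).
CRITERIA = {"tls": 300, "dnssec": 250, "spf": 200, "dmarc": 200}
MAX_SCORE = sum(CRITERIA.values())  # 950, matching the page's scale

@dataclass
class Vendor:
    name: str
    handles_pii: bool
    network_access: bool
    business_critical: bool
    # one observation per monitoring day, oldest first: criterion -> present?
    observations: list = field(default_factory=list)

def tier(v: Vendor) -> str:
    """Section 5: any one of the three criteria makes a vendor critical."""
    return "critical" if v.handles_pii or v.network_access or v.business_critical else "standard"

def score(obs: dict) -> int:
    """Sum the weight of every criterion the observation shows as present."""
    return sum(w for c, w in CRITERIA.items() if obs.get(c, False))

def score_drops(v: Vendor, threshold: int = 100) -> list:
    """(previous, current, lost criteria) for each day the score fell by >= threshold."""
    drops = []
    for prev, cur in zip(v.observations, v.observations[1:]):
        if score(prev) - score(cur) >= threshold:
            lost = sorted(c for c in CRITERIA if prev.get(c) and not cur.get(c))
            drops.append((score(prev), score(cur), lost))
    return drops

def review_queue(vendors: list) -> list:
    """Vendors whose score dropped, critical tier first, then by worst drop."""
    flagged = [(v, score_drops(v)) for v in vendors if score_drops(v)]
    flagged.sort(key=lambda vd: (tier(vd[0]) != "critical",
                                 -max(p - c for p, c, _ in vd[1])))
    return [(tier(v), v.name, d) for v, d in flagged]

# Constructed sample inventory: a PII-handling payroll provider that loses
# DNSSEC and DMARC on day 3, and a low-tier caterer that loses SPF.
PAYROLL = Vendor("payroll-provider (constructed)", True, False, True, [
    {"tls": True, "dnssec": True, "spf": True, "dmarc": True},
    {"tls": True, "dnssec": True, "spf": True, "dmarc": True},
    {"tls": True, "dnssec": False, "spf": True, "dmarc": False},
])
CATERING = Vendor("catering (constructed)", False, False, False,
                  [{"tls": True, "spf": True}, {"tls": True, "spf": False}])
```

Calling `review_queue([CATERING, PAYROLL])` puts the critical payroll vendor first with its 950-to-500 drop and the lost controls, which is the alert a reviewer would act on.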

For first-party risk, UpGuard BreachSight can continuously scan for and discover data exposures and leaked credentials related to all parts of your business. 

They're powerful alone and even better together. Cybersecurity has never been more important.

Book a demo today to start preventing first and third-party data breaches.

