Vendor risk management (VRM) deals with the management and monitoring of risks resulting from third-party vendors and suppliers of information technology (IT) products and services. VRM programs are concerned with ensuring third-party products, IT vendors and service providers do not result in business disruption or financial and reputational damage.
Vendor risk management programs have a comprehensive plan for the identification and mitigation of business uncertainties, legal liabilities and reputational damage.
As businesses increase their use of outsourcing, VRM and third-party risk management become an increasingly important part of any risk management framework. Organizations are entrusting more of their business processes to third parties so they can focus on what they do best. This means they must ensure those third parties are managing information security, data security and cyber security well. The risk of cyber attacks and data breaches originating from third-party vendors must be identified and mitigated.
While outsourcing has great benefits, if vendors lack strong security controls, your organization is exposed to operational, regulatory, financial and reputational risk. Vendor management is focused on identifying and mitigating those risks.
In this article, we cover the best ways to identify vendor risk and how to prevent and mitigate those risks.
Table of contents
- What is vendor relationship management?
- What is a vendor risk management plan?
- What are third-party vendors?
- What is vendor lifecycle management?
- Why you need to manage your vendor risks
- What are the benefits of vendor risk management?
- How do you create an effective vendor or third-party risk management framework?
- What is a vendor risk management maturity model (VRMMM)?
- What are the vendor risk management maturity levels?
- How to create a third-party or vendor risk management checklist
- Vendor risk management best practices
- How to address a vendor breach
- How UpGuard can help you manage your vendor risk
What is vendor relationship management?
When assessing a vendor, it's important to understand how the vendor fits into the overall context of your organization's projects and goals. Third-party relationships can range from a small one-off project with an independent contractor to an ongoing vendor relationship with a large multinational. Common vendor scenarios include:
- An original equipment manufacturer (OEM) who sells something your organization needs, such as a printed circuit board (PCB) to a computer manufacturer.
- A marketing freelancer who sells her services to your company on a one-time or ongoing basis (the latter leading to an ongoing vendor relationship).
- A Software-as-a-Service (SaaS) provider who sells software to your organization for a period of time.
Vendor relationship management is focused on overseeing the relationship with vendors, from due diligence and cyber security risk assessment, through the delivery of the good or service, to planning for business continuity. The person who oversees vendor relationships is often called a vendor manager. Vendor managers can sit in any part of an organization, from human resources to supply chain.
What is a vendor risk management plan?
Vendor risk management is an important part of an organization's information risk management and overall risk management process. Vendors pose many risks, including financial, reputational, compliance, legal and regulatory risks.
This is why it's in the best interest of your organization to manage its vendor risks throughout the relationship: before it begins, while it is active and after it ends.
A vendor risk management plan is an organization-wide initiative that outlines the behaviours, access and service levels that a company and a potential vendor will agree on.
The document should outline key vendor information and be valuable to the organization and the third-party. It should outline how your organization tests and gains assurance of vendor performance. And it should outline how the vendor will be able to ensure your organization's regulatory compliance and not expose customer data in security breaches.
Depending on the vendor and services provided, the relationship may be spelled out step by step with checklists or in a more casual manner.
In order for a vendor risk management plan to be useful, your organization must understand the vendor risk assessment process and be willing to work with your compliance, internal audit, HR and legal teams to ensure the vendor risk management plan is followed for each new and existing vendor.
What are third-party vendors?
A third-party vendor is virtually anyone who provides a product or service to your organization but does not work at your organization. Common third parties include:
- Manufacturers and suppliers (everything from PCBs to groceries)
- Service providers, including cleaners, paper shredding, consultants and advisors
- Short- and long-term contractors. It's important to manage short- and long-term contractors to the same standard and to assess the information they have access to.
- Any external staff. Awareness of cyber risk can vary widely from one group of external staff to another.
- Contracts of any length can pose a risk to your organization. The Internal Revenue Service (IRS) has regulations about vendor and third-party relationships that extend beyond specific time frames, so even the length of a contract can pose risk. In the IRS's eyes, a vendor working onsite with a company email address for longer than a specific period of time should be classified as an employee and receive benefits.
What is vendor lifecycle management?
The general lifecycle of a vendor relationship is as follows:
- Define and determine needs
- Create vendor assessments for all vendors
- Search for vendors and send out bids
- Select vendor(s)
- Define contract terms and timeframes
- Monitor relationship and performance
- End of contract, relationship or renewal
For high-risk vendors, steps may be skipped and may even result in early termination of contract.
Why you need to manage your vendor risks
Companies face a host of risks when they engage third parties. Vendors who handle confidential, sensitive, proprietary or classified information on your behalf are especially risky. If your third-party vendors have poor security practices, they can pose a huge risk regardless of how good your internal security controls are.
A myopic focus on operational risk factors like performance, quality standards, KPIs and SLAs is not enough. Increasingly, the biggest risks that come from third-party vendors are reputational and financial risks like data breaches.
Here's a sample of the risks that vendors can pose:
- Legal or compliance breaches, especially if you work in government or financial services or are a military contractor
- Breach of the Health Insurance Portability and Accountability Act (HIPAA), which requires protected health information (PHI) to be secured correctly
- Legal issues like lawsuits, class actions, loss of work or termination of relationships
- Information security and data security risks. You need to know how much information a vendor should have access to and has access to.
- Loss of intellectual property. If a vendor has access to proprietary information, there is a risk they steal it for themselves or expose it through a data breach
- Relaxed restrictions with long-term vendors can be a big risk; it's important for controls to be as rigorous five years in as on the first day
One key way to reduce risk is to only give vendors access to what data they need to get their job done and no more.
That said, to really reduce risk organizations need to have an overall risk management strategy that means vendors are constantly measured and evaluated. It's not enough to have subject matter experts who own their vendors. Data breaches can come from any part of your organization.
Without organization-wide practices, departments can pick their own metrics to measure and set ad hoc requirements, resulting in substandard risk management.
What are the benefits of vendor risk management?
A good vendor risk management program will ensure that:
- Addressing future risks takes less time and fewer resources
- Accountability for both the company and vendor is understood
- Quality of your services isn't damaged
- Costs are reduced where possible
- Availability of your services is improved
- You can focus on your core business function
- Operational and financial efficiencies are secured
- Risk is reduced as long as everyone follows the plan
Even if your organization has a high risk tolerance, regulations such as the Sarbanes-Oxley Act (SOX), the Payment Card Industry Data Security Standard (PCI DSS) and the Health Insurance Portability and Accountability Act (HIPAA) mandate that risk management policies extend to third-party vendors, outsourcers, contractors and consultants.
How do you create an effective vendor or third-party risk management framework?
To create an effective third-party risk management framework, you need to apply the same criteria to all vendors, adapted to the type of product or service they provide.
- Recognize and outline all challenges. In the era of cloud computing, a poorly configured S3 bucket can be as big a threat as a sophisticated attacker. Make sure your third-party vendors are checking their S3 permissions, or someone else will. You could be liable for your vendors' data breaches. The introduction of GDPR means that businesses that operate in the EU must provide data breach notifications, appoint a data-protection officer, require user consent for data processing and anonymize data for privacy.
- Ensure the entire organization is on board; without full compliance with your vendor management framework, it won't be as successful as it could be.
- Ensure your contracts have the "right to audit" as well as what security controls and requirements the supplier has in place.
- Outline how monitoring will occur, when it will occur, how reviews and feedback are conducted and how risks are identified and mitigated.
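The S3 misconfiguration risk mentioned above, as an added example that is not part of the original article and not UpGuard's tooling: a Python check that a bucket owner (your own team, or a vendor asked to evidence their controls) can run over a bucket's Public Access Block configuration, ACL and bucket policy to decide whether the bucket is effectively public. The input dictionaries are assumed to match the shapes returned by the S3 GetPublicAccessBlock, GetBucketAcl and GetBucketPolicy APIs, so the output of those calls can be passed straight in; the sample bucket name, owner ID, VPC endpoint ID and policy are constructed, and account-level Public Access Block settings are not modelled.

```python
"""Audit one S3 bucket's exposure from the three settings that decide whether
it is public: Public Access Block, the bucket ACL and the bucket policy.
Added example (not UpGuard's code). Inputs are assumed to mirror the S3
GetPublicAccessBlock / GetBucketAcl / GetBucketPolicy response shapes."""
import json

# S3 predefined groups whose ACL grants make objects readable by the world
# or by any authenticated AWS account.
PUBLIC_GRANTEE_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
PAB_SETTINGS = ("BlockPublicAcls", "IgnorePublicAcls",
                "BlockPublicPolicy", "RestrictPublicBuckets")


def public_access_block_gaps(pab_config):
    """Names of Public Access Block settings that are not enabled.
    pab_config is the 'PublicAccessBlockConfiguration' dict, or None when
    the bucket has no configuration at all (every setting then counts as off)."""
    if not pab_config:
        return list(PAB_SETTINGS)
    return [name for name in PAB_SETTINGS if not pab_config.get(name, False)]


def public_acl_grants(acl):
    """(permission, grantee URI) pairs granted to a public group."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GRANTEE_URIS:
            findings.append((grant.get("Permission"), grantee["URI"]))
    return findings


def _is_wildcard_principal(principal):
    # Principal may be the string "*" or a dict such as {"AWS": "*"} / {"AWS": ["*", ...]}
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        aws = [aws] if isinstance(aws, str) else aws
        return "*" in aws
    return False


def public_policy_statements(policy_json):
    """Split Allow statements with a wildcard principal into (public, conditional).
    A Condition block (e.g. aws:SourceVpce) may still restrict who can use the
    statement, so those are reported separately for manual review."""
    policy = json.loads(policy_json) if policy_json else {"Statement": []}
    statements = policy.get("Statement", [])
    statements = [statements] if isinstance(statements, dict) else statements
    public, conditional = [], []
    for i, st in enumerate(statements):
        if st.get("Effect") != "Allow" or not _is_wildcard_principal(st.get("Principal")):
            continue
        label = st.get("Sid", f"statement[{i}]")
        (conditional if st.get("Condition") else public).append(label)
    return public, conditional


def assess_bucket(name, pab_config, acl, policy_json):
    """Combine the three checks into one verdict for a bucket."""
    pab = pab_config or {}
    gaps = public_access_block_gaps(pab_config)
    acl_findings = public_acl_grants(acl)
    pol_public, pol_conditional = public_policy_statements(policy_json)
    # IgnorePublicAcls makes S3 disregard existing public ACL grants, and
    # RestrictPublicBuckets neutralises an existing public bucket policy, so a
    # finding only counts as exposure when the matching setting is off.
    acl_effective = bool(acl_findings) and not pab.get("IgnorePublicAcls", False)
    policy_effective = bool(pol_public) and not pab.get("RestrictPublicBuckets", False)
    return {
        "bucket": name,
        "public_access_block_gaps": gaps,
        "public_acl_grants": acl_findings,
        "public_policy_statements": pol_public,
        "conditional_policy_statements": pol_conditional,
        "publicly_exposed": acl_effective or policy_effective,
    }


# Constructed sample data for a bucket that was left world-readable.
SAMPLE_PAB = {"BlockPublicAcls": True, "IgnorePublicAcls": False,
              "BlockPublicPolicy": False, "RestrictPublicBuckets": False}
SAMPLE_ACL = {"Owner": {"ID": "example-owner"}, "Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "example-owner"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"},
]}
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-vendor-exports/*"},
    {"Sid": "VpcOnly", "Effect": "Allow", "Principal": {"AWS": "*"},
     "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::example-vendor-exports",
     "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-EXAMPLE"}}},
]})

if __name__ == "__main__":
    print(json.dumps(assess_bucket("example-vendor-exports", SAMPLE_PAB,
                                   SAMPLE_ACL, SAMPLE_POLICY), indent=2))
```

The verdict deliberately treats a fully enabled Public Access Block as the control that matters: the same ACL and policy that expose the sample bucket are neutralised when all four settings are on, which is why the checklist for a vendor should ask for the Public Access Block state rather than only "is the bucket private?".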
Read our guide on how to select a third-party risk management framework.
What is a vendor risk management maturity model (VRMMM)?
A vendor risk management maturity model (VRMMM) is a holistic tool for evaluating the maturity of third-party risk management programs, including cybersecurity, information technology, data security and business resiliency controls.
A VRMMM allows organizations to develop a strategy before building out a program and to identify where and how goals will be set to make the program robust.
Any VRMMM must have two important parts:
- A way to identify and evaluate needs and potential risks
- A way to measure the relative development of maturity in components of the overall risk management framework, such as determining how each department is managing risks, where resources need to be moved and how improvements can be made
What are the vendor risk management maturity levels?
There are six levels in a vendor risk management maturity model:
- Startup or no third-party risk management: new organizations beginning operations, or organizations with no existing vendor risk management activities.
- Initial vision and ad hoc activity: third-party risk management activities are performed on an ad hoc basis while the organization considers how best to structure them.
- Approved road map and ad hoc activity: management has approved a plan to structure activity as part of an effort to achieve full implementation.
- Defined and established: organizations with fully defined, approved and established risk management activities, but where those activities are not yet fully operationalized and metrics and enforcement are lacking.
- Fully implemented and operational: organizations where vendor risk management activities are fully operationalized with compliance measures, including reporting and independent oversight.
- Continuous improvement: organizations striving for operational excellence, with a clear understanding of best-in-class performance levels and how to implement program changes to continuously improve the process.
Understanding your organization's vendor risk management maturity level is a key part of understanding how best to manage vendor risk and where you can improve.
How to create a third-party or vendor risk management checklist
When your organization is preparing to hire or onboard a new vendor, you need to work through a due diligence checklist to ensure they are fit. This is also known as a vendor assessment.
The critical parts to a vendor assessment are as follows:
- Ask for references from the vendor's other clients
- Determine that the vendor is financially solvent; you may need to request financial statements
- Verify they have liability insurance
- If you operate in an industry with regulatory requirements, verify that they have the correct licensing and training, such as HIPAA training, security clearance or financial licence to provide the service
- Conduct a background and criminal check
- Assess whether the vendor will be able to meet your required service levels
- Determine whether the vendor has proper security controls, technology and expertise to properly manage your sensitive information
- Review the contract including terms, renewals, required service levels and termination requirements
You can also look at software to automate your vendor assessment questionnaires.
Vendor risk management best practices
The best practices for vendor risk management are to:
- Take inventory of all third-party vendors your organization has a relationship with
- Catalog cybersecurity risks that the counterparties can expose your organization to
- Assess and segment vendors by potential risks and mitigate risks that are above your organization's risk appetite
- Develop a rule-based system to assess future vendors and set a minimum acceptable hurdle for the quality of any future third-parties in real-time by reviewing data security and independent reviews
- Establish an owner of vendor risk management and all other third-party risk management practices
- Define three lines of defense, including leadership, vendor management and internal audit:
  - The first line of defense: functions that own and manage risk
  - The second line of defense: functions that oversee or specialize in risk management and compliance
  - The third line of defense: functions that provide independent assurance, above all internal audit
- Establish contingency plans for when a third-party is deemed below quality or a data breach occurs
Remember, there is no point having best practices if you don't follow the protocol. Breaches by vendors are almost always caused by failure to enforce already existing rules and protocols. You and your vendors need to be transparent about what you expect from each other and what risks are posed.
How to address a vendor breach
It's no longer enough to ensure your organization's own systems and enterprise web presence are secure. Your risk management program must address third- and even fourth-party risk.
Your vendors can be the target of cyber criminals or accidentally leak confidential information through poor configuration. Delays in schedules, failing to fulfil contracts, going over budget and cutting corners can cause financial and reputational damage even if your organization is not at fault.
By having and following a vendor risk management framework, your organization will be able to act quickly and follow a protocol if a vendor breach does occur. This can include anything from having your vendor pay the financial damages to termination of contract.
How UpGuard can help you manage your vendor risk
From sending security questionnaires to collecting data, due diligence can be labor intensive. To minimize the amount of administrative time spent managing third-party relationships, consider a tool that automates the process.
UpGuard can help you streamline the third-party risk management process by automatically monitoring your vendors' security performance over time and benchmarking them against the industry.
Each vendor is rated against over 50 criteria, providing a daily Cyber Security Rating. We can automatically send vendor security questionnaires to help you gain deeper insights into your vendors, improve your coverage and scale your security team.
We also continuously scan for and discover data exposures and leaked credentials related to any part of your business, preventing reputational and regulatory harm.