Vendor risk management is hard. And it's getting harder. But it doesn't have to be.
Business units are outsourcing more of their operations to third-party suppliers. In turn, these suppliers outsource to their own service providers. It's undeniable, the average organization's exposure to third-party risk and fourth-party risk has never been higher. It is important to have robust vendor management practices.
Many organizations myopically focus on operational risk factors in their supply chain, such as service levels, quality standards, KPIs and service levels, ignoring the largest risks. Namely, the reputational and financial damages from security breaches.
Vendor risk management can help prevent data breaches and is increasingly a key part of regulatory compliance. This is especially true for financial services organizations with the introduction of CPS 234, the Gramm-Leach-Bliley Act and PIPEDA.
Here are 8 best practices any vendor risk management program will benefit from.
Keep an Accurate Vendor Inventory
Without an inventory of your third-party relationships, it's impossible to measure the level of risk vendors introduce.
Keep in mind, third-party vendors may not have the same security controls as you. This is why a third-party risk management framework must account for your vendors' potential risks
Even security incidents at small vendors can result in large cyber attacks.
A good example is the 2013 Target data breach which began with a HVAC subcontractor in a single Target store. This led to the exposure of approximately 40 million debit and credit cards.
Keeping inventory of your vendors is the first step to any vendor risk management program. Security issues can occur at any part of the vendor lifecycle including after the vendor relationship as ended.
Create a Vendor Assessment Process
Vendor questionnaire are key to any vendor risk management strategy. For many industries, they are a regulatory requirement.
The problem with traditional vendor questionnaires are they are point-in-time, subjective and time consuming to create.
This is why organizations are investing in tools to automatically create, send and assess the results from security questionnaires in an objective way.
If you're not sure where to start, use our vendor risk assessment questionnaire template. Use it as a baseline and remove or add questions based on your risk tolerance.
A good template reduces the operational overhead of assessing and onboarding new vendors, without compromising on security.
Continuously Monitor and Assess Individual Vendors
The biggest issue with traditional third-party risk management processes is they are point-in-time, expensive and subjective.
Ongoing monitoring and assessment of individual vendor risk is difficult.
Even for the largest organizations. One answer to this problem is security ratings.
Security ratings are a quantitative measurement of security posture, akin to how a credit rating measures lending quality. As security ratings improve, so do security postures.
Security ratings providers provide real-time, non-intrusive measurement of any vendor's security posture. Instantly providing an aggregate view of vendor performance and key risks shared across your vendor portfolio, alowing vendor management teams to continuously monitor individual vendors for security issues.
By combining the continuous monitoring nature of security ratings with the deep insights of point-in-time risk assessments, security teams can achieve the most comprehensive awareness of their entire attack surface, even between risk assessment schedules.
Define Vendor Performance Metrics
If you're planning to engage an IT vendor or service provider, define cybersecurity metrics alongside operational SLAs.
If you're a HIPAA covered entity, you are liable for vendor data breaches. Even if you aren't legally liable, data breaches cause reputational and financial damages.
If you're not sure what metrics are important UpGuard Vendor Risk automatically assesses your vendors against 50+ important metrics.
Monitor Fourth-Party Vendors
Cybersecurity risk doesn't stop with third-parties. There is a good chance your vendors have vendors. Those vendors introduce fourth-party risk.
Fourth-party risk management requires even greater consideration than third-party risk management. You likely have no legal contract with fourth-parties.
Many third-parties fail to manage fourth-parties to the same rigor as you manage your third-party vendors. We see this as a major risk management gap.
Fourth-party risk management can reduce:
- Remediation efforts
- Total risk exposure
- Provider selection processes
And improve due diligence, risk monitoring information and review.
Plan for the Worst Case Scenario
Your third-party management plan must account for the removal of vendors who fail to mitigate risks in a timely manner.
Business continuity reduces the risk that your customers will suffer from extended outages caused by third-parties. This could be caused by a misconfigured S3 bucket managed by a vendor or a third-party data center suffering from a natural disaster.
Form a Dedicated VRM Committee
One of the best practices you can implement is a vendor risk management committee.
This is a dedicated team with senior management represented.
The committee is tasked with dealing with potential and existing vendors.
The most important thing is to communicate with your vendors. Don't assume they know what you expect from them. Communication can reduce misunderstanding and allow you to proactively address issues before they become security incidents.
Communication workflows should also be directed upwards, to keep stakeholders informed of your VRM efforts. The most effective vendor risk management communications occur via cybersecurity reports covering information such as:
- Security measures across all major risk categories (which could include reputational risks and financial risks)
- The efficacy of mitigation efforts as measured by security posture improvements
- Continuous monitoring efforts for the detection of emerging vulnerabilities
- Alignment with compliance requirements, like the GDPR.
- TPRM program effiocact
- The results of cybersecurity audits (internal and external)
- Critical risk threatening service level agreements stipulated in vendor contracts
The UpGuard platform includes a cybersecurity reporting module with automation features pulling relevant vendor risk management data into a reporting template optimized for stakeholders and board meetings.
UpGuard’s board summary reports can be instantly exported into editable PowerPoint slides to streamline stakeholders’ communication at reporting and presentation levels.
How UpGuard Can Help Scale Your VRM Program
UpGuard Vendor Risk can minimize the amount of time your organization spends managing third-party relationships by automating vendor questionnaires and providing vendor questionnaire templates that map to the NIST Cybersecurity Framework and other best practices. We can help you continuously monitoring your vendors' security posture over time while benchmarking them against their industry. Each vendor is rated against 50+ criteria such as presence of SSL and DNSSEC, as well as risk of domain hijacking, man-in-the-middle attacks and email spoofing for phishing.