Engaging third-party vendors for the provision of goods and services is not a new concept, so why has vendor risk management become so important?
Vendor risk management is important because managing vendor risk is foundational to cybersecurity, business continuity and regulatory compliance. A robust vendor risk management (VRM) program helps organizations understand their vendor risk profile and mitigate third-party and fourth-party risk before an incident, rather than relying on incident response after one.
This is particularly true for organizations in regulated industries, like financial services and healthcare, that rely on third parties to deliver mission-critical services to their customers.
With heightened regulatory expectations around third-party risk management processes, it's imperative to be able to continuously monitor and manage your vendors' performance and the risks they introduce.
What is Vendor Risk Management?
Vendor risk management is concerned with risk mitigation, particularly:
- Cybersecurity risk: The risk of exposure or loss resulting from a cyber attack, data breach or other security incident. This risk is often mitigated by performing due diligence before onboarding new vendors and ongoing monitoring over the vendor lifecycle.
- Operational risk: The risk that a third-party will cause disruption to the business operations. This is generally managed through contractually bound service level agreements (SLAs). Depending on the criticality of the vendor, you may opt to have a backup vendor in place to ensure business continuity. This is common practice for financial institutions.
- Legal, regulatory and compliance risk: The risk that a third-party will impact your organization's compliance with local legislation, regulation or agreements. This is particularly important for financial services, healthcare and government organizations as well as their business partners.
- Reputational risk: The risk arising from negative public opinion caused by a third-party. Dissatisfied customers, inappropriate interactions and poor recommendations are only the tip of the iceberg. The most damaging events are third-party data breaches resulting from poor security controls, like Target's 2013 data breach, where attackers entered the network using credentials stolen from an HVAC vendor.
- Financial risk: The risk that a third-party will have a detrimental impact on the financial success of your organization. For example, your organization may not be able to sell a new product due to poor supply chain management.
- Strategic risk: The risk that your organization will fail to meet its business objectives because of a third-party vendor.
What is Driving the Increased Focus on Vendor Risk Management?
There are a number of factors driving organizations to place increased importance on third-party risk which can be grouped into the following areas:
- Regulation: Increased focus on third-party risk management and vendor risk assessments by regulators and standards bodies worldwide, e.g. FISMA, CPS 234, GLBA, SOX, PCI DSS and HIPAA
- Market conditions: Global recession caused many organizations to outsource operations to reduce costs
- Reputational impact: Increasing understanding of reputational damages that can stem from poor vendor performance or failure has caused senior management to care about stopping incidents before they occur
- Technology: Changes in technology have led to data being stored, processed and transmitted across cloud services
- Overseas providers: Increasing use of offshore vendors has increased the level of regulatory risk taken on by organizations
- Specialist suppliers: Organizations are increasingly reliant on products and services from specialist suppliers that cannot be brought in-house
A vendor risk management program reduces the frequency and severity of data breaches, data leaks and cyber attacks involving third and fourth parties, protecting sensitive data (PII, PHI and intellectual property) and supporting business continuity.
What are Some Common Problems With Vendor Risk Management Programs?
There are a number of common problems that can have significant impact on your organization including:
- Resiliency: Organization has no business continuity or incident response plan in place.
- Solvency monitoring: No monitoring of third-party solvency and financial viability.
- Security controls: Organization has no adequate visibility into whether its vendors comply with its information security policies.
- Regulatory compliance: No way to measure whether third parties comply with your data protection requirements.
- AML-CTF and KYC: No contractual obligations to perform AML, KYC or CTF checks on vendors
- Intellectual property protection: Contracts are not consistently passed through IP or legal teams to ensure intellectual property is protected from corporate espionage.
- Health and safety: Not taken into account when negotiating with potential vendors
- Corporate social responsibility: The vendor relationship is not nurtured and there are no processes in place to ensure third-parties are protecting your organization's brand and CSR efforts.
Why are Third-Party Vendors Important for Businesses?
Outsourcing to effective vendors can offer several benefits including:
- Specialization: Many products or services are so specialized that outsourcing to a dedicated company provides better performance at a lower level of risk than performing the function in-house, e.g. accounting, appraisal management, internal audit, human resources, sales and marketing, loan review, asset and wealth management, procurement or loan servicing. For smaller companies, it's often impractical to perform every function internally. Third-party relationships allow you to streamline your organization and focus on core competencies.
- Cost savings: Many vendors benefit from economies of scale and are able to offer the good or service at a lower cost than you would be able to internally.
- Globalization: With a growing pool of international clients, it's often required to engage with vendors on the ground to compete overseas. Think of things like legal services, translations and sales reps who are knowledgeable about other countries or geographies.
What are Third-Party Vendors?
A third-party vendor is any person or organization outside your organization that provides it with a product or service. Common third parties include:
- Manufacturers and suppliers (everything from PCBs to groceries)
- Services providers, including cleaners, paper shredding, consultants and advisors
- Short and long-term contractors. Manage short and long-term contractors to the same standard, and assess the information and systems each of them can access.
- Any external staff. Awareness of cyber risk can vary widely between external staff, so don't assume a common baseline.
- Contracts of any length can pose a risk to your organization. Contract length itself also carries legal risk: the Internal Revenue Service (IRS) applies worker classification rules (behavioral control, financial control and the type of relationship) to decide whether a contractor is in substance an employee, so a vendor working onsite for an extended period with a company email address may end up classified as an employee entitled to benefits.
The Importance of Vendor Risk Management
Fundamentally, organizations are increasingly reliant on outsourcing and there is no sign the trend is slowing.
According to IBM's 2019 Cost of a Data Breach Report, a breach involving a third party cost $370,000 more on average than one that did not, for an adjusted average total of $4.29 million.
Ask yourself these questions:
- Do I know who are my high-risk vendors?
- Do I know if my high-risk vendors have adequate data security practices in place to protect my and my customers' sensitive information?
How Can I Manage My Third-Party Risk Exposure?
It is important to have strong vendor management practices. Any vendor risk management program starts with an accurate inventory of your vendors. Without that, it's impossible to measure the level of risk your vendors are introducing.
Once you have a complete list of your vendors, it's time to develop a vendor assessment process, which should include a vendor questionnaire template to streamline the onboarding of new vendors and the assessment of current vendors.
This is why organizations are investing in tools that automatically create, send and assess the results from vendor questionnaires.
But don't just rely on questionnaires. The problem with questionnaires is they are point-in-time, subjective and expensive to administer and it's not something that improves with scale. The larger your organization, the more vendors you'll have.
One answer to this problem is security ratings.
Security ratings are a quantitative measurement of externally observable security posture, akin to how a credit rating measures creditworthiness. A higher rating means the vendor's public footprint shows fewer of the weaknesses an attacker could exploit; the rating reflects the posture, not the other way round.
Security ratings products provide continuous, non-intrusive (outside-in) measurement of a vendor's security performance and can provide an aggregate view of vendor performance and the key risks shared across your third and fourth parties.
This allows your vendor management team to continuously monitor individual vendors for security issues without scaling headcount in step with the number of vendors.
How UpGuard Helps Organizations With VRM
Hundreds of organizations, both small and large, choose UpGuard to help manage their VRM programs. We're experts in data breaches and data leaks, our research has been featured in the New York Times, Wall Street Journal, Bloomberg, Washington Post, Forbes, Reuters and Techcrunch.
UpGuard Vendor Risk can minimize the amount of time your organization spends managing third-party relationships by automating vendor questionnaires and providing vendor questionnaire templates that map to the NIST Cybersecurity Framework and other best practices. We can help you continuously monitor your vendors' security posture over time while benchmarking them against their industry.
Each vendor is rated against 50+ criteria such as the presence of SSL/TLS and DNSSEC, as well as exposure to domain hijacking, man-in-the-middle attacks and email spoofing for phishing. Vendors are also monitored daily through UpGuard's Cyber Security Rating system, and any significant score drop is flagged and you are notified.
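The two passages above describe what an outside-in security rating measures (TLS, DNSSEC, hijacking and email-spoofing exposure) and how a monitoring workflow reacts to score drops, but not how such checks are actually evaluated. The Python below is an added example, not UpGuard's scoring code or anything from the original article. It parses the SPF and DMARC records that govern spoofing, combines them with HTTPS/HSTS, DNSSEC and registrar-lock observations into a score, and flags a significant drop between two runs. The `DomainObservation` fields, the deduction weights and the two vendors' records are assumptions constructed for illustration; a real scanner would populate the observation from DNS, RDAP and HTTP lookups.

```python
# Added example (not UpGuard's code): a minimal outside-in "security rating"
# built from the kind of passive signals listed in the article. Field names,
# weights and sample records are constructed assumptions, not real scan data.
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class DomainObservation:
    """What a passive scan of a vendor's public footprint might return."""
    domain: str
    https_available: bool
    hsts_header: Optional[str]   # Strict-Transport-Security value, or None
    dnssec_signed: bool          # apex zone has a validating DS/DNSKEY chain
    registrar_lock: bool         # e.g. clientTransferProhibited in RDAP status
    txt_records: List[str]       # TXT records at the apex (where SPF lives)
    dmarc_records: List[str]     # TXT records at _dmarc.<domain>


def parse_spf(txt_records):
    """Return (valid, all_qualifier) for the domain's SPF record.

    RFC 7208 allows exactly one v=spf1 record; zero or several is a broken
    setup. The qualifier on the trailing 'all' mechanism decides what happens
    to senders nothing else matched: '-' fail, '~' softfail, '?' neutral,
    '+' (or no qualifier) pass. No 'all' at all defaults to neutral.
    """
    spf = [r for r in txt_records if r.lower().startswith("v=spf1")]
    if len(spf) != 1:
        return False, None
    for term in spf[0].split()[1:]:
        match = re.fullmatch(r"([+\-~?]?)all", term.lower())
        if match:
            return True, match.group(1) or "+"
    return True, None


def parse_dmarc(dmarc_records):
    """Return the tag dict of the single v=DMARC1 record, or None if absent."""
    recs = [r for r in dmarc_records if r.lower().startswith("v=dmarc1")]
    if len(recs) != 1:
        return None
    tags = {}
    for part in recs[0].split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip().lower()
    return tags


def rate_domain(obs):
    """Score 0-100 plus a list of findings. Deduction weights are illustrative."""
    score, findings = 100, []

    def deduct(points, finding):
        nonlocal score
        score -= points
        findings.append(finding)

    if not obs.https_available:
        deduct(25, "no HTTPS")
    elif "max-age=" not in (obs.hsts_header or "").lower():
        deduct(10, "no HSTS: downgrade / man-in-the-middle exposure")
    if not obs.dnssec_signed:
        deduct(10, "zone not DNSSEC-signed")
    if not obs.registrar_lock:
        deduct(10, "no registrar transfer lock: domain hijacking risk")

    valid, qualifier = parse_spf(obs.txt_records)
    if not valid:
        deduct(15, "SPF missing or duplicated")
    elif qualifier in ("+", "?", None):
        deduct(10, "SPF permissive: spoofed mail passes")
    elif qualifier == "~":
        deduct(5, "SPF softfail only")

    dmarc = parse_dmarc(obs.dmarc_records)
    policy = (dmarc or {}).get("p")
    if dmarc is None:
        deduct(15, "DMARC missing")
    elif policy == "none":
        deduct(10, "DMARC p=none: monitoring only, spoofing not blocked")
    elif policy not in ("quarantine", "reject"):
        deduct(15, "DMARC policy invalid")

    return max(score, 0), findings


def significant_drop(previous, current, threshold=10):
    """Daily-monitoring style check: flag a drop of `threshold` points or more."""
    return previous - current >= threshold


# Constructed observations for two hypothetical vendors (not real scan data).
GOOD_VENDOR = DomainObservation(
    domain="payroll-vendor.example", https_available=True,
    hsts_header="max-age=31536000; includeSubDomains",
    dnssec_signed=True, registrar_lock=True,
    txt_records=["v=spf1 include:_spf.example.net -all"],
    dmarc_records=["v=DMARC1; p=reject; rua=mailto:dmarc@payroll-vendor.example"],
)
WEAK_VENDOR = DomainObservation(
    domain="hvac-contractor.example", https_available=True, hsts_header=None,
    dnssec_signed=False, registrar_lock=False,
    # two SPF records: a misconfiguration that makes SPF unusable
    txt_records=["v=spf1 a mx ~all", "v=spf1 ip4:203.0.113.0/24 -all"],
    dmarc_records=["v=DMARC1; p=none"],
)

if __name__ == "__main__":
    for vendor in (GOOD_VENDOR, WEAK_VENDOR):
        score, findings = rate_domain(vendor)
        print(vendor.domain, score, findings)
```

The point of the example is the parsing, not the weights: a questionnaire answer of "we use SPF and DMARC" tells you nothing about whether the trailing mechanism is `-all` or whether DMARC is still at `p=none`, while the records themselves are public and can be re-checked every day without touching the vendor's systems.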