In today’s connected economy, where companies do business with suppliers and vendors worldwide, an integrated governance, risk and compliance (GRC) strategy that incorporates vendor risk management is critically important. To help your organization better understand and mitigate third-party vulnerabilities, this guide has strategies to identify and manage supplier risks and outlines steps to create a successful vendor risk assessment framework. Finally, it details the actions you should take if a vendor is breached and explains how a Cyber Risk Scorecard can help boards assess cybersecurity risks for their organizations.
What Are Third-Party Risks?Your organization has relationships with many outside parties. These include partners, customers and suppliers of products or services. In turn, all of these have some amount of access to your systems and network. Third-party risks are all the threats these relationships could pose to your organization. As supply chains become more complex and more organizations look to use global supply chains to build their presence in new markets, these third-party risks are growing. The 2020 Deloitte Third-party risk management global survey shows that 17% of organizations reported facing a high-impact third-party risk incident in the previous three years, up from 11% in the 2019 survey. The Deloitte survey also reveals the high costs of these risks. For instance, 30% of organizations believe that failure to manage third-party risks adequately could cause share prices to fall by 10% or more, and 46% expect their financial exposure because of a significant third-party incident would exceed 50M USD.
How Are Third-Party Vendors Security Risks?When organizations begin a new relationship with a partner or vendor, security screenings and policies are generally top-of-mind. But as the relationship continues, screenings may become less stringent, and organizational policies may become relaxed because the relationship has become familiar. Third-party vendors also represent security risks because of the nature of supply chains. For an organization to trust that their third-party vendors present no security risks, they must also trust that every vendor in the extended supply chain has security protocols in place that are at least as robust as their own. Even if an organization can guarantee that third parties’ policies consistently match their own internal policies, ensuring this for every organization the third parties work with (subcontractors, fourth or fifth parties) poses significant challenges. Deloitte research reveals that 29% of organizations rely solely on their third parties for managing subcontractor risks. More worryingly, 23% don’t monitor subcontractors in any way, even via their own third parties.
Third-Party Risk ExamplesHere are some of the most significant ways organizations can be affected by third-party risk.
- Cybersecurity: A data breach at a third party can profoundly affect every organization it has a relationship with. IBM’s 2020 Cost of a Data Breach Report shows that third-party software vulnerability is the third-largest initial threat vector for malicious breaches, representing 16% of all attacks.
- Failure to perform adequate screening: Without careful cybersecurity screening when onboarding third parties, organizations experience increased risk of data breaches, financial losses and reputational damage. To be effective, screening must also encompass fourth parties and subcontractors.
- Regulatory noncompliance: The emergence of wide-ranging privacy regulations such as the EU’s General Data Privacy Regulation (GDPR), California’s Consumer Privacy Act (CCPA) or Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) have put the responsibility for securely storing and managing consumers’ personal information squarely on the organizations that collect the data. The financial penalties for noncompliance can be severe and apply even if the data was exposed through a third party’s actions.
- Financial: Organizations face significant financial risks due to third parties’ actions. Suppose a third-party supplier fails to deliver parts on time or provides faulty parts. In that case, organizations face lost sales in the short term and, in the most severe cases, the prospect of ongoing revenue losses due to reputational damage.
- Operational: Conditions that affect third parties can also affect an organization’s operations, such as when a natural disaster disrupts a supplier’s ability to deliver goods or when an outsourced business function is shut down due to network failures at a third party.
- Failure to account for changing third-party circumstances: Organizations also face reputational risk due to unexpected actions by third parties, such as the sale of the business. Organizations must also monitor third parties and their subcontractors for business decisions that violate environmental or labor laws. These actions pose a regulatory risk for third parties and represent a serious reputational risk for any organizations that do business with them.
What Types of Supplier Risk Do You Need to Consider?All suppliers and third parties should be evaluated for risks associated with website access and permissions, specifically managing cookies, user privacy and extensions. Extensions created by cybercriminals and installed on a third-party site may, for example, expose your organization’s data. Decentralized systems and service providers may represent cloud security risks. The many different platforms that use both internal and customer-facing third-party applications, and connect using APIs, may also be sources of supplier risk. Organizations must also assess the distribution of their suppliers. The risks of using a single supplier for essential goods or services are apparent. Still, organizations that depend on multiple suppliers in a given area also face risks due to outside influences, potentially including environmental disasters, political upheaval or social unrest. Organizations must also assess supplier financial risks, including constrained cash flow and lack of access to capital, and supplier performance risks, such as those created by management changes or a lack of planning.
Vendor Risk Mitigation and Compliance: How Can Companies Manage Third-Party Security Risks?In the past year, business challenges, including shipping interruptions, supply chain disruptions and travel restrictions, have forced many organizations to look for new partners and vendors, even as they also look to expand into new markets to boost growth. And while organizations have rushed to embrace digital transformation initiatives to reduce the potential impact of business interruptions, this has also resulted in increased cybersecurity risks, such as targeted attacks or technical failures leading to significant network outages. Given the state of the world at present, then, it shouldn’t be surprising that the Allianz Risk Barometer 2021 ranks business interruption as the top global business risk, followed by the pandemic outbreak and cyber incidents. Managing vendor risk is a critical component for each.
Vendor Risk Management Best PracticesEvery company should have a set of vendor risk management policies and procedures and schedule a regular review to ensure these reflect changing business conditions. Companies should also establish standardized vendor risk ratings and supplier evaluation risk ratings and use these to assess every new vendor and supplier. Policies should allow for regular review of vendor and supplier performance records to reduce the risk of partnering with a vendor or supplier with a poor history. Companies should also establish policies that ensure they can perform the following five vendor and supplier risk management best practices:
- Assess third-party risk regularly (annually at a minimum) by the board of directors.
- Categorize and assess each vendor based on their level of access to your systems and information. This assessment should also review each vendor’s third-party risk based on their own supply chains. Consider working with SMEs (either internal or external) who can help review third-party cybersecurity and business continuity plans.
- Outline KPIs for critical risks (such as cybersecurity, data security and operational resilience) for each vendor. Create strong vendor contracts that clearly set out the metrics your company can use to terminate a relationship if KPIs are not met.
- Establish communication with all vendors and set a regular schedule to update vendor documentation. Documentation for vendors that provide a product or service representing a more significant risk should be updated more frequently.
- Create a vendor risk framework that details how to evaluate vendors, enter into agreements with them, establish standards for communication and manage their performance.
What Is the Vendor Risk Management Maturity Model (VRMMM)?The vendor risk management maturity model (VRMMM) gives companies a framework for evaluating the maturity of third-party risk management programs. It lets them establish strategies to convert best practices for third-party risk management into tools they can use to assess a third party’s risk management program in both its current and future states.
What are the Vendor Risk Management Maturity Levels?There are five levels of vendor risk management maturity:
- Initial stage: Vendors either lack defined risk management processes or execute processes on an ad-hoc basis. There is an inconsistent approach to risk management.
- Repeatable stage: Vendors are taking steps toward establishing a risk management program. They have defined risk management processes and execute them consistently. The overall approach to risk management is still unstructured.
- Defined stage: Vendors have established and implemented a risk management program and use a formalized approach. Overall, program management is in place, but enforcement mechanisms are still lacking.
- Managed stage: Vendors have fully implemented and operational risk management programs. Policies for monitoring and governance have been established, and compliance measures are in place. Program management includes measures to identify process improvements.
- Optimized stage: Vendors can undertake continuous improvement in their risk management processes. Risk management best practices have been defined and implemented, and the execution of crucial program elements has been automated. Program management includes regular measurement and testing of governance standards.
Vendor Risk AssessmentsAn essential part of managing third-party vendor relationships is identifying and understanding the potential sources of vendor risk. Third-party vendors can pose significant risks, including compliance, legal, reputational, financial and operational risks. Therefore, every organization should include vendor and supplier risk assessments as part of their operating policies.
What is a Vendor Risk Assessment?Understanding vendor risk isn’t always straightforward. But organizations can use a set framework known as a vendor risk assessment to understand better the risks they may face when using third-party vendors for business-critical products or services. Vendor risk assessments are essential when third-party vendors interact directly with customers, have access to customer data, or perform critical business functions.
Why Is a Vendor Risk Assessment Important?When organizations fail to conduct adequate vendor risk assessments, they have a much greater chance of experiencing a data breach in their supply chain. In addition to lost revenue and financial penalties, data breaches can cause catastrophic reputational damage. It’s imperative to remember that the organization that initially collects the data (the data owner) has full responsibility for keeping it secure. This is true even if the data is stored by a third-party vendor (the data holder). Most data protection laws assign responsibility for data breaches to the data owner rather than the data holder. The best way to minimize your liability in the event of a breach is to demonstrate that your organization has performed vendor due diligence risk assessments.
Third-Party Vendor Risk Assessment ExampleVendor risk assessments should contain questions about reputation and compliance, information and data security, physical and data center security, infrastructure security, and web application security. Here’s a vendor management risk assessment sample that can help you get started with supplier risk analysis. Reputation and compliance:
- Please provide up-to-date financial statements that show evidence of solvency.
- What project management processes does your organization use?
- Does your organization carry liability insurance?
- Does your organization comply with all regulations (state, national, and international) such as CCPA, HIPAA, and GDPR?
- Does your organization process personally identifiable information (PII) or protected health information (PHI)?
- Does your organization have a formal information security program?
- If so, what standards and guidelines are in place?
- Does your organization have breach management policies in place?
- What processes will you follow to communicate with us regarding security incidents that involve our data?
- Does your organization operate in a shared office space?
- Does your organization have policies regarding visitors and access to your physical space?
- Does your organization use data center providers?
- If so, what countries are those data centers in?
- Does your organization store sensitive or protected information in data centers?
- What is the most significant cybersecurity incident your organization has experienced?
- What processes does your organization use to monitor network security?
- Does your organization use a VPN?
- Does data get backed up regularly?
- If so, how are data backups stored?
- Do employees use their own devices to access infrastructure?
- If so, are employee devices required to be encrypted?
- What application does your organization run?
- What does it do?
- Does your application have a valid SSL certificate in place?
- Does your application require user login credentials?
- Does it have minimum password complexity standards?
- How are passwords stored?
- Is the application regularly tested for vulnerabilities?
Steps to Create a Successful Vendor or Third-Party Risk Assessment FrameworkThe first step in the vendor risk assessment process is identifying which risk management frameworks apply to your organization. The National Institute of Standards and Technology and the International Standards Organization offer commonly-used frameworks. Once an applicable framework has been identified, you can start modifying it to meet your organization’s needs. Here are four essential steps in creating an effective vendor risk assessment framework:
- Profile your vendors internally. For each vendor, contact the business unit that works most closely with them. Assess how critical each vendor is to your business and document the data and networks they can access.
- Ask vendors to complete a security self-assessment. Ensure that it reflects your business: a health care provider would want all vendors to comply with HIPAA regulations, while an international retailer would require GDPR compliance.
- Conduct an on-site audit (if necessary). Some high-risk categories may require this for all vendors. For others, it will depend on the results of the self-assessment. Communicate with the vendor. The focus here should be on comparing your organization’s risk tolerance with the vendor’s responses to the security self-assessment. Based on the results of your vendor security risk assessment, you can decide whether the relationship should continue.
- Establish leadership. Your leadership group should have the power to make decisions and take responsibility for risk governance. Leadership should also set a regular schedule for reviewing all aspects of third-party risk.
What You Need to Know About Vendor Assessment, Management Risk and Control MatrixOrganizations that involve vendors in the process of carrying out a risk self-assessment can then use the responses as part of a vendor management risk and control matrix. Also known as a vendor management risk assessment matrix or a supplier risk assessment matrix, the control matrix clarifies the nature of vendor risk. It also clearly shows the consequences organizations may face if they fail to act on those risks. Organizations can use the control matrix to assign a risk score or rating to every vendor and prioritize their security efforts based on these ratings.
Crisis Response: What Should You Do If There’s a Vendor Breach?No organization ever wants to learn that one of their vendors has experienced a data breach. However, if it happens, here are seven critical steps to follow that can minimize risk and reputational damage.
- Communicate with your customers. Trying to cover up the breach could do even more damage to your reputation.
- Notify regulators and law enforcement. Ensure that all laws and regulations about data breach notifications are followed.
- Examine the breach. How and where did it occur, and how many records were affected?
- Offer protections to customers. Any breach that involves customer data also raises the risk of identity theft. Credit monitoring services can help rebuild customer trust.
- Tighten network security. Did the breach reach your organization via a vendor’s systems? If it did, take steps to correct the flaws in your own security.
- Ensure that your vendors protect customer data. If you’re not checking this regularly, now is the time to establish a schedule for ongoing checks. Reconsider the relationship with any vendor that is unwilling to participate in this process.
- Implement a vendor risk management plan. Apply this plan to all existing vendors and use it to evaluate new suppliers as well.