Vendor risk management is foundational to cyber security, business continuity and regulatory compliance. A robust vendor risk management (VRM) program helps an organization understand its vendor risk profile and mitigate third-party and fourth-party risk up front, rather than relying on incident response after the fact.
This is particularly true for organizations in regulated industries, like financial services and healthcare, that rely on third parties to deliver mission-critical services to their customers.
With heightened and reinforced regulatory expectations around third-party risk management processes, it is imperative to be able to continuously monitor and manage your vendors' performance and the risks they introduce.
What is vendor risk management?
Vendor risk management (VRM) deals with the management and monitoring of risks resulting from third-party vendors and service providers.
What is driving the increased focus on vendor risk management?
There are a number of factors driving organizations to place increased importance on third-party risk, including regulation, market conditions, reputational impact, technology, suppliers, and overseas providers.
Vendor risk management is concerned with risk mitigation, particularly:
- Cyber security risk: The risk of exposure or loss resulting from a cyber attack, data breach or other security incident. This risk is typically mitigated by performing due diligence before on-boarding a new vendor and by ongoing monitoring throughout the vendor life cycle.
- Operational risk: The risk that a third party will disrupt your business operations. This is generally managed through contractually binding service level agreements (SLAs). Depending on the criticality of the vendor, you may opt to keep a backup vendor in place to ensure business continuity; this is common practice for financial institutions.
- Legal, regulatory and compliance risk: The risk that a third party will affect your organization's compliance with local legislation, regulation or contractual agreements. This is particularly important for financial services, healthcare and government organizations, as well as their business partners.
- Reputational risk: The risk arising from negative public opinion caused by a third party. Dissatisfied customers, inappropriate interactions and poor recommendations are only the tip of the iceberg. The most damaging events are third-party data breaches resulting from poor security controls, like Target's 2013 data breach.
- Financial risk: The risk that a third party will have a detrimental impact on the financial success of your organization. For example, your organization may be unable to sell a new product because of poor supply chain management.
- Strategic risk: The risk that your organization will fail to meet its business objectives because of a third-party vendor.
What are third-party vendors?
A third-party vendor is any person or organization that provides a product or service to your organization but is not part of it. Common third parties include:
- Manufacturers and suppliers (everything from PCBs to groceries)
- Service providers, including cleaners, paper shredding, consultants and advisors
- Short- and long-term contractors. Manage both to the same standard and assess the information they have access to.
- Any external staff. Be aware that the level of cyber risk awareness can vary widely among external staff.
- Contracts of any length can pose a risk to your organization, and the Internal Revenue Service (IRS) has regulations about vendor and third-party relationships that go beyond specific time frames, so even the length of a contract can pose risk. In the IRS's eyes, a vendor working onsite with a company email address for longer than a specific period should be classified as an employee and receive benefits.
The importance of vendor risk management
Fundamentally, organizations are increasingly reliant on outsourcing and there is no sign the trend is slowing.
We all trust vendors with increasingly in-depth access to sensitive data (like PII, PHI and psychographics), which means the impact of third-party security breaches is growing too.
In 2019, the average cost of a data breach involving third-parties was $370,000 higher than first-party data breaches, for an adjusted total of $4.29 million.
Ask yourself these questions:
- Do I know who my high-risk vendors are?
- Do I know whether my high-risk vendors have adequate data security practices in place to protect my and my customers' sensitive information?
How can I manage my third-party risk exposure?
Any vendor risk management program starts with an accurate inventory of your vendors.
Without that, it's impossible to measure the level of risk your vendors are introducing.
Once you have a complete list of your vendors, it's time to develop a vendor assessment process, which should include a vendor questionnaire template to streamline the on-boarding of new vendors and the assessment of current vendors.
This is why organizations are investing in tools that automatically create, send and assess the results of vendor questionnaires.
But don't rely on questionnaires alone. Questionnaires are point-in-time, subjective and expensive to administer, and the problem does not improve with scale: the larger your organization, the more vendors you'll have.
One answer to this problem is security ratings.
Security ratings are a quantitative measurement of security posture, akin to how a credit rating measures creditworthiness: a higher rating indicates a stronger security posture.
Security ratings products provide real-time, non-intrusive measurement of any vendor's security performance and can instantly provide an aggregate view of vendor performance and the key risks shared across your third and fourth parties.
This allows your vendor management team to continuously monitor individual vendors for security issues without scaling headcount.