This is where vendor risk management comes in. Vendor risk management is an ongoing program that requires people, process, and technology. It ensures that the use of service providers and IT suppliers does not cause business disruption or negatively affect business performance due to undetected vulnerabilities.
Threats presented by third parties
There are several potential cyber threats that can be brought in by third parties. Companies who process or store client data can be attacked to enable the theft of confidential information, while more advanced attackers can compromise their systems and use their connections to infiltrate the networks of their partners as well.
Vendors can expose their clients to cyber risks without an attacker having to lift a finger. Server and cloud misconfigurations by third parties continue to be some of the most common causes of breaches, with recent cases including leading organisations such as Universal Music Group and Honda. A contractor working with Universal failed to secure an Apache Airflow server and inadvertently exposed essential data such as AWS secret access keys, internal FTP credentials and SQL passwords. Meanwhile, a Honda affiliate misconfigured two Amazon S3 buckets and left the data of more than 50,000 Honda Connect App users accessible for more than a year.
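The S3 case above is the kind of misconfiguration a vendor assessment can check for directly. As an added example (this is illustrative code, not from the article or from any organisation it names), the Python below parses a bucket policy document in the JSON shape AWS uses, reports any Allow statement whose Principal is everyone, and separately lists which of the four S3 Block Public Access settings are switched off. The policy documents, bucket name and account ID are constructed placeholders.

```python
"""Flag S3 bucket policies and Block Public Access settings that expose data.

Added example, not part of the original article. The sample policies below
are constructed; the bucket and account identifiers are placeholders.
"""
import json

ANY_PRINCIPAL = "*"  # an Allow for this principal is readable by anyone

# The four settings that make up an S3 PublicAccessBlockConfiguration.
PUBLIC_ACCESS_BLOCK_KEYS = (
    "BlockPublicAcls",
    "IgnorePublicAcls",
    "BlockPublicPolicy",
    "RestrictPublicBuckets",
)


def _as_list(value) -> list:
    """Policy fields such as Action or Resource may be a string or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principal_is_public(principal) -> bool:
    """True if the Principal element covers every AWS account and anonymous users."""
    if principal == ANY_PRINCIPAL:
        return True
    if isinstance(principal, dict):
        return ANY_PRINCIPAL in _as_list(principal.get("AWS"))
    return False


def find_public_grants(policy_json: str) -> list[dict]:
    """Return one finding per Allow statement granted to everyone.

    A statement with a Condition block is still reported, but marked
    conditional, because the condition may or may not narrow access enough.
    """
    policy = json.loads(policy_json)
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if not _principal_is_public(stmt.get("Principal")):
            continue
        findings.append({
            "sid": stmt.get("Sid", "<no Sid>"),
            "actions": _as_list(stmt.get("Action")),
            "resources": _as_list(stmt.get("Resource")),
            "conditional": "Condition" in stmt,
        })
    return findings


def public_access_block_gaps(config: dict) -> list[str]:
    """Return the Block Public Access settings that are missing or False."""
    return [key for key in PUBLIC_ACCESS_BLOCK_KEYS if not config.get(key, False)]


# Constructed sample: world-readable objects, the pattern behind many bucket leaks.
OPEN_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-vendor-bucket/*",
    }],
})

# Constructed sample: access limited to one role in a placeholder account.
SAFE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AppRoleOnly",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:role/vendor-app"},
        "Action": ["s3:GetObject", "s3:PutObject"],
        "Resource": "arn:aws:s3:::example-vendor-bucket/*",
    }],
})

if __name__ == "__main__":
    for name, policy in (("open", OPEN_POLICY), ("safe", SAFE_POLICY)):
        print(name, find_public_grants(policy))
    # A bucket with only ACL blocking enabled still accepts a public policy.
    print(public_access_block_gaps({"BlockPublicAcls": True, "IgnorePublicAcls": True}))
```

In a real assessment the policy document and PublicAccessBlockConfiguration would come from the vendor's account (for example via the AWS CLI's `get-bucket-policy` and `get-public-access-block` calls) rather than from the constants above; the checks themselves do not change.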
Key areas of operationalising a vendor risk management program include understanding the vendor landscape, conducting risk assessments and defining what should be included in contracts and Service Level Agreements (SLAs).
Understanding who selects partners and suppliers, and how, is the first step to mapping out your vendor landscape. This includes looking at whether the Vendor Risk Management Program is part of the selection process, and at who owns the relationship. Alignment with your internal corporate vendor stakeholders is a key component of running a successful Vendor Risk Management Program. These decision makers often include the business unit that owns the relationship with the third-party partner. Other critical parties include legal, procurement and information security.
Building proactive partnerships with your vendor stakeholder community is critical to engaging in the selection process, contract negotiation, and annual review. Constructing standard operating procedures (SOPs) for vendor risk management will help those invested in your vendors to understand why this is important and what they can expect from the process. Your program will require your decision makers to be involved as risks are identified and mitigation strategies developed. Integrating a security ratings platform can add to this by providing stakeholders with evidence of where the external risk exposure is and can lead to more transparency and continuous monitoring for the most important suppliers and third-party partners.
Conducting risk assessments
Risk assessments come in many different forms. Having clarity around the type of risk assessment can help all stakeholders understand the level of due diligence being performed. Vendor Risk Management, which focuses on a vendor’s own security hygiene and capabilities, is often confused with a more general risk assessment of the vendor’s implementation within the corporate environment, which looks at the impact of its operations.
Contracts and SLAs: incorporating risk
If a Vendor Risk Management program is to have any significant impact on security, companies need to ensure that its results are properly incorporated into their processes. A good approach is to include data security as a contract clause within a Master Service Agreement (MSA). Any third party storing or processing data on behalf of the organisation should have a clause on security risk included in its service contract. It is also particularly important that vendors that subcontract to others are carefully managed, so that they do not expose the company to avoidable risk through their own suppliers.
Before any contract is negotiated, a thorough security assessment should be carried out so specific findings for the vendor’s security posture can be included in its contractual obligations around the management and care of data. Another effective approach is to incorporate cyber security into contracts by linking security risk management to a Service Level Agreement (SLA). This way if the vendor fails to live up to the required level of security, it would be treated in the same manner as missing agreed performance targets and deadlines would be.
Finally, a “right to audit” clause should be included in every data security agreement. This will go a long way to ensuring a vendor is fully compliant with the assessment process and any later inquiries. Likewise, an annual review can be included in the contract, and specific factors such as keeping systems patched can be included as criteria.
In conclusion, when integrated with security ratings, a Vendor Risk Management Program can help bring transparency to the enterprise and help the organisation make risk-based decisions. Also, building a transparent Vendor Risk Management Program where the stakeholders have a clear understanding of the process and how it can help them to evaluate vendors holistically will protect and support your corporate revenue objectives.