Vendor Compliance Resources
Vendor compliance management is the process by which an organization identifies, assesses, and controls the risks of working with vendors, third parties, and business partners. If your organization relies on vendors for part of a business process, whether billing, customer service, data processing, or anything else, the risks that come with that relationship could ultimately put you out of business.
Get our checklist of vendor compliance management best practices and learn how to properly manage vendor risk today!
An effective risk management strategy includes assessing and monitoring vendor compliance with your company's policies and procedures. For many organizations, today's compliance program is an ongoing struggle to organize vendor responses in spreadsheets and questionnaires while manually tracking recurring events and supporting documents. Where should you start?
According to CFPB Bulletin 2012-3, companies must “oversee” their vendors “in a manner that ensures compliance with Federal consumer financial law…The CFPB’s exercise of its supervisory and enforcement authority will closely reflect this orientation and emphasis.”
Vetting and choosing vendors are among the most important decisions you'll make for your business, especially when it comes to information security. Vendors could do anything from running your call center to storing your data, monitoring your systems, or destroying your records.
Yes, you can outsource a process or a department to a vendor, but you can never outsource the risk. Every vendor poses some level of risk to your organization, especially financial, operational, reputational, and cyber risk, because they have access to your data, network, hardware, cloud environment, and more.
If your organization uses a third-party vendor for part of a business process, whether billing, customer service, data processing, or anything else, the risks that come with that relationship could ultimately put you out of business. Establishing a formal risk assessment process is how an organization performs its due diligence, and it lays the foundation for effective vendor compliance management.
But how is it done? Start by identifying the types of risk each vendor poses to your enterprise. By properly vetting your vendors and keeping a formal, documented risk assessment in place, you can identify and mitigate threats to your organization before they materialize. Let's look at what a formal risk assessment is and at some of the most notable risks your vendors could pose to your security posture.
Most organizations outsource some aspect of their business to vendors, whether to perform a specific, integral task or to replace an entire business unit. Vendors fill roles such as customer support, financial technology, record storage, software development, and claims processing. Using vendors can further an organization's business objectives, help it operate more effectively, and be more cost-efficient. Alongside those opportunities, organizations must remain aware of the risks vendors bring with them.
Because of the additional risk vendors introduce, more and more organizations are asking their vendors to obtain SOC 1 or SOC 2 attestations. But when you receive a SOC 1 or SOC 2 report from a vendor, do you know how to read it? Which areas should you focus on, and what do the results mean? SOC 1 and SOC 2 reports are lengthy and complex, but they are essential to understanding the risk a vendor poses to your organization. Let's look at the key components of SOC 1 and SOC 2 reports that will help you analyze the security of your vendors.
In March 2017, the New York State Department of Financial Services' Cybersecurity Requirements for Financial Services Companies, Part 500 of Title 23 of the New York Codes, Rules and Regulations (23 NYCRR 500), went into effect, establishing new cybersecurity requirements for financial services companies. 23 NYCRR 500 requires that financial services companies (covered entities) develop a cybersecurity program that protects the confidentiality, integrity, and availability of their information systems and the nonpublic information stored on them.
Most organizations rely on third-party vendors to meet their business needs because they simply can't do it all themselves. These vendors play a critical role in sustaining the business, but they can also be a liability. Why? Because a third-party vendor that isn't properly vetted can pose a major risk to the organization.
Vendor compliance management is a key starting point for GDPR compliance. When your organization is deciding whether to use a vendor that will handle personal data, you must follow GDPR best practices for managing vendor (processor) compliance.
An effective risk management strategy includes a deliberate process for assessing and monitoring vendor compliance. Some vendors go to great lengths to secure their services and processes; others may leave you to bear the consequences of their weaknesses. Vendors need to demonstrate what they are doing to reduce risk to you and your customers. You are placing a great deal of control in your vendors' hands, so managing vendor risk must be an integral part of any business.
What happens if your operations depend on the availability of a vendor's service and that service has an outage? If your vendor goes out of business, how does your organization continue to operate? If your organization shares cardholder data with a vendor and that vendor suffers a breach, what are the consequences for your organization? These are the scenarios your organization must consider when selecting vendors and managing vendor risk effectively.
On April 4, 2018, [24]7.ai, a customer support software company, announced a cyber incident "potentially affecting the online customer payment information of a small number of our client companies" that occurred between September 26 and October 12, 2017. The incident specifically involved [24]7.ai's chat tool. Never heard of [24]7.ai? We hadn't either, but its well-known clients gave this breach national attention. Sears, Delta Air Lines, and Best Buy have all announced breaches traced back to [24]7.ai, making this cyber incident a vendor compliance management issue.