Effective Vendor Risk Management
An effective risk management strategy includes a strategic process for assessing and monitoring vendor compliance. Some vendors go to great lengths to secure their services and processes, but others may leave you with consequences to pay. Vendors need to prove what they are doing to reduce risk to you and your customers. You’re putting a great deal of control into vendor’s hands, so managing vendor risk must be an integral part of any business.
What happens if your operations depend on the availability of your vendor’s services, but their service has an outage? If your vendor goes out of business, how does your organization continue to operate? If your organization shares cardholder data with a vendor and that vendor has a breach, what are the consequences to your organization? These are the types of scenarios your organization must consider when selecting vendors and effectively managing vendor risk.
Managing Vendor Risk
When engaging with a vendor, there are many steps to take: conducting a risk assessment, scoping, setting expectations, establishing communication methods, and verifying compliance requirements. Because there’s so much to do, we see many common gaps in organizations who are managing vendor risk, including a lack of exercising due diligence, limited involvement from senior management, lack of contract development and review, issues with a risk ranking system, and ineffective monitoring procedures.
- Lack of Due Diligence: What is your process for vendor selection? If you choose a vendor without assessing what types of vendor risk they present and whether the relationship will help achieve your objectives, you can damage your business. Do they have a Disaster Recovery Plan? Are policies and procedures updated and implemented? What types of security and compliance resources do they have? What is their reputation related to security? What types of vendor risk are critical to your organization? Have you performed a risk assessment? It’s critical to exercise due diligence when selecting vendors and even during the course of the relationship, especially when considering a renewal of a contract.
- Limited Management Involvement: A mistake that many organizations make is not including senior management in vendor compliance management. The FDIC’s Guidance for Managing Third-Party Risk explains that an organization’s senior management is responsible for managing the activities conducted through vendor relationships, and identifying and controlling the risks arising from such relationships, to the same extent as if the activity were handled within their own organization. Senior management’s involvement is critical to effective vendor risk management.
- Lack of Contract Review: Specific expectations and obligations of your organizations and your vendors must be outlined in a written contract prior to entering into the relationship. This contract should include the scope of the relationship, cost, performance standards, reporting guide, security standards, dispute resolution, and termination rights. Thorough contract development and review could prevent legal consequences for your organization, making it a major element of effective vendor risk management.
- No Risk Ranking System: Vendors should be ranked based on their access to confidential or sensitive information, criticality of the product/service they provide, and complexity of the product/service they provide. Types of vendor risk are also reputational, strategic, financial, operational, regulatory, privacy, environmental, and legal risks. If you’re not risk ranking your vendors, how do you know which bring critical risks to your environment?
- Monitoring Issues: A key component of effective vendor risk management is oversight and monitoring. The extent of oversight will depend on the types of vendor risk they present and the scope of the relationship, but your organization must have qualified staff allocated to monitoring vendor relationships. Monitoring your vendors’ performance, audit reports, compliance requirements, training effectiveness, quality of services, and risk management practices will assist your organization in evaluating the effectiveness of the relationship.
Vendor Management Across Disciplines
For many industries, validation of a vendor’s security practices is not optional. Consider the following guidance:
- The OCC Bulletin 2013-29 provides guidance to banks for assessing and managing vendor risk and third-party relationships, defining a third-party relationship as any business arrangement between a bank and another entity, by contract or otherwise.
- 23 NY CRR Section 500.11 describes the need for financial services companies to have security policies related to managing vendor risk, which should include identification and risk assessment of vendors, minimum cybersecurity practices to be met by vendors in order to do business with the covered entity, due diligence processes used to evaluate the adequacy of cybersecurity practices of vendors, periodic assessment of vendors based on the types of vendor risk they present and the continued competence of their cybersecurity practices.
- Under HIPAA, covered entities are generally required to enter into contracts with their business associates to ensure that the business associates will appropriately safeguard protected health information (PHI). Business associates must contractually agree to not use or disclose PHI other than as permitted or required by law, use appropriate safeguards, report breaches of unsecured PHI and any other security incidents to the covered entity, among other requirements.
- The PCI SSC says that when entities use vendors to store, process, or transmit cardholder data on the their behalf, vendors then impact the security of the cardholder data environment and the entity’s PCI compliance. That’s why contractual agreements and policies should be established between the entity and its vendors for all applicable security requirements. An effective vendor risk management program helps an entity ensure that the cardholder data entrusted to vendors is maintained in a secure and compliant manner.
- In the ACIPA’s SOC 2 Guide, it states that service organizations may implement policies, procedures, and controls for managing vendor risk. This could include how to assess risk that vendors bring, assigning responsibility and accountability for managing vendor risk, establishing communication and resolution protocols for issues with vendors, how to assess the performance of vendors, and how to terminate vendor relationships.
What vendor compliance obligations does your industry require of you? Interested in learning more about effective vendor risk management? Contact us today to hear how we can validate the security of your vendors’ services or demonstrate the security of your own.