Vendor Risk Management-Dealing with High-Risk Incidents

Over the last two years, the number of cybersecurity incidents involving vendors has increased dramatically. Although organizations have strengthened their vendor assessment programs, improvements are still required. While it is important to manage incidents related to products, services, and tools offered by vendors, organizations should also consider the possibility of risk incidents happening at the vendor’s end, especially when they deal with customer data or confidential information. Many organizations still do not have visibility beyond their tier 1 vendors, and also believe that their vendors will not notify them of any incidents, if and when these incidents do occur.

Many organizations struggle with vendor risk incidents because they don’t have the right tone at the top, or they lack a robust vendor risk management strategy, as well as processes, risks, and controls. Some of the leading causes for high vendor risk exposure or incidents are:

MetricStream Research’s recent survey on the state of vendor risk management revealed some interesting insights on how organizations think about incidents involving vendors, the associated risk posture, loss impact, and measures adopted to prevent future incidents. The survey was conducted across 85 respondents from 40+ organizations and 15 industries.

According to the survey, one out of five organizations reported risk exposure due to a vendor (Fig 3). Most of them reported a medium or high risk (Fig 4) with a loss impact of more than $1 million (Fig 5).

Organizations adopt different strategies for vendor risk management depending on their industry, vendor base, maturity, and the number of FTEs and contractors in the internal team. Here are the most common and important measures taken immediately after identifying vendor risk exposure. These measures help prevent future risk incidents

Managing vendor risk is not merely a contractual obligation or compliance need, but a strategic risk for organizations as it impacts their margins and brand reputation. Across industries, organizations have adopted multiple approaches to vendor risk management, such as improving the transparency of their vendor ecosystem, increasing visibility into their vendors’ risk posture, mapping vendors to fourth parties, standardizing the onboarding process across the enterprise, conducting continuous monitoring and assessments, and collaborating with vendors to manage the associated risk. Most organizations view their vendors as strategic partners and are more interested in collaborating with them to mitigate risks and implement corrective actions, than terminating the relationship.