Delve into strategies to design and implement a strong IT vendor risk management program – one that has clear processes, policies, and tools in place to govern vendor selection, contracts, risk assessments, due diligence, monitoring, and risk mitigation.
Over the course of their digital journeys, organizations have become dependent on a range of IT vendors, be it cloud service providers, data analysts, or payment processors. While this form of outsourcing has helped reduce costs, it has also introduced a number of vendor governance and risk management challenges.
The threat of data breaches stemming from vendor vulnerabilities, as well as the risk of regulatory fines for vendor non-compliance, has compelled organizations to take better control of their vendor base. However, since multiple departments often manage vendor relationships, it can be difficult to gain a comprehensive and consistent view of vendor risks.
Over the last few years, these risks have resulted in multiple security incidents. In mid-2017, Italy’s UniCredit Bank suffered a data breach that affected 400,000 customers and was allegedly caused by an unnamed third-party provider. A few months later, credit reporting agency Equifax, which was just recovering from a massive cyberattack, found that one of its third-party vendors had been running malicious code on the company’s web page.
In the light of these and other incidents, organizations have become much more vigilant about the risks posed by their IT vendors. A recent MetricStream Research survey on IT risk management found that the top two factors that are driving IT risk management programs in organizations are the outsourcing of IT services, and the integration with third-party systems. Another MetricStream Research survey on third-party risk management found that for 67% of organizations, the most important risk parameter when evaluating third parties is data protection or privacy.
Clearly, efforts are being made to keep vendor risks in check. However, challenges remain. A Ponemon Institute survey report, sponsored by BuckleySandler and Treliant Risk Advisors, revealed that 37% of respondents didn’t believe that their primary third-party vendor would notify them of a data breach involving sensitive and confidential information. Worse, if the vendor was further down the chain (a fourth-party or nth party vendor), 73% of respondents didn’t believe that they would be notified of a data breach.
Addressing these challenges calls for a strong IT vendor risk management program – one that has clear processes, policies, and tools in place to govern vendor selection, as well as vendor policies, contracts, risk assessments, due diligence, monitoring, and risk mitigation.
To optimize the value of their IT vendor relationships, organizations would do well to implement robust vendor risk management processes. Here are a few key steps to consider:
Since the same vendors are often managed by multiple organizational departments such as Sourcing, IT, and Finance, all of these departments need to have a common nomenclature while onboarding, assessing, monitoring, and off-boarding vendors. Consistency in nomenclature makes it easier to track, search, assess, and rate various vendors. Having a centralized repository of vendor information is also essential, as it forms the backbone of a strong IT vendor risk management program. A repository provides a comprehensive knowledge base of all vendors and the associated assets, business units, services, and products to help organizations identify and understand their vendor risks clearly.
With regulatory bodies pushing for better vendor risk oversight, organizations need to be able to manage vendor documents effectively and produce them when a non-compliance or security incident occurs. Vendor contracts also need to be more comprehensive. Earlier contracts could get away with generic statements such as “Reasonable security measures should be used,” without specifying what constitutes “reasonable” effort. Today, however, contracts need well-defined, crisp clauses that help vendors understand exactly what is expected of them, while also safeguarding the organization’s own security and reputation. Privacy and security requirements need to be expressed explicitly, alongside the general clauses on quality, cost, and delivery.
Since risk incidents such as security or privacy breaches can be caused by a failure at the vendor’s end, organizations must understand these risks right at the start of their vendor relationships. By segregating critical and non-critical vendors, organizations can determine which ones require the most attention. The key is to understand which vendors have a direct impact on the organization’s margins and profitability. For example, a vendor with access to personally identifiable information (PII) might be categorized as a critical vendor, because a data breach at their end would significantly impact the organization. Categorizing vendors this way makes it easier to define and plan vendor risk management and control activities.
Vendor risks need to be evaluated during onboarding, as well as continuously thereafter. While there are multiple methods to evaluate vendors, the ones used most often are self-assessments, risk assessments, and audits. Some organizations enable continuous vendor risk assessment by integrating with external content providers that offer vendor grades, ratings, and rankings based on parameters such as security, unsolicited communication, potentially exploited, botnet infections, malware servers, spam propagation, file sharing, and data breaches. Whatever method is chosen to evaluate a vendor, it should be defined based on the risk category associated with that vendor. A risk-based approach helps ensure that appropriate time, effort, and costs are allocated to each vendor risk basket.
Every risk that is identified requires appropriate mitigation actions. The type of mitigation would depend on the impact of the vendor risk, as well as the risk appetite of the organization. Strategic and critical vendors usually have the most impact on the business, and therefore need more proactive monitoring to prevent disruptions. With these vendors, business continuity plans also need to be clearly defined to deal with risk incidents.
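As an added illustration (not from the article and not MetricStream’s product), the steps above as a small Python model: a shared vendor nomenclature feeding a central repository, critical/non-critical segregation, a risk-based assessment plan, and a rating-drop trigger for out-of-cycle review. The category names, rating scale, thresholds, intervals and vendor records are all assumed and constructed.

```python
import re
from dataclasses import dataclass

@dataclass
class Vendor:                  # one department's record of a vendor relationship
    name: str
    department: str
    services: set
    handles_pii: bool          # access to personally identifiable information
    business_critical: bool    # direct impact on margins and profitability
    external_rating: int       # 0-100 security score from an external feed (assumed scale)

# Risk-based plan per category: evaluation method and reassessment interval in days (assumed values).
PLAN = {"critical": ("audit", 90), "high": ("risk assessment", 180), "low": ("self-assessment", 365)}

def normalize_name(name: str) -> str:
    """Common nomenclature: one key per vendor, whichever department entered it."""
    tokens = re.sub(r"[^\w\s]", "", name.lower()).split()
    return " ".join(t for t in tokens if t not in {"inc", "ltd", "llc", "corp", "corporation"})

def build_repository(records):
    """Centralized repository: merge per-department records into one entry per vendor."""
    repo = {}
    for r in records:
        e = repo.setdefault(normalize_name(r.name), {"departments": set(), "services": set(),
                            "handles_pii": False, "business_critical": False, "external_rating": 100})
        e["departments"].add(r.department)
        e["services"] |= r.services
        e["handles_pii"] |= r.handles_pii            # PII access in any record marks the vendor
        e["business_critical"] |= r.business_critical
        e["external_rating"] = min(e["external_rating"], r.external_rating)
    return repo

def classify(entry) -> str:
    """Segregate vendors: PII access or business criticality makes a vendor critical."""
    if entry["handles_pii"] or entry["business_critical"]:
        return "critical"
    return "high" if entry["external_rating"] < 70 else "low"

def needs_review(previous_rating: int, current_rating: int, drop: int = 15) -> bool:
    """Continuous monitoring: a rating drop of `drop` points or more triggers an out-of-cycle review."""
    return previous_rating - current_rating >= drop

# Constructed sample: the same payment processor entered by two departments under different spellings.
SAMPLE = [
    Vendor("Acme Payments, Inc.", "Finance", {"card processing"}, True, True, 82),
    Vendor("ACME PAYMENTS", "IT", {"api gateway"}, False, False, 82),
    Vendor("Blue Analytics Ltd", "Sourcing", {"usage analytics"}, False, False, 64),
]
```

Merging on the normalized key is what lets the Finance record’s PII flag govern the assessment plan for the relationship IT also manages.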
The MetricStream Third-Party Management App enables organizations to effectively manage IT vendor risks and compliance: