With cyber criminals increasingly targeting third-party vendors to gain backdoor access to data at large, well-protected global organizations, security professionals need to rethink their vendor risk management practices. While performing questionnaire-based vendor risk assessments is a popular practice, this method is no longer sufficient to identify emerging risks associated with third parties. Regulatory changes and an evolving threat landscape are driving the need for a new approach, called enterprise-wide vendor risk management (eVRM).
Data breaches at Target and Home Depot have proven that systems and process failures by third parties can have catastrophic reputational and operational consequences for an organization. As a result, it is no longer sufficient to simply implement procedures for managing vendors and the risk they expose the organization to. We also need to safeguard against third-party related control failures.
On paper this sounds straightforward. Until, that is, we tally the number of vendors an organization uses to run its business. Even midsized companies easily exceed one hundred third-party vendors, including technology vendors and providers of electricity, hosting, facilities, payment, and collection services. In response, most organizations focus on only a small subset of their vendors, typically selected by contract size.
Supply chain threats are creating increased operational, compliance, reputation, strategic, and credit risks in third-party relationships. These risks are compounded by the growing volume, diversity, and complexity of outsourcing arrangements. Recognizing this, regulators and standards bodies (e.g., MAS, OCC, BaFin, FCA, FedRAMP, BITS, NERC, NEI, ISO, PCI Security Council, AICPA, and Cloud Security Alliance) are enforcing stricter guidelines for managing third-party suppliers. For example, some require regular risk assessments of all suppliers and, where possible, even of the suppliers' own suppliers.
The threat of data breaches, public scrutiny, and regulatory fines has put vendor risk management in the spotlight. Without proper oversight, and a framework to systematically capture, assess, and mitigate third-party supplier risks, an organization can be exposed.
In the past, organizations often applied lower risk assessment standards to the onboarding of new vendors than those imposed on consumers applying for a home lease, mortgage, or job. A simple W-9 form was all that was needed to set up a vendor relationship. Assessing the risk associated with the partnership was handled as an afterthought. Sometimes years passed before a survey was sent to the third party to check whether it would abide by the expected security controls.
To address this emerging problem, organizations should operationalize and extend their traditional vendor risk management processes by taking the following four steps:
1. Create the Organizational Foundation
A fundamental success factor is to clearly define roles and responsibilities: who is accountable for managing each outsourcing relationship. Following best practices, business units or divisions should be accountable for all vendor risk associated with the services they procure or manage. However, to ensure standardization, they should be supported by a centrally operated services organization that is responsible for maintaining policies, storing data, generating management information, and driving global adoption. More and more organizations are establishing so-called Vendor Management Offices (VMOs) to facilitate the process. In this scenario, the business owns risk identification and mitigation, whereas the VMO provides the necessary logistical support and metrics.
2. Emphasize End-to-End Process
As mentioned earlier, organizations often separate vendor onboarding from the vendor control assessment process. This is unique to the B2B environment and is driven by the immense number of vendors that a typical organization does business with. Following traditional methods, it would simply take too long to conduct risk assessments as part of the onboarding process, which would paralyze business operations and efficiency. However, as the most recent third-party originated data breaches have shown, organizations need to put special emphasis on an end-to-end process, ensuring that vendors are already assessed as part of onboarding.
This preliminary risk assessment should evaluate continuity risks, information security risks, service risks, and regulatory risks, and trigger a deeper analysis if the initial findings raise red flags. Should a vendor require further analysis, a more detailed review of its financial stability, integrity, capabilities, and security controls should be conducted. Once the vendor has been onboarded, organizations should conduct frequent vendor control assessments to ensure compliance with the expected standards and guidelines. The scope and depth of the risk assessment can vary with the compliance level the vendor presents to the organization.
3. Classify by Vendor Service, Not Vendor
Instead of assessing risks associated with individual vendors, a better approach is to classify by vendor service, with dynamic workflows tied to the appropriate business stakeholders. This is necessary because a vendor might provide several services to an organization, each posing different risks. Obviously, this approach multiplies the number of engagements that need to be monitored and assessed. However, it provides the granularity needed to mitigate the risk of third-party originated attacks.
4. Augment Survey-Based Approaches
Organizations should also augment their traditional survey-based approach to vendor risk management by taking real-time data (e.g., from ERP systems, contracts, and legal entity systems) into account. For instance, if multiple IP infringement judgments have been reported against a vendor, the likelihood that the organization's own IP might be compromised in the future is very high. Such data adds a more objective element to the overall risk assessment process, since survey results rely solely on the honesty of the respondent.
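The following is an added illustration, not code from the article, of how steps 2 through 4 fit together: each vendor service is scored separately across the four risk domains named above, a red flag in any domain triggers a detailed review, and objective data signals adjust the self-reported survey scores. The 1-to-5 scale, the red-flag threshold, the signal-to-domain rules, and the sample vendor data are all constructed assumptions.

```python
from dataclasses import dataclass, field

RISK_DOMAINS = ("continuity", "information_security", "service", "regulatory")
RED_FLAG = 4  # assumed: survey scores run 1 (low) to 5 (high); >= 4 is a red flag

# Assumed mapping of objective data signals (counts pulled from ERP, legal or
# contract systems) to the risk domain they raise and the increment per occurrence.
SIGNAL_RULES = {
    "ip_infringement_judgments": ("information_security", 1),
    "late_payments_90d": ("continuity", 1),
    "regulatory_fines": ("regulatory", 2),
}

@dataclass
class Engagement:
    vendor: str
    service: str
    owner: str                                   # accountable business unit
    survey: dict                                 # self-reported score per risk domain
    signals: dict = field(default_factory=dict)  # objective signal counts

def score_engagement(eng):
    """Combine survey answers with objective signals for ONE vendor service.
    Returns per-domain scores, a tier, and whether a detailed review is required."""
    scores = {d: eng.survey.get(d, 1) for d in RISK_DOMAINS}
    for signal, count in eng.signals.items():
        if signal in SIGNAL_RULES and count > 0:
            domain, step = SIGNAL_RULES[signal]
            scores[domain] = min(5, scores[domain] + step * count)  # cap at 5
    red_flags = [d for d, s in scores.items() if s >= RED_FLAG]
    tier = "high" if red_flags else ("medium" if max(scores.values()) == 3 else "low")
    return {"vendor": eng.vendor, "service": eng.service, "owner": eng.owner,
            "scores": scores, "red_flags": red_flags, "tier": tier,
            "detailed_review": bool(red_flags)}

def assess_portfolio(engagements):
    """Assess every vendor service on its own, keyed by (vendor, service)."""
    return {(e.vendor, e.service): score_engagement(e) for e in engagements}

# Constructed sample: one vendor delivering two services. The survey answers are
# similar, but legal data reports two IP judgments against the payment engagement.
SAMPLE = [
    Engagement("Acme Hosting", "web hosting", "IT",
               {"continuity": 2, "information_security": 3, "service": 2, "regulatory": 1}),
    Engagement("Acme Hosting", "payment processing", "Finance",
               {"continuity": 2, "information_security": 3, "service": 2, "regulatory": 3},
               signals={"ip_infringement_judgments": 2}),
]

if __name__ == "__main__":
    for key, r in assess_portfolio(SAMPLE).items():
        print(key, r["tier"], "detailed review:", r["detailed_review"], r["scores"])
```

Run as-is, the two services of the same vendor land in different tiers, which is the reason the article argues for classifying by service rather than by vendor.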
Following the steps outlined above will help reduce the risk of third-party originated compromises. New eVRM tools can assist in dealing with the challenges of scale, workflow management, data connectivity, and time efficiency.