Organisations rely on third party vendors to complete their supply chain ecosystem as a means of cutting cost and saving time. Why reinvent the wheel when a wheel manufacturer can just sell you one? Another attractive prospect of utilising third party vendors is the perception of outsourcing the risk. With fewer operations performed in-house and guarantees that exceed that of in-house capabilities, we are led to believe that we are reducing our own risk exposure.
Unfortunately, this is not entirely true…
The extensive reliance on information technology to deliver services or products is undoubtedly a source of increased risk. Now take that IT infrastructure, place it in the hands of a third or fourth party, and grant them access to the organisation's private internal network. Without adequate assurance and sound due diligence, organisations are exposed to a wide range of risks, the most common being a significant data breach originating from a third party. With over 50% of data breaches attributed to third party vendor relationships, and the cost of remediating a breach increasing by as much as $370,000 when a third party is involved, organisations should be taking greater care to define and review their expectations of third party vendors. (Ponemon Institute study, 2019)
Now that we are aware of the potential outcomes of inadequately assessing third party vendor risks, how can they be avoided?
These are the top five areas to focus on to manage third party vendors and mitigate risk:
1. Old fashioned due diligence
Due diligence should be the bare minimum when selecting a vendor. Any third party vendor should align with the expectations of the organisation's executive leadership team, all the more so if they will be handling confidential, personal or strategic data. Be aware that the criteria for due diligence change over time: what was considered full compliance when the vendor was onboarded may only count as partial compliance today. This highlights the need to re-evaluate existing vendors to ensure they still meet the organisation's expectations. Conduct a formal risk assessment covering delivery risks, financial risks, compliance risks and legal risks. Favour vendors who give you transparency into their operations and allow you to audit their processes.
2. Open communication
Establishing an open communication channel with third party vendors not only builds the relationship and can deliver cost benefits, it also keeps the organisation informed of changes to the vendor's environment, their future plans and even the issues they are currently experiencing. It is worthwhile subscribing to a vendor's newsletters, as they often include a product road map with quarterly milestone projections. This makes it possible to anticipate future risk and prepare workarounds in advance.
3. Regular review
Re-evaluating existing vendors is not only a way of tracking changes in a vendor's compliance; it should be performed annually so that the organisation can benchmark vendors against each other and compare each vendor's current performance against its own past performance. Through security questionnaires, cyber security ratings (CSR) and the acquisition of compliance reports (e.g. SOC 1, SOC 2, ISO 27001), an organisation can identify its lowest-risk vendors and entrust sensitive or critical data only to those. At the very least, the review gives vendors concrete feedback for improvement. Select vendors who run a continuous improvement program and are responsive to your feedback.
4. Vendor comparison
While long-term vendor relationships can have immeasurable benefits, complacency can get the better of us. The market is always full of competitors trying to establish their brand, and as such there may well be a vendor that can match pricing while demonstrating greater risk maturity. Don't be afraid to let a vendor go if the cost of a security incident would outweigh the savings on the service or product. The probability may be low and an incident may never occur, but it only needs to happen once. According to the U.S. National Cyber Security Alliance, 60% of small organisations never recover from a cyber incident.
5. Planning for vendor contingencies
Many organisations have a business continuity management (BCM) framework in place that addresses all critical internal business functions. Unfortunately, many BCM frameworks fail to adequately analyse the functions performed by third party vendors and the criticality of their services or products. The resulting lack of workarounds for third party failures puts the organisation at serious risk of prolonging a disaster, or worse. To keep the process simple, third party vendor assessment can be added to the next annual BCM review so that a tested recovery strategy exists before an incident occurs. Good practice is to have at least one alternative vendor identified, where possible, for use if the primary vendor fails.
The future of third party assessment
As Software as a Service (SaaS) systems have spread into every industry imaginable, it is worth asking what SaaS systems can offer organisations trying to simplify the task of adequately assessing third party vendors and their associated risks. Governance, risk and compliance (GRC) applications have been around for some time, allowing comprehensive management of risks, and some include dedicated third party vendor management modules. In the last couple of years in particular, systems have appeared that manage online questionnaires, provide Cyber Security Ratings (CSR) and much more. Used in conjunction with a well-founded BCM framework, these systems make it possible to challenge vendors from multiple angles and to think well beyond the continuity of internal functions alone.
How we can help
InConsult is committed to helping organisations become more resilient to third party vendor risks. We have extensive experience in risk management, cyber security, crisis management, business continuity, third party risk assessment, emergency management, disaster management and pandemic planning.
If you would like to know more about our third party assessment services or would like to see how you or your vendors score on the Cyber Security Rating scale, contact us to discuss your needs.