Whether you’re adding a point-of-sales system or incorporating cloud service providers into your business operations, you’re continually adding new vendors to your data ecosystem. Cisco’s Global Cloud Index Forecast suggests that by 2021, 95% of all data center traffic will come from the cloud, 85.1 million cloud Infrastructure-as-a-Service workloads will exist, 402.2 million cloud SaaS workloads will exist, and 46.4 million cloud Platform-as-a-Service (PaaS) workloads will exist. In other words, vendor risk management (VRM) will drive cybersecurity and business success.
Effective Vendor Risk Management
How do I analyze potential third-party risks?
The first word everyone thinks of when third-party vendor due diligence pops up in conversation is “risk assessment.” However, an assessment of risk no longer qualifies as appropriate due diligence.
A risk assessment means you look at your critical infrastructures and list risks. However, assessing the existence of a risk is fundamentally different than analyzing the risk’s potential negative impact.
Analyzing risk requires you to look at the types of information the third-party vendor handles and then review the potential financial, reputational, and legal impact of a data breach.
For example, if your vendor is going to access personally identifiable information or protected health information, then a data breach would impact you substantially. If the vendor only accesses publicly available information, a data breach would have far less of an impact.
Are there regulatory compliance risk management requirements?
Regulations increasingly focus on vendor risk management, imposing fines or penalties arising out of vendor data breaches. For example, the 2017 New York Department of Financial Services regulation 23 NYCRR 500, devotes an entire section to third-party service providers’ security. The General Data Protection Regulation (GDPR) refers to data processors, which means vendors.
Both of these, as well as many other regulations, levy fines and penalties over companies who do not maintain adequate vendor management processes.
Can I effectively manage third-party risk?
As you increase the number of vendors who enable business performance, it’s normal to wonder whether you can create an effective risk management program.
While companies don’t add vendors without thinking about the risks, not all vendor risks are apparent. For example, your vendors use third-party IT suppliers as well. You may be able to assess the risk of your own contracted business partners, but tracking their vendors may be impossible. When looking holistically at your supply chain, the information security risks increase exponentially, almost to the point of impossibility.
Thus, the tracking and oversight taxes physical and personnel resources. While you may be able to manage some risks effectively, you may find that your risk management needs outpace your current system.
5 Steps in the Vendor Management Lifecycle
Assess Risk
Assessing risk is the first step to almost any compliance objective. While it sounds simple, it is often complicated. You may have all your systems, networks, and devices cataloged, but you may not know all the vendors who connect to them.
If you’re using a cloud service provider, you’re likely connecting your systems and networks to it. Any applications that connect your systems and networks to the cloud so they can share data need to have the appropriate controls.
The difficulty in assessing risk lies in peeling back the onion skin of vendors and associated applications.
Incorporate Security into Contracts
If you determine that a vendor’s security stance aligns to your own, you need to include cybersecurity within the Service Level Agreement (SLA).
Contracts act as a binding agreement between businesses and can also help you define liability. Under most regulatory requirements, you are legally required to cover the costs of any data breach that impacts your customers. Therefore, you need to make sure that your vendor understands their liability if they cause the data breach.
Moreover, SLAs should also document when a vendor’s cybersecurity stance is a cause for contract termination. Malicious actors continually evolve their attack methods. Therefore, if a vendor regularly ignores security alerts, you may be at risk. Defining cybersecurity activities that lead to contract termination can help you secure your data.
Monitor Continuously
Cybersecurity professionals believe that you should always “trust but verify.” You can incorporate vendor responsibilities into your contract and approve vendor policies and controls. However, companies don’t always adhere to their internal control decisions.
You retain the burden of monitoring not only your data environment but that of your vendors. Their risk is your risk. Therefore, if you see something wrong with your vendors, you need to say something. If they don’t remediate the problem, you need your backup plan.
Plan an Incident Response
Vendors often enable critical business processes. Whether it’s a payment system vendor or a database SaaS platform, a vendor cybersecurity incident can lead to business disruption.
Part of effectively managing third-party risk lies in ensuring that you have an incident response program that can help you rapidly return to regular business operations.
Another part of your incident response plan should be customer notification. Even though the breach isn’t your fault, you still need to tell your customers it occurred.
Communicate Internally
Whether you’re aligning to regulations or industry standards, you need to effectively communicate risk with senior management and your Board of Directors.
The “governance” in “risk, compliance, and governance” focuses on oversight. Your senior management team and Board can’t effectively oversee your vendor risk management program if you don’t tell them the risks and ways you chose to mitigate them.
ZenGRC Enables Vendor Risk Management
Vendor risk management drives business success. Your customers need to know they can trust you, but they also need to know that you can document and verify their trust.
With ZenGRC, you can create workflows that help manage vendor risk tracking and reporting. ZenGRC’s workflow tagging and task prioritization capabilities make tracking requests and managing responses more efficient.
Vendor risk management requires paperwork. With ZenGRC provides a centralized dashboard, you can view KPIs that offer you a single source of information over your vendor risk management program’s effectiveness.
For more information on how vendor risk management can increase business success, download “Driving Your Business Forward Through Effective Vendor Risk Management.”