Every organization, whether a startup or global enterprise, works with multiple vendors, using their software and relying on their systems – and yet, while these external vendors provide invaluable services, they also introduce significant risk to your company’s information security.
The issue is this: How do you know if your third-party business partners are meeting required contractual, security, and privacy obligations?
If you don’t have processes to assess these third parties’ risks, then your answer is most likely that you don’t know. That lack of visibility is a significant threat; you need to know the risks of these business relationships and how much you can trust them – because if they fail, your business may, too.
This post explains third-party risk and how to manage it adequately in your company.
What Is Third-Party Risk?
Third-party risk refers to the likelihood that your business might experience an adverse event (such as a data breach, a disruption in operations, or reputational damage) when you outsource particular services or use software made by third parties to carry out specified duties.
A third party is any independent business or individual that provides software, physical goods, supplies, or services. These third parties could be software providers, raw material and component suppliers, employment agencies, consultants, contractors, and many more. Depending on other parties to run your business can be risky, but in most cases, it’s also necessary.
What Are Common Types of Vendor Risks?
We can group third-party risks into six broad categories.
Cybersecurity Risk
This is the possibility of loss from a cyberattack, data breach, or other security event that arises from your third-party relationship. For example, the third party might be attacked while hosting your data, or attackers might compromise the third party first and then use its access to reach your IT systems. Due diligence and ongoing monitoring of vulnerabilities throughout the vendor lifecycle help reduce this risk.
Operational Risk
Operational risk is the chance that your third party fails to deliver promised goods or services, and that failure disrupts your operations – say, a cloud-service provider goes offline at a critical moment and brings your customer fulfillment operations to a halt. Legally binding service level agreements (SLAs) are typically used to handle this vendor risk. Depending on the vendor’s importance, you may also want a backup vendor to maintain business continuity.
Legal, Regulatory, and Compliance Risk
This is the possibility that a third party’s conduct will affect your company’s adherence to regional laws, rules, or regulatory requirements, such as the EU General Data Protection Regulation. This is especially crucial for enterprises in the financial services, healthcare, and government sectors and their commercial partners.
Reputational Risk
This is the danger of unfavorable public perceptions of your business brought on by a third party. Customer complaints, improper interactions, and subpar referrals are only the beginning. The most harmful events are third-party vendor data breaches caused by lax security measures, such as the well-publicized Target data breach in 2013 (which actually started when attackers compromised one of Target’s vendors that had access to the company’s payment systems).
Financial Risk
Financial risk is the chance that a third party will harm your organization’s ability to make money. For instance, a supplier might suddenly charge much more for promised materials, driving up your company’s costs.
Strategic Risk
Strategic risk is the possibility that a third-party provider prevents your company from achieving its goals. For example, a reseller in overseas markets might be acquired by one of your competitors, closing off your ability to sell goods in those markets until you find a new distribution channel.
It’s essential to keep in mind that these categories frequently overlap. For instance, if a company suffers a cybersecurity breach and customer data is stolen, this could also present operational, compliance, reputational, and financial risks, and ultimately strategic risk.
Why Is it Important to Mitigate Third-Party Risk?
In today’s digital business world, a company can outsource any number of its processes – but it cannot outsource the dangers involved in doing so. Organizations need to take an active, risk-based approach to managing third parties so that the risks arising from these relationships don’t derail their plans.
You can anticipate risk with a robust third-party risk management program, and improve business efficiency along the way. That said, every level of the organization must participate in a risk-based third-party management program, even though broad participation makes the process harder to coordinate. By managing costs, bolstering operations, and reducing the risks of outsourcing, effective third-party risk management maximizes the value of your third-party agreements.
Chipotle is a well-known example of shortcomings in third-party risk assessment. In 2015 public health officials found E. coli outbreaks connected to Chipotle restaurants in Massachusetts, Washington, Oregon, and other states, affecting hundreds of patrons and staff nationwide. Chipotle assured the public this would “never happen again.”
To rebuild its reputation as a reliable restaurant, Chipotle hired a new CEO. When many patrons of a Chipotle restaurant in Sterling, Virginia, complained in 2017 of symptoms resembling the extremely dangerous norovirus, the company again changed CEOs.
Alas, this had little effect on the spread of illness; a Los Angeles Chipotle restaurant reported sick staff and patrons later that year. According to a UBS Evidence Lab poll from 2018, 32 percent of people who had stopped dining at Chipotle said “nothing” would entice them to go there again.
The outbreaks started soon after the company introduced an innovation to use locally sourced ingredients in its recipes. Chipotle had revolutionized the sector with decentralized, locally sourced food, but failed to match its innovative business model with risk management best practices.
By using that decentralized procurement strategy, Chipotle had exposed itself to more than 1,000 possible sites of food contamination; a more typical centralized procurement system would have only a fraction of that. Chipotle failed to address the underlying cause of the problem, which led to repeated food safety disasters.
How to Conduct a Vendor Risk Assessment
To assess the risks of your third parties, you should have a disciplined vendor risk management process. That process typically includes the following steps.
Vendor List: Who Are Your Suppliers?
First, identify all of your suppliers. A third-party vendor is any person or organization that provides an item or service to your company but does not work there. These may include contractor employees, service providers, manufacturers and suppliers, and service firms. (In some situations, you may also include fourth-party suppliers – your vendors’ own vendors – in your vendor inventory.)
Vendor Evaluation Procedure
Second, develop a process to evaluate the risks that each third party might pose. Typically you can do this with a questionnaire sent to each prospective vendor before you decide to bring that party into your enterprise. Consider what goods or services the vendor will provide, how important those services will be to your operations, and the potential risks that the party might bring to your organization.
Prioritizing High-Risk Suppliers above Lower-Risk Vendors
Not all vendors pose the same risks. Some vendors deliver commodity items, while others supply specialized components. You may share sensitive customer data with some third parties, and nothing of consequence with others.
Prioritize vendors based on the risks they present to your organization, as identified in the due diligence and risk assessment processes discussed in the previous step. It’s essential to assess all vendors regularly, using the same standards for all, so that no potential issues are overlooked. For example, vendor questionnaires should be completed both at the time of onboarding and annually thereafter.
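As an added example (not code from this post or from Reciprocity), the inventory, questionnaire and prioritization steps above can be turned into a repeatable scoring pass that orders the review queue by exposure and flags vendors whose annual re-assessment is overdue. The questionnaire fields, weights, tier thresholds and sample vendors are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

# Added example: tier vendors from questionnaire answers and flag overdue
# re-assessments. Field names, weights and thresholds are assumptions.

@dataclass
class Vendor:
    name: str
    criticality: int               # 1 = commodity ... 3 = operations stop without it
    data_sensitivity: int          # 0 = no data shared ... 3 = regulated customer data
    system_access: bool            # vendor holds credentials into our environment
    last_assessed: Optional[date]  # None = never completed a questionnaire

REASSESS_DAYS = 365  # the post's cadence: at onboarding, then annually

def risk_score(v: Vendor) -> int:
    """Assumed weighting: criticality and data sensitivity count double; a
    foothold into our systems (how the Target attackers got in) adds a flat 3."""
    return 2 * v.criticality + 2 * v.data_sensitivity + (3 if v.system_access else 0)

def risk_tier(score: int) -> str:
    """Assumed thresholds over the 0..15 score range."""
    return "high" if score >= 10 else "medium" if score >= 5 else "low"

def reassessment_due(v: Vendor, today: date) -> bool:
    """True if never assessed or the last questionnaire is older than a year."""
    return v.last_assessed is None or (today - v.last_assessed).days > REASSESS_DAYS

def prioritize(vendors: List[Vendor], today: date) -> List[dict]:
    """Highest score first, so the review queue follows the exposure."""
    rows = [{"name": v.name, "score": risk_score(v), "tier": risk_tier(risk_score(v)),
             "reassessment_due": reassessment_due(v, today)} for v in vendors]
    return sorted(rows, key=lambda r: (-r["score"], r["name"]))

# Constructed sample inventory and a fixed "today" so results are reproducible.
TODAY = date(2024, 6, 1)
VENDORS = [
    Vendor("Payments processor", 3, 3, True, date(2023, 1, 10)),   # high, overdue
    Vendor("HVAC maintenance", 1, 0, True, date(2024, 3, 1)),      # medium: access only
    Vendor("Office supplies", 1, 0, False, None),                  # low, never assessed
    Vendor("Cloud hosting", 3, 2, True, date(2023, 12, 15)),       # high, current
]

if __name__ == "__main__":
    for r in prioritize(VENDORS, TODAY):
        print(f'{r["name"]:20} score={r["score"]:2} tier={r["tier"]:6} '
              f'{"REASSESS" if r["reassessment_due"] else "ok"}')
```

Note that the low-criticality HVAC vendor still lands in the medium tier purely because of its system access, which is the pattern the Target example in this post illustrates.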
How to Minimize Third-Party Risk
Even though most businesses agree that screening third parties is essential before entering a commercial relationship, 60 percent also aren’t properly prioritizing third-party risk. Several steps can help an organization do better.
Seek References
Seek references while evaluating the security commitment of your vendors. Contact other firms that have used their services and ask how well the vendors perform on security. Ask questions specific to the type of engagement you’re planning with each vendor.
Apply Internal Standards to Third Parties
After you’ve chosen a vendor, develop a service level agreement (SLA) that defines the vendor’s commitments for security policies, performance expectations, and service or product deliverables.
Don’t rely only on the vendor’s default procedures. Consider the needs of your organization, your industry, and your customers. Your best bet for guaranteeing that data is safeguarded is holding the vendor to the same regulatory and compliance standards that you need to meet.
Regularly Check Third Parties’ Cybersecurity Protocols
Circumstances change all the time, especially in the fast-moving world of cybersecurity. Hence it’s critical to review the cybersecurity policies of your third parties regularly. Continuous monitoring and periodic audits ensure accountability and keep vendors on their toes.
Automate Third-Party Risk Management with Reciprocity ZenRisk
Enter Reciprocity ZenRisk. With ZenRisk, your organization can streamline processes, automate workflows, and protect your information environment. Insightful reporting and dashboards provide real-time visibility into your current risk landscape, enabling data-backed decisions.
Managing third-party risk is critical, no matter the industry you operate in or the size of your company. With vendor management software that scales as your business grows, you can automatically assess risks, identify potential threats, and take action before it’s too late.
Schedule a demo for more information!