
A high-risk vendor is a third-party vendor that has access to a company’s sensitive corporate information and/or handles its financial transactions and has a high risk of information loss. A high-risk vendor is also a vendor that an organization depends on to run its operations.
Companies have been working with third-party vendors for years. But what has changed is the frequency and scale of the use of third-party vendors and the regulatory focus on how companies are managing third-party vendors to address their inherent risks.
Typically, organizations have addressed third-party risk in a siloed manner, with people only looking at specific risks. For example, financial institutions might focus on issues around securing data and the risks of sharing data with third-party vendors. Organizations in the consumer products industry might focus on the risks involved with ensuring the safety and quality of their products.
However, to better manage third-party risk, a company needs to understand third-party risk holistically and manage it throughout the enterprise by implementing a robust third-party risk management strategy.
Organizations generally categorize their third-party vendors as high risk, medium risk, or low risk. The third-party vendors that deal with the most business-critical operations or the most sensitive data will likely be rated as medium- or high-risk vendors. The third-party vendors that don’t interact with critical systems, networks, and data will be rated as low-risk vendors.
To identify and start managing its high-risk vendors, an organization should first conduct a third-party vendor inventory. Then the company should exclude from further review the low-risk third-party vendors that don’t have any access to its data or financial transactions, such as vendors who supply food or office equipment and supplies.
Although a company should inventory its low-risk vendors, it typically doesn’t have to take any other action since these are third-party vendors that have minimal impact on an organization in the event of a data breach. However, a company must track them on its vendor inventory list to show it has performed its due diligence.
A company can mitigate cybersecurity risks posed by third-party vendors by implementing a vendor risk management program and conducting a vendor risk assessment to prioritize vendors based on the risks they might pose to the business. Prioritizing in this way lets the organization focus its prevention and mitigation effort on the vendors that pose the greatest risk.
After a company has engaged a third-party vendor, it should continue to update its data as the relationship with that third-party vendor evolves to ensure the third-party vendor doesn’t become lax and put corporate data at risk.
How often an organization conducts post-contract reviews with its third-party vendors depends on their risk levels. For example, a company should review low-risk vendors annually/bi-annually, medium-risk vendors semi-annually/annually, and high-risk vendors quarterly/semi-annually.
An organization should mandate that its high-risk vendors provide evidence of:
- Security controls via contract and documentation. This evidence could include business continuity programs, information security policies, disaster recovery test results, a list of recent breaches, financial statements, and proof of insurance.
- The effectiveness of their security controls. This may include SOC 1/SOC 2 reports, a synopsis of vulnerability scanning and/or independent penetration testing, compliance reports, etc.
- Their ability to continue to provide contracted services in the event of a disaster.
- A strong incident management program as well as evidence that they will report cybersecurity incidents as required by law, regulations, and best practices.
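The tiering, review cadence, and high-risk evidence requirements described above, worked as a small vendor-inventory triage in Python. This is an added example, not code from the original article; the field names, evidence labels, the choice of the shorter review interval for each tier, and the sample vendors are all assumptions.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

# Assumed review cadence per tier: the shorter of the two intervals the article
# gives (high quarterly, medium semi-annually, low annually).
REVIEW_INTERVAL_DAYS = {"high": 91, "medium": 182, "low": 365}

# Evidence the article requires from high-risk vendors; the labels are assumed. They cover documented
# controls, control effectiveness (SOC 1/SOC 2, scans, pen tests), continuity of service, and incident management.
HIGH_RISK_EVIDENCE = {"security_controls", "control_effectiveness", "service_continuity", "incident_management"}

@dataclass
class Vendor:
    name: str
    sensitive_data: bool = False            # access to sensitive corporate information
    financial_transactions: bool = False    # handles the company's financial transactions
    operationally_critical: bool = False    # the business depends on it to run operations
    touches_critical_systems: bool = False  # any access to critical systems, networks or data
    last_review: date = date(2000, 1, 1)
    evidence: set = field(default_factory=set)

def tier(v: Vendor) -> str:
    # Article's tiering: high on data/financial access or operational dependency,
    # low when the vendor touches no critical systems or data, medium otherwise.
    if v.sensitive_data or v.financial_transactions or v.operationally_critical:
        return "high"
    return "medium" if v.touches_critical_systems else "low"

def triage(vendors: list, today: date) -> dict:
    # Per vendor: tier, whether the post-contract review is overdue for that tier,
    # and which required evidence a high-risk vendor has not yet supplied.
    report = {}
    for v in vendors:
        t = tier(v)
        due = v.last_review + timedelta(days=REVIEW_INTERVAL_DAYS[t])
        missing = sorted(HIGH_RISK_EVIDENCE - v.evidence) if t == "high" else []
        report[v.name] = {"tier": t, "review_overdue": today > due, "missing_evidence": missing}
    return report

# Constructed sample inventory (not real vendors).
SAMPLE = [
    Vendor("payroll-saas", financial_transactions=True, touches_critical_systems=True,
           last_review=date(2024, 1, 15), evidence={"security_controls", "control_effectiveness"}),
    Vendor("helpdesk-tool", touches_critical_systems=True, last_review=date(2024, 3, 1)),
    Vendor("coffee-supplier", last_review=date(2024, 1, 1)),
]

def demo_report() -> dict:
    # Run the triage against the sample inventory with an assumed review date of 2024-06-01.
    return triage(SAMPLE, date(2024, 6, 1))
```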