A high-risk vendor is a third-party vendor that has access to a company’s sensitive corporate information and/or handles its financial transactions, and whose compromise therefore carries a high risk of information loss. A high-risk vendor is also any vendor that an organization depends on to run its operations.

Companies have worked with third-party vendors for years. What has changed is the frequency and scale of third-party vendor use, and the regulatory focus on how companies manage third-party vendors to address the risks inherent in those relationships.

Typically, organizations have addressed third-party risk in a siloed manner, with each team looking only at the specific risks it owns. For example, financial institutions might focus on securing data and on the risks of sharing data with third-party vendors, while organizations in the consumer products industry might focus on the risks involved in ensuring the safety and quality of their products.

However, to better manage third-party risk, a company needs to understand third-party risk holistically and manage it throughout the enterprise by implementing a robust third-party risk management strategy.

Organizations generally categorize their third-party vendors as high risk, medium risk, or low risk. Third-party vendors that handle the most business-critical operations or the most sensitive data will likely be rated medium- or high-risk vendors. Third-party vendors that don’t interact with critical systems, networks, or data will be rated low-risk vendors.

To identify and start managing its high-risk vendors, an organization should first conduct a third-party vendor inventory. It should then remove from further review the low-risk third-party vendors that have no access to its data or financial transactions, such as vendors that supply food or office equipment and supplies.

Although a company should inventory its low-risk vendors, it typically doesn’t have to take any further action, since these third-party vendors would have minimal impact on the organization in the event of a data breach. However, the company must keep them on its vendor inventory list to show that it has performed its due diligence.

A company can mitigate the cybersecurity risks posed by third-party vendors by implementing a vendor risk management program and conducting a vendor risk assessment that prioritizes vendors according to the risk they pose to the business. Doing so also helps the organization prevent, rather than merely react to, those third-party risks.

After a company has engaged a third-party vendor, it should continue to update its risk data as the relationship evolves, to ensure the vendor doesn’t become lax and put corporate data at risk.

How often an organization conducts post-contract reviews of its third-party vendors depends on their risk levels. For example, a company should review low-risk vendors annually/bi-annually, medium-risk vendors semi-annually/annually, and high-risk vendors quarterly/semi-annually.

An organization should mandate that its high-risk vendors provide evidence of:

  • Security controls, via contract and documentation. This evidence could include business continuity programs, information security policies, disaster recovery test results, a list of recent breaches, financial statements, and proof of insurance.
  • The effectiveness of their security controls. This may include SOC 1/SOC 2 reports, a synopsis of vulnerability scanning and/or independent penetration testing, compliance reports, etc.
  • Their ability to continue providing contracted services in the event of a disaster.
  • A strong incident management program, along with evidence that they will report cybersecurity incidents as required by law, regulations, and best practices.

Best Practices to Mitigate Vendor Risk Within Your Supply Chain