In virtually every industry, organizations work with third parties such as suppliers and vendors, to improve operational efficiency, save money, and achieve greater flexibility, scalability, and agility for their own organizational growth.

Those benefits, however, also create cybersecurity risks that need attention. Since third-party vendors (and even fourth-party vendors!) often have access to your organization’s critical systems and data, cybersecurity must be monitored continuously to limit potential cyber attacks and data breaches.

To keep such risks in check, a vendor risk management (VRM) program, with a formal vendor risk management policy, is essential.

Vendor risk management encompasses risks from your third parties, as well as from your vendors’ vendors — that is, your fourth parties. A vendor risk management policy is the first step in developing your vendor risk management program and is essential to the program’s success. It is also a critical component of your overall cybersecurity program.

What Is a Vendor Risk Management Policy?

In the digital age, organizations are developing and maintaining many more third-party relationships than they did before. A few years ago, a survey of about 400 companies found that two-thirds of respondents had more than 5,000 third-party relationships. One organization reported that it interacted with 28,000 vendors!

Even if your organization doesn’t have that many vendors, outsourcing to any third-party vendor, supplier, contractor, or service provider creates risk. In particular, every such relationship increases the potential for a data breach, whether it’s negligent or malicious.

Third parties also create other legal, compliance, financial, strategic, and reputational risks that can all harm your organization. A robust vendor risk management policy is crucial to manage third-party relationships and strengthen risk mitigation.

A vendor risk management policy identifies the risks your organization faces as it works with third-party vendors. This policy imposes due diligence and specifies under what conditions a vendor should have access to your systems, networks, or data; and to what extent.

A vendor risk management policy also spells out the various controls that must be in place to minimize those risks and prevent disruptions to operational continuity. Think of your vendor risk management policy as a roadmap to the success of your third-party risk management program.

The Benefits of Having a Vendor Risk Management Policy

In late 2017, the “Paradise Papers” data hack was discovered. More than 13.4 million sensitive pieces of information were leaked that belonged to celebrities, politicians, and other high-profile people. Of this number, at least 6.8 million came from a single offshore legal services provider (that is, a vendor) that had been hacked by cybercriminals.

As the cyberthreat landscape expands, particularly in the wake of COVID-19, such risks are growing even more common. Threat actors are increasingly attacking major IT vendors (think SolarWinds) by exploiting open vulnerabilities with increasingly sophisticated malware.

Considering the potency of such “supply chain attacks,” it’s not surprising that research firm Gartner believes that external risk is now “top of mind” for security and risk management leaders. Creating a written vendor management policy is the first step toward reducing such risks, particularly as your vendor network expands.

Such a policy outlines how a vendor can access, manage, and process your assets and sensitive data. Without this policy, there is a high chance that your organization’s sensitive data and even your customers’ personally identifiable information (PII) might be handled by someone not authorized to do so.

Worse, if this leads to a breach, you won’t have the necessary controls in place to minimize the harm. The average cost of a data breach increased from $3.86 million in 2020 to $4.24 million in 2021. Without a vendor risk management policy, this average cost might well become your organization’s average cost.

The risk management policy must be applied consistently to all third-party vendors, all the way from onboarding through termination. Continuous monitoring of all vendors over this lifecycle is also essential. Don’t just rely on an initial cyber risk assessment alone.

The policy must spell out how each vendor will handle your sensitive data to remain compliant with industry regulations, legal standards, and your own internal privacy and information security policies.

Next, along with the policy, you’ll need third-party risk management procedures outlining the roles and responsibilities of every person involved in the vendor risk management program, including senior management, business line managers, and, where applicable, the vendors themselves.

Setting Up A Vendor Risk Management Policy

When setting up a vendor risk management policy, it helps to follow a systematic, step-by-step procedure.

Step 1: List All Third-Party Vendors

First, create an exhaustive list of all third-party vendors associated with your enterprise. These vendors could be suppliers, contractors, consultants, business process outsourcers — basically, everyone your organization does business with. Also identify their third-party vendors, so your list accounts for both third- and fourth-party entities that are potential sources of risk.

Step 2: Conduct a Risk Assessment

What are the risks your business might incur from using those third parties? Complete a risk assessment to find out. Start by determining which vendors in your list (compiled in Step 1) have access to your internal network and sensitive data.

Step 3: Calculate a Risk Score for Each Vendor

Score each vendor’s risk, depending on whether or not it has access to your sensitive information and network. If it does and if your organization relies on that vendor for critical business activities, categorize those parties as high-risk vendors. Create the rest of your priority list accordingly. Consolidate your rankings in a central database for easy access and update the database as you add new vendors or remove old ones.

Step 4: Establish Vendor Risk Management Procedures

Draft your vendor risk management policy based on the vendor list and risk scores for each vendor. Your policy should address all these critical factors and accordingly specify the relevant controls:

  • Vendor due diligence

    • What questions should we ask?
    • What should we include in our security questionnaires?
  • Security service level agreements (SLAs)

    • What do these contain?
    • How do we assure that vendors meet these SLAs?
    • What should we do if they don’t (or can’t)?
  • Vendor compliance with regulatory and industry frameworks

    • Which frameworks and regulations matter to us?
    • How do we evaluate whether vendors are compliant with these frameworks?
  • Vendor controls

    • Which controls are mandatory to meet our expectations?
    • What other controls are acceptable?
  • Breach liability

    • Who is responsible if a security breach happens?
    • What action do we take if the vendor is found to be liable?
  • Breach procedures

    • What’s our plan if a vendor experiences a disruption or failure in services?
  • Vendor review

    • Which certifications or reports (PCI-DSS, HIPAA, SOC 2, and so forth) do we need our vendors to have or prepare?
    • How do we audit our vendors?
    • Should we make site visits? How often?
    • How do we assure that vendors continue to meet our security requirements and comply with ever-changing regulations?
    • When and how do we terminate vendor contracts, such as if security requirements aren’t met?
  • Oversight required from the board and senior management

  • Disaster recovery and business continuity procedures

Step 5: Monitor and Update the Vendor Risk Management Policy

Your vendor risk management policy should be reviewed and updated regularly to ensure that it (and your enterprise) can adapt to changing circumstances and situations. Regular review will also assure that you can quickly identify new risks and implement the necessary controls to minimize them before they get out of hand.

Streamline Vendor Risk Management With ZenGRC

Vendor risk management is a job with many moving parts. Just creating, sending out, tracking, and logging the answers to vendor surveys can be enough to make a risk or compliance officer’s head spin — especially if you’re using spreadsheets to organize everything. Fortunately, there’s an easier way.

ZenGRC streamlines the vendor risk management process with user-friendly compliance checklists, workflows, and dashboards. It automates questionnaires and assessments, eliminating labor-intensive tasks while increasing visibility. You can easily see which third parties are in compliance and which are not, where the gaps are and how to fill them.

ZenGRC can also help you rank third parties according to their level of risk and continuously monitor for changes in their compliance and risk posture. Freed from these mundane, time-consuming tasks, you can focus on more pressing matters — such as protecting your systems and data from unauthorized access and use.

Contact Reciprocity today for a free consultation on ZenGRC and start on the Zen path to successful vendor risk management.