Vendor risk management is a process companies use to identify, manage, and monitor ongoing risks associated with a vendor.
Because 58% of companies believe they have suffered a data breach due to vendor access, the importance of having a solid vendor risk management plan in place cannot be overstated.
Organizations often work hand-in-hand with outside vendors to cut down on costs or better serve customers. And because sharing access to sensitive information with vendors often can’t be avoided, organizations need to do so in a way that maintains their own security.
A well-designed vendor risk management (VRM) process not only helps protect your organization from a range of threats, it also sets clear expectations with vendors, which improves communication and fosters a more productive partnership.
In this primer, we’ll explain what vendor risk management is, common risk types, how to implement a plan within your organization, and best practices to develop your own vendor risk management program.
Gone are the days when a written agreement or a signed NDA provided enough protection for organizations sharing sensitive information with an outside vendor. With the growing frequency and sophistication of cyber attacks, it’s imperative that companies put the same amount of scrutiny on the risk management practices of outside vendors as they do their own.
While the compliance landscape continues to evolve, many organizations aren’t keeping pace with industry standards. In a 2019 survey conducted by Compliance Week and Aravo, 43% of surveyed practitioners claimed that their board didn’t have a good handle on third-party risk.
Not having a clear-cut vendor risk management process can cost companies dearly. Data breaches caused by third parties cost organizations an adjusted average of $4.29 million in 2019.
When companies choose to enter a partnership with a third party, they open themselves up to increased digital risk and, by extension, increased enterprise risk. Beyond that, industry regulations such as General Data Protection Regulation (GDPR) and the New York SHIELD Act are solidifying the necessity of creating and maintaining ongoing VRM best practices.
As you begin to build your vendor risk management process, it’s important to understand the types of risks your organization faces. Understanding which types of risk are most critical to your business will help you better understand your risk exposure when working with outside vendors.
Cybersecurity risk: This type of risk is an organization’s exposure to damage from cyber attacks, such as loss of data and reputational harm. It has three components: the threat (the actor or event carrying out the attack); the vulnerability (the weakness the threat can exploit); and the consequence (the impact once the vulnerability is exploited).
Cybersecurity risks include ransomware attacks, malware, phishing, denial-of-service attacks, and even insider threats, to name a few. A recent example is the March 2021 ransomware attack on CNA Financial Corp. The company reportedly paid $40 million to regain control of its network.
Compliance risk: Compliance risk comes from violating the laws, regulations, and internal policies a company must follow. These vary by industry, but common requirements include HIPAA and PCI DSS. Failure to comply often carries a hefty fine, so it’s important that any third-party vendors you work with are also in compliance. An example is the UK Information Commissioner’s Office’s 2019 notice of intent to fine Marriott more than £99 million under the GDPR after a cyber attack exposed the personal data of roughly 339 million guests.
Reputational risk: This type of risk concerns the public perception of an organization, which can suffer after a data breach or after insecure data handling that falls short of industry standards comes to light. Questionable ethical practices or poor crisis management at a vendor can damage your reputation as well as theirs.
Financial risk: This is the monetary loss a company is exposed to through a vendor relationship, for example when a breach at the vendor leads to lost revenue, remediation costs, or contractual penalties, any of which can hinder the growth of a business.
Operational risk: Operational risk arises when a business interruption at a third-party vendor, or a flaw in the vendor’s processes, procedures, or policies, disrupts your own organization’s operations. Examples include a ransomware attack on the vendor or a natural disaster that halts the vendor’s operations for an extended period.
Strategic risk: Strategic risk is created by a company’s business strategy or objectives and by changes to technology, personnel, or external events that could undermine them. Third-party vendors contribute to this risk when their decisions or changes to their operations no longer align with your company’s objectives or security requirements.
Key performance indicators (KPIs) and key risk indicators (KRIs) can be helpful tools to measure and monitor a third-party vendor’s performance over time to ensure changes to their business objectives or strategy aren't impacting your own company goals.
The most obvious benefit of a solid vendor risk management plan is to minimize risk to an acceptable level. This allows you to focus on driving value from third-party partnerships and maintaining a positive public image.
Creating a vendor risk management process requires an initial investment, but the costs of not having one (data breaches, compliance fines, etc.) are often far higher. A vendor risk management plan helps identify vendors whose cybersecurity program is not strong enough to meet the security standard you require for protecting customer data.
A vendor risk management plan will often introduce more steps to your vendor onboarding process because each vendor will undergo a due diligence process. However, having a step-by-step process for collecting information, creating vendor profiles, assigning risk categories, and communicating with vendors can help streamline the process.
In terms of data security, having a vendor risk management program in place helps your organization understand how data flows, where it’s stored, and how to manage access to that information.
A vendor risk management plan is a step-by-step program that a company adopts in order to identify, measure, monitor, and reduce the risks associated with an outside vendor. The plan clearly lays out the expectations a company has when it comes to vendor behavior and access to data.
The process begins with due diligence on a vendor’s risk profile. Risk assessments are used to identify potential risks and to understand how data will be shared before entering into a legal agreement. Due diligence can range from reviewing a vendor’s compliance reports and attestations to sending the vendor a security questionnaire and reviewing the answers. From there, a process should be in place to monitor your vendor’s security posture on an ongoing basis and identify potential threats before they impact your business.
To ensure your vendor risk management plan is successful, it’s important to have internal teams work together to help coordinate best practices and document risk. This includes HR, legal, compliance, and any other teams that are involved in shared responsibilities with the vendors.
As you create your vendor risk management plan, it’s helpful to understand how those vendor relationships will evolve over time. That process includes:
After identifying the need for a thorough vendor risk management program, it’s time to map out each step of the process.
The first step is to get a clear picture of the risk types a vendor may pose in regard to your organization. Collecting as much information as you can during this due diligence stage will help you build a risk profile for each vendor.
You can do this by listing out all of the vendors you work with and prioritizing them by the threat each poses. Consider the level of access they may have to internal data or your organization’s ability to function if the vendor were to shut down for a period of time.
A few questions to ask during this stage include:
Once risks have been identified and categorized, you can assign risk levels to vendors. One way to do this is to look at the impact of a risk and the probability of it occurring.
From there, you can organize vendors into tiers:
Manual tiering is a popular route that gives organizations flexibility and room for judgment. Organizations can also use tools such as security questionnaires to score a vendor’s risk.
After identifying the risks vendors pose to your organization, it's time to review the security framework that is most relevant to your company. For example, if your vendor processes debit or credit card payments, you’ll want to ensure they are in compliance with the Payment Card Industry Data Security Standard (PCI DSS). If you operate in the healthcare industry, you’ll want your vendor to be compliant with HIPAA.
Working closely with your legal team, you’ll want to create contracts that outline the specifics of your business relationship and compliance expectations you hold for your vendors.
Companies often have templates they use when writing contracts for vendors, but it’s important to tailor specifics of the contract to your vendor and the relationships you both share.
Dedicating a team to work with vendors can help with communication, as well as streamline the ongoing monitoring of vendor relationships. This often involves hiring experienced risk managers or training current employees on vendor risk management practices.
This team should own the setup of the vendor selection process, including creating documentation for choosing future vendors, collecting vendor details, and establishing ongoing reporting processes. A reporting process with vendors should define how vulnerabilities and incidents are reported and how quickly they must be resolved.
Once you begin collecting vendor information and tracking risks over time, your organization can make adjustments to improve the overall vendor relationship management process.
To ensure your vendor risk management program is set up for success, here are a few best practices to keep in mind:
The vendor risk management process can be a heavy burden on your organization. Risk assessments and ongoing monitoring of vendors can require employees to spend countless hours sifting through data.
Automating this process not only saves your organization time; it also speeds up assessing a vendor’s risk profile and onboarding new vendors. And because 60% of organizations now work with more than 1,000 third parties, reducing the risk of human error is another attractive benefit of vendor risk management automation.
When looking for an automated vendor risk management product, look for one that offers an easy-to-use platform in addition to a team of security and compliance experts to guide your organization through every step of the vendor risk management setup process.
Secureframe is able to integrate with dozens of common vendors you're already using, retrieve their security information on your behalf, and provide a detailed report of their risk profile.
Automating this repetitive, labor-intensive process can greatly speed up vendor evaluations and onboarding processes. Secureframe’s team of compliance experts can also help you complete faster risk assessments with auditor-certified security questionnaires.
To find out more about how Secureframe can improve your VRM process, request a demo of our platform today.