Vendor Risk Management (VRM): How to Implement a VRM Program that Prevents Third-Party Breaches

  • May 02, 2023
Author

Anna Fitzgerald

Senior Content Marketing Manager at Secureframe

Reviewer

Cavan Leung

Senior Compliance Manager at Secureframe

In a 2022 study conducted by Ponemon Institute, 54% of organizations reported experiencing a data breach caused by one of their third parties in the last 12 months.

An effective vendor risk management (VRM) program can help prevent these third-party data breaches. In addition to helping protect your organization from various types of threats, a VRM program also helps set clear expectations with vendors that can improve communication and foster a more productive partnership. 

In this guide, we’ll explain what vendor risk management is, common risk types, how to implement a program within your organization, and best practices to develop your own vendor risk management program.

What is vendor risk management?

Vendor risk management is a process companies use to identify, manage, and monitor ongoing risks associated with a vendor. 

Because many organizations work hand-in-hand with outside vendors to cut down on costs or better serve customers, sharing access to sensitive information with third parties often can’t be avoided. So organizations need to do so in a way that maintains their own security.

VRM provides companies with visibility into who they work with, how they work with them, and what security controls each vendor has implemented.

Let’s take a closer look at why VRM is important below.

Why is vendor risk management important?

Why is vendor risk management important?

With the growing frequency and sophistication of cyber attacks, it’s imperative that companies put the same amount of scrutiny on the risk management practices of outside vendors as they do their own.

Yet many organizations aren’t. In a 2022 survey of executive risk committee members conducted by Gartner, 84% of respondents said that third-party risk incidents resulted in disruptions in their operations.

Below are just a few reasons to begin or improve your process for managing third-party risk.

  • Minimize risk: When companies choose to enter a partnership with a third party, they open themselves up to increased digital risk and, by extension, increased enterprise risk. A solid vendor risk management plan can help minimize risk to an acceptable level. This allows you to focus on driving value from third-party relationships and maintaining a positive public image.
  • Prevent third-party data breaches: Creating a vendor risk management process requires an initial investment, but the costs associated with not having one — such as data breaches and disruptions in business continuity — can often cost much more. For example, data breaches cost organizations an average of $4.35 million in 2022. Data breaches caused by third parties cost organizations an additional $247,624, which is an adjusted average of $4.37 million.

third-party data breaches cost 4.37 million dollars in 2022

  • Meet regulatory compliance requirements: Industry regulations such as the General Data Protection Regulation (GDPR) and the New York SHIELD Act are solidifying the necessity of creating and maintaining ongoing VRM best practices. Having a VRM plan can help identify and manage vendors that do not have a strong enough cybersecurity program to meet a defined required security standard for protecting customer data. 
  • Streamline the vendor onboarding process: A vendor risk management plan will often introduce more steps to your vendor onboarding process because each vendor will undergo a due diligence process during procurement. However, having a step-by-step process for collecting information, creating vendor profiles, assigning risk categories, and communicating with vendors can inherently help streamline the process, mitigate risk, and streamline vendor compliance. 
  • Improve information security processes: In terms of information security, having a vendor risk management program in place helps your organization understand how data flows, where it’s stored, and how to manage access to that information.

Types of vendor risks 

Vendor risks refer to the risks your organization as well as your customers face due to the services and processes you outsource to vendors. Below are common vendor risks to be aware of as you begin to build your vendor risk management process.

6 types of vendor risks including cybersecurity and operational risk

Cybersecurity risk

This type of risk involves the susceptibility of an organization to damage from cyber attacks resulting in loss of data and reputational harm. This type of risk includes three components: threat (the entity carrying out the attack); vulnerability (the area of weakness that the threat can exploit); and consequence (results of the vulnerability being exploited). 

Cybersecurity risks include ransomware attacks, malware, phishing, denial-of-service attacks, and even insider threats, to name a few. A recent example is the March 2021 ransomware attack on CNA Financial Corp. The company ended up paying $40 million to regain control of its network. 

Compliance risk

Compliance risk comes from a violation of laws, regulations, and internal processes that a company must follow. These will vary by industry, but common compliance frameworks include HIPAA and PCI DSS. Failure to comply with these regulations often comes with a hefty fine, so it’s important that any third-party vendors or service providers you work with are also in compliance.

An example of this is Amazon's 2021 fine of more than $880 million for tracking user data without appropriate consent. It remains the largest fine imposed by a European data protection authority since the GDPR came into effect in 2018.

Reputational risk

This type of risk is associated with the public perception of an organization that can suffer in the aftermath of a data breach or insecure data handling that’s not up to industry standards. An organization opens itself up to reputational risk damage if questionable ethical practices or poor crisis management is brought to light. 

Financial risk

This type of risk a company faces by doing business with another organization that, should they be breached, would cause financial risk. This could include lost revenue or excessive costs, both of which can hinder the growth of a business.   

Operational risk

Operational risk could involve the business interruption of a third-party vendor that disrupts your own organization’s operation or flawed process, procedures or policies. An example could include your third-party vendor experiencing a ransomware attack or a natural disaster impacting the supply chain.  

Strategic risk

These types of risks are associated with or created by a company’s business strategy or business objectives and changes to technology, personnel, or events that could impact the defined strategy and objectives. Third-party vendors come into play with this type of risk when decisions made or changes to their operations do not align with your company’s objectives or security requirements. 

Key performance indicators (KPIs) and key risk indicators (KRIs) can be helpful tools to measure and monitor a third-party vendor’s performance over time to ensure changes to their business objectives or strategy aren't impacting your own company goals.

What is a vendor risk management program? 

A vendor risk management program is a step-by-step program that a company adopts in order to identify, measure, monitor, and reduce the risks associated with an outside vendor. The program clearly lays out the expectations a company has when it comes to vendor behavior and access to data. 

A vendor risk management process typically begins with a due diligence exploration of a potential vendor’s risk profile, also known as a vendor risk assessment. This assessment process is used to identify any potential risks and better understand how data is shared before entering into a legal agreement. It can include anything from reviewing vendor compliance reports and the attestations of compliance to requesting vendors to perform a vendor security questionnaire and reviewing results.

From there, a process should be in place to consistently monitor your vendor's security posture and identify potential threats before they impact your business. 

Vendor risk management programs may look a little different depending on your organization’s industry, but they often include a contract between the two parties detailing terms of use and a responsibility matrix determining how customer data and services are managed throughout the partnership. 

To ensure your vendor risk management program is successful, it’s important to have key stakeholders work together to help coordinate best practices and document risk. This includes HR, legal, compliance, and any other teams that are involved in shared responsibilities with the vendors.

What is the Vendor Risk Management lifecycle?

As you create your vendor risk management program, it’s helpful to understand how those vendor relationships will evolve over time. That process includes:

Stage 1: Planning

The planning phase is an opportunity to design a vendor risk management program that’s tailored to your organization’s unique needs. Think through your organization’s goals for managing vendor risk and outline new tasks, responsibilities, and workflows that will need to be adopted for your vendor risk management plan to move forward.

This is also a chance to rethink how previous vendors were chosen and onboarded and implement a standard for how onboarding will be managed in the future.

The planning phase could also include the creation of a vendor inventory and the classification of each vendor into a risk tier. 

Stage 2: Vendor selection

Due diligence must be performed before entering into a contract with a vendor. This is the point where you should ask questions around their data protection practices or obtain certifications and attestations of compliance. Example questions include what type of training they do internally to mitigate risk and how often they perform internal risk assessments. This can be done via security questionnaires.

Stage 3: Contract negotiation

Once a vendor has been selected, a contract should be drafted that outlines the expectations and responsibilities of each party. Topics to cover include reporting and data governance, mitigation of any risks identified in the vendor selection process, performance expectations, and disaster recovery planning. This is also an opportunity for both organizations to get aligned on the work you’ll be doing together, how it will be done, and how it will be audited.

Stage 4: Vendor onboarding

During this phase, your organization should gather as much information about the vendor as possible. This is used to create a robust vendor profile. The onboarding stage is also the time to set up the vendor within your organization’s workflows, introducing the vendor to the tools and software they will be using, and sharing necessary access.

Stage 5: Continuous monitoring

Throughout the vendor relationship, your organization should be monitoring vendor compliance and performance to help eliminate risks. Compare performance against the contract in place as well as the industry standards for security to ensure your vendors remain competitive.  

Stage 6: Vendor offboarding

At the end of the vendor term, the contract should be reviewed again to ensure that all obligations have been met. Offboarding can then take place, with careful consideration regarding data preservation and disposal.

vendor management lifecycle broken down into six steps

How to implement a vendor risk management program

After identifying the need for a thorough vendor risk management program, it’s time to map out each step of the process. 

1. Understand your vendor’s risk factors 

The first step is to get a clear picture of the risk types a vendor may pose in regard to your organization. Collecting as much information as you can during this due diligence stage will help you build a risk profile for each vendor. 

You can do this by listing out all of the vendors you work with and prioritizing them by the threat each poses. Consider the level of access they may have to internal data or your organization’s ability to function if the vendor were to shut down for a period of time. 

A few questions to ask during this stage include:

  • What type of data is shared with the vendor?  
  • How are we sharing that data?
  • Who has access to this data?
  • How is that data stored?

Once risks have been identified and categorized, you can assign risk levels to vendors. One way to do this is to look at the impact of a risk and the probability of it occurring. 

From there, you can organize vendors into tiers:

  • Tier 1: High risk, high criticality
  • Tier 2: High risk, medium criticality
  • Tier 3: High risk, low criticality
  • Tier 4: Medium risk, high criticality 
  • Tier 5: Medium risk, medium criticality
  • Tier 6: Medium risk, low criticality
  • Tier 7: Low risk, high criticality
  • Tier 8: Low risk, medium criticality 
  • Tier 9: Low risk, low criticality 

Manual tiering is a popular route that provides organizations with greater flexibility and personal preference. Organizations can also use tools such as security questionnaires to score a vendor’s risk potential.

2. Review the right security framework for your organization

After identifying the risks vendors pose to your organization, it's time to review the security framework that is most relevant to your company. For example, if your vendor processes debit or credit card payments, you’ll want to ensure they are in compliance with the Payment Card Industry Data Security Standard (PCI DSS). If you operate in the healthcare industry, you’ll want your vendor to be compliant with HIPAA

3. Prepare contracts for your vendors

Working closely with your legal team, you’ll want to create contracts that outline the specifics of your business relationship and compliance expectations you hold for your vendors. 

Companies often have templates they use when writing contracts for vendors, but it’s important to tailor specifics of the contract to your vendor and the relationships you both share. 

4. Set up an internal vendor risk management team

Dedicating a team to work with vendors can help with communication, as well as streamline the ongoing monitoring of vendor relationships. This often involves hiring experienced risk managers or training current employees on vendor risk management practices. 

This team should own the setup of the vendor selection process, including creating documentation for choosing future vendors, collecting vendor details, and establishing ongoing reporting processes. A reporting process with vendors could include identifying any vulnerabilities and quickly resolving them. 

5. Monitor and refine your program over time

Once you begin collecting vendor information and tracking risks over time, your organization can make adjustments to improve your vendor relationship management program.

Establishing metrics to evaluate your VRM program can help you make the right adjustments. Examples of metrics are:

  • Total number of suppliers
  • Suppliers by risk level
  • Total number of reported cybersecurity incidents
  • Status of all vendor risk assessments
  • Risks grouped by tier (high, medium, low)
  • Time to detect risk
  • Time to mitigate risk
  • Cost of risk management
  • Risk history over time
  • Type of data stored, processed, and/or transmitted by vendor

Vendor risk management best practices

To ensure your vendor risk management program is set up for success, here are a few best practices to keep in mind:

  • Conduct a thorough exploration of a vendor’s risk management practices before signing a contract: Security questionnaires should be completed before agreements are in place to understand a product’s or service’s function, how it’s designed, and how data flows. This also provides an opportunity to learn more about the vendor’s reputation. 
  • Ensure the vendor contract covers all necessary categories: If questionnaire results are satisfactory, then legal agreements should be created that include the agreed upon security standards and obligations. 
  • Create consistent compliance and security training within your own organization: Often, data and security breaches happen through human error, so providing ongoing security awareness education can help lower the internal risk of a problem occurring. 
  • Monitor fourth-party vendors: There’s a good chance your vendors are also using vendors, which opens the door to fourth-party risk. While you won’t have contracts with these vendors, you can ask vendors for attestation for compliance against frameworks such as SOC 2, which will require vendors to conduct their own due diligence on the vendors they work with.

Vendor risk management checklist

Still unsure of how to implement an effective vendor risk management program at your organization? Use this checklist to get started.

How to automate vendor risk management

The vendor risk management process can be a heavy burden on your organization. Risk assessments and ongoing monitoring of vendors can require employees to spend countless hours sifting through data. 

Automating this process can not only save your organization time; it can also speed up the process of assessing a vendor’s risk profile and onboarding new vendors. And because 60% of organizations are now working with more than 1,000 third parties, reducing the risk of human error is also an attractive benefit of vendor risk management automation. 

VRM automation can help simplify and streamline the following tasks:

  • Vendor reviews: An automation platform can allow you to easily store and review vendor documentation to ensure they’re compliant. 
  • Vendor risk assessments: Some automation platforms can provide risk recommendations based on the vendor assessment information you provide to help simplify the vendor risk assessment process.
  • Vendor access tracking: You can easily monitor and track third-party personnel system access using an automation platform. 
  • Continuous monitoring: An automation platform can continuously monitor your vendors’ security posture and their compliance with regulatory and industry frameworks.

When looking for an automated vendor risk management product, look for one that offers an easy-to-use platform in addition to a team of security and compliance experts to guide your organization through every step of the vendor risk management setup process.

How Secureframe can help companies manage vendor risk 

Secureframe is able to integrate with dozens of common vendors you're already using, retrieve their security information on your behalf, and provide a detailed report of their risk profile. Secureframe also allows you to document other vendor details such as vendor owners, types of data, and any due diligence notes from your vendor review.

Automating this repetitive, labor-intensive process can greatly speed up vendor evaluations and onboarding processes. Secureframe’s team of compliance experts can also help you complete faster risk assessments with auditor-certified security questionnaires. 

To find out more about how Secureframe can improve your VRM process, request a demo of our platform today.

FAQs

What is the vendor risk management process?

Vendor risk management is a process companies use to identify, manage, and monitor ongoing risks associated with third-party vendors. 

What is the role of vendor risk management?

Vendor risk management is intended to minimize an organization’s third-party risk exposure by:

  • Preventing third-party data breaches
  • Meeting regulatory compliance requirements for standards such as GDPR and the New York SHIELD Act 
  • Simplify new vendor onboarding
  • Improve information security processes by understanding how data flows both internally and externally

What is an example of a vendor risk?

An example of vendor risk would be a third-party vendor experiencing a ransomware attack, or a natural disaster impacting the supply chain. 

How do you conduct vendor risk management? 

Implementing a vendor risk management program involves several key steps: 

1. Understanding the vendor’s risk factors, including what type of data is shared with them, who has access to it, and how/where it’s stored

2. Verifying compliance with applicable frameworks. For example, if the vendor processes payment card data, ensure they are PCI DSS compliant. 

3. Prepare contracts that outline the specifics of your business relationship and your expectations for compliance. 

4. Assign an internal vendor risk management team to establish a vendor selection process and monitor vendor relationships. 

5. Monitor and improve your vendor risk management program with key metrics such as total number of cybersecurity incidents, status of all vendor risk assessments, and time to detect and mitigate risk.