Steps for properly managing vendor risk to your company

11-6-2018, 08:17   Blog   

The first installment of this two-part blog post discussed “the modern chain gang” and how we are – for better or worse – all linked together via technology and the other vendors in the supply chain. If you missed that first article, you can read it here. In this post, Rick D’Angona, founder of 3PAS (a vendor credentialing and risk assessment company established on the principle that vendor credentials and risk assessments should be universally accessible and shareable between companies doing business together as part of the global economy), lays out the steps for properly managing vendor risk to your company.

With their supply chains being targeted by cyber attackers and advanced persistent threats, organizations face increased legal, operational, compliance, reputation, strategic, and credit risks when engaging in third-party relationships. These risks are compounded by the growing volume, diversity, and complexity of outsourcing arrangements. Regulators get it. They have turned their attention to these weak links in your chain-gang and are enforcing stricter guidelines on how organizations must manage their third-party suppliers. It won’t be long before regulations require companies to identify risks in their suppliers and their suppliers’ vendors and their suppliers’ vendors’ service providers and so on. 

Recent exploits, public scrutiny, and regulatory fines have thrust vendor risk management into the corporate spotlight. Without proper oversight, and a framework to systemically capture, assess, and mitigate third-party supplier risks, your organization can be seriously exposed. Time to have that long overdue heart-to-heart with your Chief Financial Officer.


Here are some common misconceptions when it comes to vendors’ data security risk:

Misconception #1: Because the vendor has been certified as PCI or HIPAA compliant, procurement can skip the security review.
In reality: Not a good idea.
  • Regulatory compliance is just one data point. A vendor can be PCI compliant on a very specific portion of its technology yet have weak controls in other areas. 
  • Most products and applications that are PCI or HIPAA compliant fall out of compliance quickly: they are often implemented with weak controls, or the originally compliant configuration drifts over time as the environment changes until it is no longer compliant.
  • Vendors may be PCI or HIPAA compliant but their sub-contractors and suppliers may ultimately put them out of compliance, putting your organization at risk.
  • Companies must be reviewed for data security risk annually to remain compliant.
  • Be wary of vendors who make a product seem too good to be true. There is no magic bullet that will make your network completely PCI or HIPAA compliant. Most vendors overstate their claims and promise much more than they can deliver. In the event of a security breach, consumers won’t care whether the fault lies with your business or with your vendor partner. 
Misconception #2: Because we are a privately held company, we don’t need to demonstrate the same level of data security due diligence as a public company; we are also not required to disclose any data breaches.
In reality: Not true.
  • Wow. Are there still people in positions of power that believe this?
  • Both public and private companies must disclose whether there has been a data breach involving PII and regulated data - that’s the bottom line. There is no get-out-of-jail card for private companies.
  • California and other states have strictly regulated data breach notification policies based upon the size of the breach, not on whether a company is publicly or privately held.
Misconception #3: If we were to have a data breach our customers would continue to do business with us if it wasn’t our fault.
In reality: Research has shown that it doesn’t matter how a breach occurs – a serious breach picked up by the media can have a negative impact on revenue and company valuation. 
  • Ask Target. Then ask Home Depot, AT&T, CVS Photo, California State University, Lowe’s and Department of Veterans Affairs.
  • When consumer satisfaction, trust and confidence drop due to a data breach, it has a huge impact on the bottom line. Make no mistake, if your customers lose trust and confidence in your ability to protect their data, they will go elsewhere and - even worse – they will blacklist you via social media, where their rants can spread like wildfire.
Misconception #4: If a data breach occurred, our executive team is not liable and won’t be held responsible.
In reality: It depends on the publicity and consumer impact of the data breach.
  • Whoops! Take a look at the Target breach in Jan 2014. Executives including the CISO were fired.
  • When the impact of a data breach affects shareholder value, consumer confidence and loyalty, and ultimately bottom-line revenue, it’s time to dust off the resume. One of the few teams that usually emerges unscathed after a major breach is the procurement team – even when the breach is attributed to a third-party service provider that procurement exempted from a risk assessment. How much longer do you think the procurement team will escape accountability?
Misconception #5: All open connections into my environment are well known and are properly managed and monitored.
In reality: Be careful – if you believe you are completely secured, you may miss something.
  • External connectivity needs change all the time to support vendor engagements. Temporary connections are often left in place and become permanent, and over time it’s these forgotten temporary connections that fail to properly protect the data being exchanged. This is precisely what happened at Target and Goodwill.
Misconception #6: My vendors signed contracts that assert that their security and privacy controls are strong and effective – so why do I need to do anything more to verify this?
In reality: This is a common misconception.
  • Procurement should use an objective process to determine which vendors require a data security assessment. The fact that a vendor asserts these claims won’t protect you in the court of public opinion should a major data breach occur.
  • Relying on vendor attestations is never a good idea – even cherry-picking, the old-school Russian roulette process of assessing vendors, is more reliable. Procurement should implement a “trust but verify” model for long-term successful and safe vendor engagements.


Step #1: Identify your active vendors.
  • Partner with business units and other procurement teams to create a list of all the active vendors supplying services to your company. The list must contain validated vendor point of contact data so you can contact the vendors and outline your risk assessment process for them.
Step #2: Triage your vendor list using objective criteria.
  • One of the most significant problems in properly triaging vendors supporting an organization is the sheer size of its vendor population. Even small to mid-sized companies easily have 100 third-party vendors. It’s understood that not all of a company’s vendors pose security risks to it. On average, about 10% of any vendor population exchanges data electronically or has connectivity to the computer systems of the companies it supports. This 10% vendor pool often includes technology, utilities, hosting, facilities, payment, and debt collection service providers.
  • As a result, it is not surprising that the business uses subjective methods, including things like the name of the company (“well, it kinda sounds like we might exchange data with them, right?”), when it comes to cherry-picking the vendors it sends over to the information security team for a vendor review. Procurement teams that cherry-pick vendors run the risk of passing over vendors that really should be assessed, as in the Target case, or of selecting vendors that shouldn’t have been selected because they don’t have access to data. Looking into vendors that should not be included in the 10% vendor pool is at best a time-waster and at worst takes attention away from the 10% that should be reviewed.
  • Cherry-picking in many ways is the gift that keeps on giving! It is very often the best way for a company to land on a regulator’s report for non-compliance with the new data security and privacy rules. A key requirement under the new rules is that all active vendors should be ‘touched’ once per year using an objective, repeatable process so they can be triaged into two buckets: (1) the 10% bucket of risky vendors needing an annual assessment and (2) the 90% bucket of vendors that don’t require a security review.
Step #3: Assess your vendors using an internationally recognized data risk framework.
  • Select an assessment vehicle that will provide you and your vendors with an objective way to leverage internationally recognized data security and privacy frameworks to give you the peace of mind that the assessment criteria are acceptable to regulators.
  • Rinse and repeat: Conduct assessments annually to ensure that you and your suppliers maintain compliance.
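The three steps above lend themselves to a small, repeatable script. The following Python example is added here for illustration and is not code from the article or from 3PAS; the vendor names, contact addresses and the 365-day interval are constructed assumptions. It applies the objective Step 2 rule (data exchange or connectivity, nothing else), the Step 3 annual cadence, and the one-time sweep that catches never-assessed “yesterday vendors” and records with no validated point of contact.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

ASSESSMENT_INTERVAL = timedelta(days=365)   # "rinse and repeat" annually (Step 3)

@dataclass
class Vendor:
    name: str
    contact: Optional[str]          # validated point of contact (Step 1)
    exchanges_data: bool            # exchanges data with us electronically
    has_connectivity: bool          # has connectivity into our systems
    last_assessed: Optional[date]   # None = never assessed (a "yesterday vendor")

def triage(v: Vendor) -> str:
    """Step 2: objective, repeatable rule. Only data exchange or connectivity
    puts a vendor in the 10% bucket; its name or category is ignored."""
    return "assess" if (v.exchanges_data or v.has_connectivity) else "no-review"

def assessment_due(v: Vendor, today: date) -> bool:
    """Step 3 cadence: due if never assessed or the last assessment is a year old."""
    return v.last_assessed is None or today - v.last_assessed >= ASSESSMENT_INTERVAL

def sweep(vendors: List[Vendor], today: date) -> Dict[str, List[str]]:
    """One-time sweep of the whole active population: buckets every vendor and
    flags records that cannot be contacted, regardless of on-boarding date."""
    report: Dict[str, List[str]] = {"assess_now": [], "compliant": [],
                                    "no_review": [], "missing_contact": []}
    for v in vendors:
        if not v.contact:
            report["missing_contact"].append(v.name)
        if triage(v) == "no-review":
            report["no_review"].append(v.name)
        elif assessment_due(v, today):
            report["assess_now"].append(v.name)
        else:
            report["compliant"].append(v.name)
    return report

# Constructed sample population (hypothetical names, not real vendors).
TODAY = date(2018, 11, 6)
SAMPLE_VENDORS = [
    Vendor("Facilities Maintenance Co", "ops@example.test", False, True, None),
    Vendor("Card Payment Processor", "sec@example.test", True, False, TODAY - timedelta(days=100)),
    Vendor("Office Catering", "orders@example.test", False, False, None),
    Vendor("Hosting Provider", None, True, True, TODAY - timedelta(days=400)),
]
if __name__ == "__main__":
    for bucket, names in sweep(SAMPLE_VENDORS, TODAY).items():
        print(f"{bucket}: {names}")
```

Feeding the real vendor list from Step 1 into `sweep` each year gives the objective, auditable triage the post calls for; the `missing_contact` bucket is the list of records that still need validated contact data.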


Business teams like procurement hold all the cards with regard to vendor risk.

It is essential to conduct a one-time sweep of your active vendor population to identify the set of vendors that should be assessed regardless of when they were on-boarded to your environment. Most “yesterday vendors” have fallen outside your regular process and may be posing risks to your environment. A sweep will also pick up any vendors that may have been excluded because of subjective cherry-picking.

Commit to running assessments on your active vendors that fall into your 10% bucket annually to keep the integrity of your process intact and to maintain compliance. And, look for help if you need it!


Rick D’Angona is founder of 3PAS, a vendor credentialing and risk assessment company established on the principle that vendor credentials and risk assessments should be universally accessible and shareable between companies doing business together as part of the global economy. 3PAS has a proven process for providing vendor due diligence assessments. This process is provided without extra cost to cleverDome members. To learn more about cleverDome and its alliance with 3PAS and how we can help with your vendor due diligence, click here.