Best Practices In Evaluating Vendors For Risk

For most companies, many digital transformation efforts involve onboarding new third-party vendors. And it makes sense. Third-party collaboration ensures agility and efficiency through reduced time-to-market or production while also offering optimized performance and availability. E.g., hosting servers via a cloud platform, integrating with a security platform, or telecommunication services, etc. But third-party collaborations don’t come without security risks. More cyberattacks are stemming from third-party integrations than ever before. So, how do you assess risk before onboarding the third party? And how do you manage their access lifecycle?

Evaluating third-party risk

A former CTO mentioned that they were using Archer for third-party risk management at their last company and thought about swapping it for ServiceNow, which worked more out-of-the-box. Another executive noted that they rely on PCI compliance to ensure secure third-party transactions. Overall, most participants shared that they were managing third-party risk somehow but didn’t really have a formal program for it.

An attendee recounted how they created a cloud assessment survey consisting of around 350 questions during their time at a leading research institute. Every new third-party vendor had to fill the survey, which contained questions like cloud or on-premises? What kind of data? What is your disaster recovery plan? Business continuity plan? Soon afterward, they collaborated with folks from Higher Education to develop a vendor assessment tool that’s now used across higher education institutes. The tool in its current state has two versions: Light, with 80-90 questions, and heavy, with ~ 250 questions.

Sharing risk data between organizations

Multiple speakers agreed that organizations should share risk data to protect against cyberattacks and data breaches, even with competitors. One mentioned that they are building an identity risk warehouse, which will allow sharing risk data about individuals between organizations. A CTO for a hedge fund company said that many companies in their industry use the same vendors, and they often share their reviews and experiences with each other. They, in collaboration with other CTOs, have standardized a vendor assessment questionnaire.

Why bother with third-party assessments?

One executive commented on the importance of third-party assessments by sharing some facts: In 2018-19, security breaches increased by 11%, 67% since 2014. 53% of companies have dealt with at least one data breach caused by a third party, costing up to $7.5 million to remediate. They added that many companies are exchanging data with hundreds of different third parties but aren’t fully aware of the security and compliance obligations that must be considered.  

The challenges of managing third-party risk

A participant talked about how it’s not enough to simply get a questionnaire filled and consider everything that a vendor says to be true. When onboarding, they may say that they will never require privileged access, but companies can’t afford to just take their word for it. However, many small organizations often lack the staffing and tools to monitor third-party access post-onboarding to ensure compliance. Do you know how many people will be granted critical access? How many API accesses will be granted? Who is accessing what right now? In case of a breach, can you immediately revoke the relevant accesses and work towards a remediation plan?

Assessing and mitigating third-party risk without being a barrier to new business is also very important but sometimes hard to achieve. Executive and management teams can sometimes question the efficacy of risk assessment programs if they inhibit a company’s ability to do business actively. In such circumstances, it’s essential to explain to them the potential risks and monetary losses that the company can incur in the event of a third-party data breach.  

‍