Vendor Risk Management - time for a paradigm shift

“If not managed effectively, the use of service providers may expose financial institutions to regulatory action, financial loss, litigation, and loss of reputation.” That is a statement I recall striking me some time ago. Recent cyber attacks reinforce the urgency of implementing stronger third-party risk management programs. Whether the data is stored in a vendor's cloud or on premises does not matter: if the data is not properly secured, the chance of a data breach increases.

Multiple vendors – More complexity

Many of you will be dealing with multiple vendors. When I was associated with a financial company at one point in my career, I was a little surprised by the number of vendors they worked with. Being a financial company, their financial data was being stored at a vendor's site. How secure was it? I accept that the vendors were complying with our standards and that we had the right to audit them at any time. Still, since it was financial data, I doubted how we could monitor what they were doing with it. I got the opportunity to interact with a senior security leader of that company and asked about my doubts. He told me about the Vendor Risk Assessment they perform before entering into business, with a yearly refresh to make sure the vendor still complies with the policies. He also showed me some documents covering the PCI DSS requirements agreed with the service provider. Under the contractual agreement, the service provider has to be compliant with those requirements, which, he argued, ensures that they take security seriously and perform audits too.

To be frank, I was still not convinced by his statement. I don't believe contracts are enough to protect your business. Being compliant with certain standards does not mean you are fully protected. I had other questions too. What if your vendors have vendors of their own, and how can we assess the risks associated with those “fourth” parties? What about the sensitivity of the data the vendor could potentially access? Have you categorized your service providers based on the risk and criticality they pose?

Whom to blame?

If a breach occurs and your customers' data, for example credit card or health information, gets exposed, it is not your vendor who is held responsible. Ultimately you are responsible for protecting your customers' data, not your third-party vendor. So third-party assessment has to be incorporated into your cyber security plan.

Vendor selection process

Once we decide to outsource, we need to pay the utmost attention to selecting the vendor, and the Information Security department needs to be involved in the selection process. Before the vendor selection starts, brief the information security department on the application and ask them for the baseline information security requirements the vendor must comply with. Provide these requirements to the vendor, collect the responses, and hand them back to the Infosec team. Based on the responses, Infosec can score the vendor and ask for further clarification. When evaluating multiple vendors, I agree that the fit between application functionality and your business requirements is important, but information security needs equal weight. Any small negligence can allow major vendor risks to arise and grow without detection.

Need to be proactive not reactive

Once we have finalized the vendor and started doing business, we are back to the old question of how to monitor them, not reactively but proactively. Is there any way? As I mentioned above, the traditional way of doing a vendor risk assessment is to send out a questionnaire to understand the vendor's risk posture. We use technology in every other important area, so why are most companies still relying only on manual assessment? Why not use a solution that helps monitor your service providers? Such a solution also helps during pre-assessment, when an RFP has numerous vendors competing and you need sound criteria to shortlist them. Vendor risk comes in many forms: Strategy, Reputation, Industry, Geography, Operational, Financial, Brand, Regulatory and Data. To identify and mitigate all of these risks effectively, it is worth looking at a solution that gives you real-time visibility into vendor risks and controls.
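As an added illustration (not code from the article or from any product it mentions) of the scoring step in the selection process above and the shortlisting criteria this paragraph calls for: a small Python scorer that weights questionnaire answers across the article's nine risk domains, flags unanswered domains for clarification, and tiers vendors. The domain weights, the 0 to 5 answer scale, the sensitive-data and fourth-party adjustments and the tier thresholds are assumptions chosen for the example.

```python
from dataclasses import dataclass, field

# The nine vendor risk domains the article lists. The weights are an assumption
# for this example (not from the article): domains that touch regulated or
# customer data count for more than brand or strategy concerns.
DOMAIN_WEIGHTS = {
    "Strategy": 1.0, "Reputation": 1.0, "Industry": 1.0, "Geography": 1.0,
    "Operational": 1.5, "Financial": 1.5, "Brand": 1.0, "Regulatory": 2.0,
    "Data": 2.5,
}
MAX_ANSWER = 5  # assumed questionnaire scale: 0 = no control, 5 = control evidenced
TIERS = [(60, "critical"), (40, "high"), (20, "medium"), (0, "low")]  # assumed cut-offs


@dataclass
class VendorAssessment:
    name: str
    answers: dict                            # domain -> 0..MAX_ANSWER, scored by Infosec
    handles_sensitive_data: bool = False     # e.g. cardholder or health data
    fourth_parties: list = field(default_factory=list)  # vendors this vendor relies on


def missing_answers(a: VendorAssessment) -> list:
    """Domains the vendor left unanswered; these go back as clarification requests."""
    return [d for d in DOMAIN_WEIGHTS if d not in a.answers]


def residual_risk(a: VendorAssessment) -> float:
    """Weighted residual risk 0..100; an unanswered domain counts as no control."""
    gap = sum(w * (MAX_ANSWER - a.answers.get(d, 0)) for d, w in DOMAIN_WEIGHTS.items())
    score = 100.0 * gap / (MAX_ANSWER * sum(DOMAIN_WEIGHTS.values()))
    if a.handles_sensitive_data:
        score *= 1.25                 # breach impact is higher for sensitive data
    if a.fourth_parties:
        score += 5.0                  # unassessed fourth parties add uncertainty
    return round(min(score, 100.0), 1)


def tier(score: float) -> str:
    """Map a residual risk score to the first tier whose floor it reaches."""
    return next(label for floor, label in TIERS if score >= floor)


def shortlist(assessments: list, worst_acceptable: str = "medium") -> list:
    """RFP shortlist: vendors at or below the given tier, lowest residual risk first."""
    order = [label for _, label in TIERS]          # critical, high, medium, low
    allowed = order[order.index(worst_acceptable):]
    scored = [(residual_risk(a), a.name) for a in assessments
              if tier(residual_risk(a)) in allowed]
    return [name for _, name in sorted(scored)]
```

A vendor with unanswered domains is scored as if it had no control there, so the clarification request and the score move in the same direction.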

As per the current trend, financial companies are giving more importance to Vendor Risk Assessments. The risk posed by vendors needs to be taken into consideration, and a vendor risk assessment has to be mandatory for every business stream before a core business function is handed over. However, the volume and complexity of vendor relationships make it extremely challenging to perform thorough vendor risk assessments, and that is where we should start thinking about different solutions.

Authored by Aju Nair


There are 2 Comments

Multiple vendors do not provide more complexity as long as we have strong governance and proper and periodic vendor risk assessment in place, and for high-risk vendors the enterprise needs to perform the vendor risk assessment annually. A lot of risks are mitigated with a strong contractual agreement between the enterprise and the vendor. A stringent penalty clause must be defined for vendors who violate the agreement. Without multiple vendors, economy of operational effectiveness is not possible, and this helps the enterprise focus on their core competencies.

Yes, I too agree with you. But as you mentioned, we need to have strong governance in place, and people should understand the real importance of doing periodic VRAs. Even though I didn't mention the name of any vendor, I was looking at solutions similar to "Prevalent", which offer products for assessing vendor threats. The risk of handing over my data to a vendor is always there, but as you mentioned, we need to have good governance in place. I personally won't believe that doing only an annual risk assessment is enough to feel that we are good; we also need to be proactive.