Taking Control of Vendor Risk: A 6-Step Approach

June 1, 2020 by ACA Aponix


This article was previously published on InformationWeek. This version has been updated.

To take control of your risks, you need to understand the risks posed by your company's third-party vendors. However, keeping track of your company’s vendor risks can be a huge undertaking that requires more time and money than you are able to provide. With so many cybersecurity threats out there, not to mention regulations regarding cyber risk and data privacy, keeping a watchful eye on it all can be overwhelming.

The key to keeping vendor risks under control is keeping a comprehensive vendor risk tracking list. The challenge is how to best do this with limited time and resources. In an article recently published by InformationWeek, our team shares a 6-step approach to stay on top of the vendors your company uses, and to ensure that their cyber and technology risks are accounted for and under control.

It may sound like a no-brainer, but you can’t understand the cybersecurity and technology risks posed by your company’s third-party vendors unless you are tracking those vendors and their risks.

Defining Vendor Risk

Many companies work with third-party vendors to enable critical business functions and increase operational efficiencies. Yet, these vendors can be a tremendous source of cybersecurity and technology risk.

Reports have indicated that third-party data breaches are among the most common and most expensive types of cyber incidents, increasing the cost of the breach by more than $370,000, for an adjusted average total cost of $4.29 million according to IBM Security's 2019 Cost of a Data Breach Report. Vendors with access to sensitive data, such as financial service firms, SaaS providers, and data storage companies, could pose a significant risk to your organization.

Yet many companies struggle to find the time or resources necessary to track and address the risk presented by their third-party vendors. As a result, these companies do not have a full picture of how many vendors they use or how much data they are exposing. A Ponemon Institute report indicated that only 33% of companies keep an inventory of their third-party vendors and the company data that those vendors have access to.

How to Track Vendor Risk

The key to keeping vendor risks under control is keeping a comprehensive vendor risk tracking list. The challenge is how to best do this with limited time and resources.

Use the following tips to stay on top of the vendors your company uses, and to ensure that their cyber and technology risks are accounted for and under control:

  1. Account for every vendor – You may have an existing vendor list, or perhaps you have a partial list. It’s important to keep the list current and comprehensive. Verify vendor information with your company’s accounting department, and with the staff in charge of procurement. Weed through the list for duplicates, or vendors that are no longer active. Ask all department heads to list vendors they use, and make sure their information is consistent with the information on file. Consider granting vendors limited access to directly update some of their information (e.g., logos, subsidiaries, addresses, products, services), while implementing an approval and follow-up process.
  2. Centralize data – Ensure the vendor list is managed centrally and easily accessible. Consider appointing someone to maintain the list, and make sure their authority is established by upper management and recognized across the organization. Consider using a dedicated vendor management technology solution as needed.
  3. Conduct due diligence – Make sure every vendor is evaluated in terms of their cybersecurity practices, and how they align with your own. Prioritize vendors that have access to your sensitive data or pose operational risk. Review the vendors’ protective practices, incident response plans, business continuity plans, etc.
  4. Assess vendor risk – Assign a point value or some other ranking system for vendors, in terms of their criticality to your firm and their level of risk. Have the relevant business unit rank the vendor’s importance to the company (e.g., as critical, important, useful, or superfluous). Have your cybersecurity team, or at a minimum your IT team, analyze the vendor’s responses and due diligence results. Be cautious not to have the same vendor review itself. Be honest in your rankings, and provide the opportunity for follow-up.
  5. Track and address risks regularly and continuously – Keeping your firm secure in terms of vendor risk is a continuing effort. Don’t record risks now, then neglect to maintain the list over time. The key is consistency and accountability. To reduce risk, keep vendor risk tracking on track. Continue tracking vendors over time, and with increased frequency if they provide a crucial service to your company.
  6. Consider getting help – Just like you contract vendors to take care of specialized tasks, consider that same strategy for tracking vendor risk. Outsourcing vendor management to a company that specializes in monitoring vendors, follows up on their due diligence, and has the experience and expertise to do so efficiently and effectively can ultimately save you time, money, and worry. Getting help is a great way to greatly reduce your cybersecurity and technology risk.

Track Vendors to Keep Your Company Secure

You’re committed to reducing your firm’s cybersecurity and technology risk. Your efforts keep the cybercriminals and other bad actors at bay (not to mention the potential fines from regulators).

But to take control of your vendor risks, you need to understand the risks posed by your company’s third-party vendors. To do so, keep a comprehensive tracking list of your company’s vendors. Keep the list complete, up-to-date, and centralized. Rank vendor risk, and follow up with due diligence. Make this a continuing and ongoing effort, or consider outsourcing the job. By doing all of this, you’ll have taken control of your vendors and helped keep your firm’s data secure.

How We Help

ACA’s vendor management outsourcing service (VMOS) provides a combined white-glove service and technology solution that allows your firm to offload the vendor due diligence and risk assessment process. Our vendor management platform provides a clearinghouse service model that efficiently manages the third-party risk lifecycle for clients and vendors. The platform enables vendors to scale their responses to client due diligence requests by responding once and then approving distribution of due diligence reports to existing and prospective clients through the platform. Clients are often able to use due diligence reports immediately, rather than waiting through the longer cycle time that typically comes with sending bespoke questionnaires to vendors. The platform enables full confidentiality for vendors and clients, and delivers cost savings for both parties through the clearinghouse model.

Our team of experienced information security risk analysts can administer due diligence questionnaires (DDQ), analyze DDQ responses, identify vendor risks, engage vendors on developing remediation plans for identified risks, and report on results so your company can focus on more strategic tasks. Our tailored DDQs include over 300 questions and are customized for each vendor type to provide an accurate assessment of possible risks. All due diligence activities can be monitored via our platform, which provides status on due diligence requests, reporting on risks identified during due diligence, remediation tracking, final reports, and management of your vendor registry.

For more information, contact info@acaaponix.com or your ACA consultant.

About the Author

Sara Laverick is a Principal Consultant at ACA Aponix. Prior to ACA, she served as an Information Security Risk Consultant for HM Health Solutions, Inc. Before that, she served as a Data Security Analyst and later as a Data Processing Officer for Dollar Bank, Federal Savings Bank. Sara earned her Bachelor of Science degree in Information Science and Technology from Penn State University.