As businesses increase their use of outsourcing, organisations are entrusting more of their business processes to third parties and business partners, so they can focus on what they do best. This means they must ensure these third parties are managing both privacy and security well, or risk business uncertainties, legal liabilities and reputational damage. The risk of cyber attacks and data breaches originating from third-party vendors must be identified and mitigated.
While outsourcing has great benefits, if vendors lack strong privacy and security controls, your organisation is exposed to operational, regulatory, financial and reputational risk. Vendor risk management (‘VRM’) or third-party risk management (‘TPRM’) deals with the management and monitoring of risks resulting from third-party vendors and suppliers of products and services. With more cyber threats and ransomware attacks being discovered than ever before, it is important to stay ahead of the curve and manage these risks.
Here are some key things to know about vendor/third-party risk:
Risks might start small, but tend to move up
If an attacker is going to target a large organisation, they’ll want an entry point that won’t raise suspicion. This means using a valid entry point that they can access while appearing legitimate. The attacker finds a third party that is less secure, often a smaller vendor with less stringent security protocols. They then leverage this access to break into a higher-value organisation. Sometimes they use a chain of suppliers until they reach their target.
The Dutch data protection authority gives a real-world example of how an educational institution was told by a supplier (processor) that it had been the victim of phishing. This had resulted in unauthorised persons gaining access to the mailbox of an employee of this supplier. From that mailbox, new phishing mails were sent, including to the educational institution, which in turn gave the attackers access to the institution's inbox.
The attackers had access to the names, addresses, contact details and identification details of thousands of people. This mailbox also contained several copies of teachers' passports.
You are responsible for your vendors
For end-customers, the complexity of third-party relationships can make the full scope of privacy and security risk difficult to comprehend. Even if a risk is due to a service provider's lax security, in the mind of the customer it will be the main organisation that bears responsibility, and it will be the one named in the media. After all, they provided their data to you, not to your suppliers. Furthermore, the organisation will often find it difficult to show that it took sufficient steps to manage its third-party risk through due diligence, and will oftentimes be considered to retain responsibility even if a third party handled its data. If a company takes every precaution internally, but fails to conduct due diligence by vetting the security of a vendor using a tool like a privacy and security assessment questionnaire, it may as well have taken no precautions at all.
What does effective vendor risk/third-party risk management look like?
To be effective in third-party risk management, you need to apply the same criteria to all vendors, adapted to the type of product or service they provide.
- Ensure the entire organisation is on board; without full adoption of your vendor management framework it won't be as successful as it could be.
- Establish an owner of vendor risk management, as well as 3 lines of defense:
  - The 1st line of defense – people that own and manage risk
  - The 2nd line of defense – people that oversee or specialise in risk management and (privacy) compliance
  - The 3rd line of defense – people that provide independent assurance, such as internal audit
- Ensure your contracts include a "right to audit" as well as a description of the security measures the supplier has in place.
  - In the Data Processing Agreement with any party that processes personal data on your behalf (processor), the GDPR requires a right of audit.
  - Also make sure you outline how monitoring will occur, when it will occur, how reviews and feedback are conducted, and how risk exposures are identified and mitigated.
- Take inventory of all third-party vendors your organisation has a relationship with.
- Develop a system to assess current vendors and set a minimum acceptable hurdle for the quality of any future third parties.
  - This can be done with a due diligence checklist to ensure vendors are a fit (also known as a vendor assessment).
- Catalogue the data protection risks that your vendors may expose your organisation to.
- Assess and segment vendors by potential risk, and set out tasks to mitigate risks that are above your organisation's risk appetite.
- Establish contingency plans for when a third party is deemed below quality or a data breach occurs.