Taking Control of Vendor Risk: A 6-Step Approach

To take control of your risks, you need to understand the risks posed by your company’s third-party vendors.

InformationWeek Staff, Contributor

October 24, 2018


It may sound like a no-brainer, but you can’t understand the cybersecurity and technology risks posed by your company’s third-party vendors unless you are tracking those vendors and their risks.

Keeping track of your company’s vendor risks can be a huge undertaking that requires more time and money than you are able to provide. With so many cybersecurity threats out there, not to mention regulations regarding cyber risk and data privacy, keeping a watchful eye on it all can be overwhelming.

Defining Vendor Risk

Many companies work with third-party vendors to enable critical business functions and increase operational efficiencies. Yet, these vendors can be a tremendous source of cybersecurity and technology risk.

Recent reports indicate that third-party data breaches are among the most common and most expensive types of cyber incidents, with recovery costs averaging nearly $1.23 million for large firms and increasing by up to 35% per year. Vendors with access to sensitive data, such as financial service firms, SaaS providers, and data storage companies, could pose a significant risk to your organization.

Yet many companies struggle to find the time or resources necessary to track and address the risk presented by their third-party vendors. As a result, these companies cannot fully understand the number of vendors they use, or the amount of data they are exposing. A recent Ponemon Institute report indicated that only 33% of companies keep an inventory of their third-party vendors and the company data that those vendors have access to.

How to Track Vendor Risk

The key to keeping vendor risks under control is keeping a comprehensive vendor risk tracking list. The challenge is how to best do this with limited time and resources.

Use the following tips to stay on top of the vendors your company uses, and to ensure that their cyber and technology risks are accounted for and under control:

  1. Account for every vendor – You may have an existing vendor list, or perhaps you have a partial list. It’s important to keep the list current and comprehensive. Verify vendor information with your company’s accounting department, and with the staff in charge of procurement. Weed through the list for duplicates, or vendors that are no longer active. Ask all department heads to list vendors they use, and make sure their information is consistent with the information on file. Consider granting vendors limited access to directly update some of their information (e.g., logos, subsidiaries, addresses, products, services), while implementing an approval and follow-up process.

  2. Centralize data – Ensure the vendor list is managed centrally and easily accessible. Consider appointing someone to maintain the list, and make sure their authority is established by upper management and recognized across the organization. Consider using a dedicated vendor management technology solution as needed.

  3. Conduct due diligence – Make sure every vendor is evaluated in terms of their cybersecurity practices, and how they align with your own. Prioritize vendors that have access to your sensitive data or pose operational risk. Review the vendors’ protective practices, incident response plans, business continuity plans, etc.

  4. Assess vendor risk – Assign a point value or some other ranking system for vendors, in terms of their criticality to your firm and their level of risk. Have the relevant business unit rank the vendor’s importance to the company (e.g., as critical, important, useful, or superfluous). Have your cybersecurity team, or at a minimum your IT team, analyze the vendor’s responses and due diligence results. Be cautious not to have the same vendor review itself. Be honest in your rankings, and provide the opportunity for follow-up.

  5. Track and address risks regularly and continuously – Keeping your firm secure in terms of vendor risk is a continuing effort. Don’t record risks now, then neglect to maintain the list over time. The key is consistency and accountability. To reduce risk, keep vendor risk tracking on track. Continue tracking vendors over time, and with increased frequency if they provide a crucial service to your company.

  6. Consider getting help – Just like you contract vendors to take care of specialized tasks, consider that same strategy for tracking vendor risk. Outsourcing vendor management to a company that specializes in monitoring vendors, follows up on their due diligence, and has the experience and expertise to do so efficiently and effectively can ultimately save you time, money, and worry. Getting help can substantially reduce your cybersecurity and technology risk.

Track Vendors to Keep Your Company Secure

You’re committed to reducing your firm’s cybersecurity and technology risk. Your efforts keep the cybercriminals and other bad actors at bay (not to mention the potential fines from regulators).

But to take control of your vendor risks, you need to understand the risks posed by your company’s third-party vendors. To do so, keep a comprehensive tracking list of your company’s vendors. Keep the list complete, up-to-date, and centralized. Rank vendor risk, and follow up with due diligence. Make this a continuing and ongoing effort, or consider outsourcing the job. By doing all of this, you’ll have taken control of your vendors and helped keep your firm’s data secure.

About the Authors:

Jeff Rowley is a Principal Consultant at ACA Aponix, the cybersecurity and IT risk division of ACA Compliance Group. Jeff has over twenty years of experience in technology and risk in the financial sector. Most recently, Jeff served as Vice President for Bank of America Merchant Services where he was responsible for designing, implementing, and sustaining OCC compliant third-party programs. Jeff earned his Bachelor of Science from the University of North Texas and has accumulated advanced studies in Accounting and Computer Science from the University of Hartford and Rensselaer Polytechnic Institute, respectively. Jeff is a Certified Third-Party Risk Professional (CTPRP).

Sara Laverick is a Principal Consultant at ACA Aponix. Prior to ACA, she served as an Information Security Risk Consultant for HM Health Solutions, Inc. Before that, she served as a Data Security Analyst and later as a Data Processing Officer for Dollar Bank, Federal Savings Bank. Sara earned her Bachelor of Science degree in Information Science and Technology from Penn State University. 
