Where We Were
Diligence mattered, but was relatively straightforward. Not long ago the vendors, suppliers, and other 3rd parties your business engaged with were discrete, independent providers of services or materials. You communicated by phone, fax, written correspondence or maybe email or EDI. For the most part data flows were simple. Your interactions with 3rd parties were activity and event driven, with clear boundaries and endpoints. The secure perimeter of your organization was well defined and easy to see, as were any access or exchange points. And the businesses were “real”, with physical buildings and their own staff. Then everything changed…
Where We Are
The internet has made it dramatically easier to find and work with a much larger universe of suppliers and, in parallel, made it easier for suppliers to find and serve customers all over the world. As a result, there are more suppliers than ever offering more solutions than ever, increasing opportunities for firms to better focus, reduce costs, improve quality, outsource functions and the like. Further, these new solutions are increasingly info-centric, so suppliers require more of your data to deliver the requested solutions. And of course, these new suppliers are increasingly distributed and virtual, built on their own combination of internal and third party resources – the net of which is “the offer looks great, but how trustworthy and reliable is this supplier?”
The challenge is greater than simply the number and diversity of suppliers. Most firms communicate with others – you, their other customers, their vendors – over the shared, public internet. Malicious actors use that same infrastructure to look for opportunities to steal products and information and then sell or ransom them. Bottom line – this new world comes with great benefits, but also with costs, one of which is the risk of loss or exposure of key or sensitive data.
Running parallel to this shift in supporting infrastructure has been an equally challenging mix of new regulations governing the security of, and access to, sensitive data. Legal and regulatory changes make your firm responsible for all of its data: both the data in your control and the data shared with, stored by, or controlled by your vendors. This complicates managing the risks from emerging cyber-attack threats and from customer expectations of security and defense, and it leads to more complex contractual agreements. Meanwhile the ever-growing demand for new and easier customer services requires your company to adroitly navigate a cyber minefield of devices, communications protocols, obligations, new data and metadata, data-mining programs, and the looming promise of artificial intelligence, which will generate still more system complexity. Comprehensive vendor due diligence is now an operating necessity!
Normalizing control and risk management for all the cyber, regulatory, operating and contractual threats described can seem a daunting task. Let’s take this knot apart and offer some approaches to bringing things into a set of manageable practices.
First: Identify Your 3rd Party Relationships
This seems obvious but in fact may be more revealing than at first glance. Ever watched the credits from a movie? Notice all the different roles, services, players, and participants that are not part of the production company or the acting talent. The list may seem endless. But each could be offering a service whose delivery or payment may involve some of the issues and technologies noted above. Sometimes these services seem fairly separate from your core business, like catering food for the production crew. But there’ll be an order, a bill, and a payment…and likely some electronic interaction before that’s all done. There may even be a contract. You can see the opportunities. Remember, some of the biggest successful cyber-attacks in recent years were initiated through communications between retail firms and building service contractors. Threat actors look for the easiest, weakest, least monitored or least secure routes to penetrate your defenses. Knowing who your vendors are, what they do for you and how they do it is an important first step to determining the scope of your “soft perimeter”.
Second: How bad could it be?
Ask yourself this question: if this supplier failed to perform for some reason, what would happen? Would a key factory line shut down? Would payroll be late? Would we be the lead story on the nightly news? Face a fine? Or, would we have a small hiccup, fix it/change vendors and move on?
For each vendor, systematically asking yourself what could happen if the vendor failed and how challenging recovery would be will help define the level of diligence required.
Third: Determine Supplier Basics
This is pretty straightforward, but it needs to be done. Do a background check on the firm: How long have they been in business? A quick check of their financial viability or payment history can tell you a lot. Do you have a “good” contract in place, with appropriate obligations and remedies for failure to perform? Perhaps an insurance certificate? A non-disclosure agreement? Basic hygiene will take you a long way.
Fourth: Determine What Information Goes Where
From a cyber threat perspective there are several considerations at a minimum. How does the vendor communicate with you electronically? Do they have access into your network? If so, how are access credentials granted, monitored, and managed, and who controls them? Are personal mobile devices allowed to connect, and if so, what security requirements apply to them? What information is being accessed? Shared? Transferred? Secured? Is any of this information within the scope of compliance obligations, either regulatory or contractual? Does the vendor carry cyber insurance? Does the information, if mishandled, pose a significant financial risk to your company (e.g., loss or disclosure of critical intellectual property)? Documenting which vendors handle important information, how it’s used, and whether and where it might be stored or transmitted begins to identify risk exposures and the related controls to address them.
Fifth: Consider the Resources of Your Vendors
A company of two is unlikely to have a dedicated CIO, CTO, or CRO. It’s also unlikely to have the resources to implement costly, sophisticated security controls, or even dedicated staff to respond to related information requests. Even larger firms richer in resources may not operate within industries that attend to cyber threats in any organized manner. Their technological sophistication and on-hand resources may be thin. They may not recognize (nor be able to support) the security and risk management controls and practices your company would normally apply to their situation. Regulatory compliance might not be a part of what they do, nor the recordkeeping your own staff need to demonstrate and support compliance. If the vendor does have strong security and compliance resources, how are they applied to your business and the interaction between you? Are there processes and procedures in place on both sides to address the risks resulting from your relationship and interactions? Are there dedicated staff on both sides? How are potential incidents identified? How might these matters be defined and addressed in your engagement contracts, letters of intent, and procurement processes?
Now, What You Can Do
You’ve identified the scope of threat potential (cyber, operational, financial and regulatory), and understand the resources your vendor has to support any partnership with your organization. So, what, specifically, should you do? There are a number of options, but to manage this overall process, let’s start at the beginning.
Setting up a process to manage vendor risk and security is simply an aspect of good governance of your own risk management program. As stated, your vendors and those relationships extend your company’s boundaries. Many firms operating under regulatory and contractual obligations regarding the data they create, capture, store and exchange begin the process with a structured questionnaire for a prospective vendor. This questionnaire is designed to gather answers to many of the questions raised so far. It allows your vendor managers, procurement staff or whoever is assigned to oversee this process to build a profile of the vendor, determine risks, relate them to the obligations and controls in place at your firm, and begin to negotiate cooperative actions to address needs. The results of these actions can feed into contract negotiations. They may also identify a need for some risk offset through insurance, where available. The strength of the actions needed is determined by the extent of the financial, operational, regulatory or physical risk associated with each vendor’s services.
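The questionnaire answers only earn their keep once they are turned into a consistent tier that sets how much diligence a vendor gets. The following is an added example, not code from the original article or any product it mentions, of one way to score the questions raised in the sections above (impact of failure, data handled, network access, vendor resources, contract and insurance) into a due-diligence tier and a list of required actions. The field names, weights and tier thresholds are assumptions for illustration; a real program would set them from its own risk appetite and obligations.

```python
"""Vendor risk tiering from questionnaire answers (added illustrative example).

Assumptions (not from the original article): the questionnaire fields, scoring
weights, and tier thresholds below are hypothetical and should be calibrated
to your own risk appetite and regulatory obligations.
"""
from dataclasses import dataclass, field
from enum import IntEnum
from typing import List, Set


class Impact(IntEnum):
    """Answer to 'how bad could it be if this vendor failed or was breached?'"""
    MINOR = 1      # small hiccup: fix it or change vendors and move on
    MODERATE = 2   # late payroll, a missed deadline
    SEVERE = 3     # a production line down, a regulatory fine
    CRITICAL = 4   # lead story on the nightly news, core IP lost


# Data classes that carry regulatory or contractual obligations (assumed set).
REGULATED_DATA = {"PII", "PHI", "PCI"}


@dataclass
class VendorProfile:
    """One row of the vendor inventory, filled from the questionnaire."""
    name: str
    impact_if_failed: Impact
    data_classes: Set[str] = field(default_factory=set)  # e.g. {"PII", "IP"}
    network_access: bool = False          # any path into our network (VPN, API keys)?
    shared_credentials: bool = False      # one login used by the whole vendor?
    byod_allowed: bool = False            # personal devices connect to our systems?
    has_security_staff: bool = True       # dedicated security/compliance people?
    cyber_insurance: bool = False
    contract_has_security_terms: bool = False


def inherent_risk_score(v: VendorProfile) -> int:
    """Exposure before any of the vendor's own controls are credited."""
    score = 10 * int(v.impact_if_failed)
    score += 5 * len(v.data_classes & REGULATED_DATA)
    if "IP" in v.data_classes:
        score += 8                        # loss of critical intellectual property
    if v.network_access:
        score += 10                       # a route through the soft perimeter
        if v.shared_credentials:
            score += 5                    # no accountability, hard to revoke cleanly
    if v.byod_allowed:
        score += 5
    if v.data_classes & REGULATED_DATA:
        score += 5                        # compliance obligations follow the data
    return score


def control_offset(v: VendorProfile) -> int:
    """Credit for controls the vendor can actually evidence."""
    offset = 0
    if v.has_security_staff:
        offset += 5
    if v.cyber_insurance:
        offset += 3
    if v.contract_has_security_terms:
        offset += 4
    return offset


def residual_risk_score(v: VendorProfile) -> int:
    return max(inherent_risk_score(v) - control_offset(v), 0)


# Thresholds are assumptions; Tier 1 gets the deepest diligence.
TIERS = [(40, "Tier 1"), (25, "Tier 2"), (12, "Tier 3"), (0, "Tier 4")]


def diligence_tier(v: VendorProfile) -> str:
    score = residual_risk_score(v)
    return next(tier for threshold, tier in TIERS if score >= threshold)


def required_actions(v: VendorProfile) -> List[str]:
    """Gaps between the answers and the controls we would normally require."""
    actions = []
    if v.network_access and v.shared_credentials:
        actions.append("replace shared login with named per-user accounts and MFA")
    if v.network_access and not v.contract_has_security_terms:
        actions.append("add security, breach-notification and audit-right clauses to the contract")
    if v.byod_allowed:
        actions.append("require device posture checks for personal devices, or prohibit BYOD")
    if v.data_classes & REGULATED_DATA and not v.contract_has_security_terms:
        actions.append("document compliance flow-down obligations for regulated data")
    if v.impact_if_failed >= Impact.SEVERE:
        actions.append("maintain an exit plan: alternate supplier plus data return or destruction")
        if not v.cyber_insurance:
            actions.append("request a cyber insurance certificate or accept the uncovered loss in writing")
    if not v.has_security_staff and diligence_tier(v) in ("Tier 1", "Tier 2"):
        actions.append("vendor has no dedicated security staff: name a contact and agree an incident-reporting procedure")
    return actions


# Constructed sample inventory (not real vendors).
SAMPLE_VENDORS = [
    VendorProfile("crew-catering", Impact.MINOR, has_security_staff=False),
    VendorProfile("hvac-corp", Impact.MODERATE, network_access=True,
                  shared_credentials=True, byod_allowed=True, has_security_staff=False),
    VendorProfile("payroll-inc", Impact.SEVERE, data_classes={"PII"},
                  cyber_insurance=True, contract_has_security_terms=True),
]

if __name__ == "__main__":
    for vendor in SAMPLE_VENDORS:
        print(f"{vendor.name}: {diligence_tier(vendor)} (residual {residual_risk_score(vendor)})")
        for action in required_actions(vendor):
            print(f"  - {action}")
```

Note what the sample shows: the building services contractor with a shared VPN login and personal devices lands in the top tier even though a failed HVAC service is only a moderate business impact, because the network path it opens is what an attacker would use. Impact of failure and attack surface are scored separately so that neither one hides the other.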
The monitoring practices you employ across your own enterprise should, wherever feasible, extend into this “grey cloud” of interactions with vendors and suppliers. It’s useful to establish baseline standards and metrics for this category, so anomalies can more easily be detected: which vendor accounts exist, from where and when they normally connect, and which systems they are contracted to touch. While you cannot hope to prevent every attack, good incident management begins with early, precise detection and identification of malicious events, and their speedy termination.
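To make that baseline concrete, here is an added example, not code from the original article, of detection logic run over vendor access logs. It records the per-vendor baseline agreed at onboarding (service window, published source network, in-scope systems) and flags connections that fall outside it. The log format, vendor names, networks, and log lines are all constructed for illustration.

```python
"""Baseline-and-anomaly checks over vendor access logs (added illustrative example).

Assumptions (not from the original article): the log line format, the vendors,
their contracted access windows, source networks, in-scope systems and the
sample log below are constructed for illustration.
"""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple

# Per-vendor baseline captured from the onboarding questionnaire and contract (assumed).
VENDOR_BASELINE = {
    "hvac-corp": {
        "hours_utc": (7, 19),               # contracted on-site/remote service window
        "source_nets": ["203.0.113.0/24"],   # egress range the vendor declared
        "systems": {"bms-gateway"},          # building-management host only
        "max_failures": 3,                   # failed attempts tolerated per user
    },
    "payroll-inc": {
        "hours_utc": (6, 22),
        "source_nets": ["198.51.100.0/25"],
        "systems": {"hr-sftp"},
        "max_failures": 3,
    },
}

# Constructed log format: one key=value record per line.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) vendor=(?P<vendor>\S+) user=(?P<user>\S+) src=(?P<src>\S+) "
    r"system=(?P<system>\S+) action=(?P<action>\S+) result=(?P<result>\S+)$"
)

Alert = Tuple[str, str, str, str]   # (kind, vendor, user, detail)


def parse_line(line: str) -> Optional[Dict[str, object]]:
    m = LOG_RE.match(line.strip())
    if m is None:
        return None
    rec: Dict[str, object] = m.groupdict()
    rec["ts"] = datetime.strptime(str(rec["ts"]), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return rec


def detect_anomalies(lines: List[str]) -> List[Alert]:
    """Compare each record against the vendor's agreed baseline; return alerts."""
    alerts: List[Alert] = []
    failures: Dict[Tuple[str, str], int] = defaultdict(int)
    for line in lines:
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            alerts.append(("unparseable", "-", "-", line.strip()))
            continue
        vendor, user = str(rec["vendor"]), str(rec["user"])
        base = VENDOR_BASELINE.get(vendor)
        if base is None:
            # An account we never onboarded is itself a finding.
            alerts.append(("unknown_vendor", vendor, user, "no baseline on record"))
            continue
        ts: datetime = rec["ts"]  # type: ignore[assignment]
        start, end = base["hours_utc"]
        if not (start <= ts.hour < end):
            alerts.append(("off_hours", vendor, user, ts.isoformat()))
        src = ipaddress.ip_address(str(rec["src"]))
        if not any(src in ipaddress.ip_network(n) for n in base["source_nets"]):
            alerts.append(("unknown_source", vendor, user, str(src)))
        if rec["system"] not in base["systems"]:
            # Lateral movement from the contracted system to something else.
            alerts.append(("out_of_scope_system", vendor, user, str(rec["system"])))
        if rec["result"] == "failure":
            failures[(vendor, user)] += 1
            if failures[(vendor, user)] == base["max_failures"] + 1:   # fire once
                alerts.append(("repeated_failures", vendor, user,
                               f"{failures[(vendor, user)]} failures"))
    return alerts


# Constructed sample log (not real traffic).
SAMPLE_LOG = """\
2024-03-04T09:12:01Z vendor=hvac-corp user=hvac-tech1 src=203.0.113.9 system=bms-gateway action=vpn_login result=success
2024-03-04T10:30:15Z vendor=payroll-inc user=pr-batch src=198.51.100.20 system=hr-sftp action=file_put result=success
2024-03-05T02:13:00Z vendor=hvac-corp user=hvac-tech1 src=203.0.113.9 system=bms-gateway action=vpn_login result=success
2024-03-05T02:15:42Z vendor=hvac-corp user=hvac-tech1 src=203.0.113.9 system=pos-controller action=smb_session result=success
2024-03-06T11:02:09Z vendor=payroll-inc user=pr-batch src=192.0.2.77 system=hr-sftp action=file_get result=failure
2024-03-06T11:02:20Z vendor=payroll-inc user=pr-batch src=192.0.2.77 system=hr-sftp action=file_get result=failure
2024-03-06T11:02:31Z vendor=payroll-inc user=pr-batch src=192.0.2.77 system=hr-sftp action=file_get result=failure
2024-03-06T11:02:44Z vendor=payroll-inc user=pr-batch src=192.0.2.77 system=hr-sftp action=file_get result=failure
"""

if __name__ == "__main__":
    for kind, vendor, user, detail in detect_anomalies(SAMPLE_LOG.splitlines()):
        print(f"{kind:20} {vendor:12} {user:12} {detail}")
```

The two hvac-corp records at 02:00 UTC are the interesting ones: a contracted HVAC account connecting at night and then opening a session to a point-of-sale host is exactly the pattern the “building service contractor” route described earlier would produce, and it is only visible because the baseline records which single system that vendor is supposed to reach. The payroll records show the other common signal, a valid account used from a network the vendor never declared, followed by repeated failures.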
All of these actions should converge into your procurement processes and help identify vendors who not only suit your operating needs, but match your risk appetite across cyber, IT, operational, financial, regulatory and reputational risk areas too.
The Role A GRC Platform Can Serve
Clearly, a process with many variables requires a means of detailed but associative recordkeeping, activity tracking, and reporting. These are strengths of a GRC toolset. The vendor questionnaire can be modeled as an assessment. The results, analyzed and presented through the GRC’s reporting tools, can quickly identify areas needing specific attention beyond the contractual agreement. If projects are undertaken to put processes or procedures in place for compliance or other risk remediation, their status, milestones and issues can be tracked through the GRC toolset and associated with the specific risk areas they address. Annual schedules and triggers for reassessment can easily be set as well. GRC reporting can create dashboards and matrices to highlight vendor compliance program attributes, and point out compliance risks and concerns before they become incidents. It’s useful and efficient to have all of this vendor risk information residing in one secure repository that serves as the authoritative source for your vendor management, procurement, and risk management teams.
Monitoring results, incident data, and even findings from any vendor audits resulting from contractual commitments can all be stored, analyzed, and combined to yield a more precise understanding of your vendor risk footprint across your lines of business. Doing this helps foster a collaborative environment. It also reduces the opportunity for needless duplication of effort. Further, compliance managers and monitoring regulators will see consistent, reliable information when there is a single authoritative source for vendor data. And, of course, these efficiencies help manage down the costs of vendor management and regulatory and contractual compliance, while contributing to a more complete picture of your overall risk profile as an enterprise.
About the Author:
Simon Goldstein is an accomplished senior executive blending both technology and business expertise to formulate, impact, and achieve corporate strategies. A retired senior manager of Accenture’s IT Security and Risk Management practice, he has achieved results through the creation of customer value, business growth, and collaboration. An experienced change agent with primary experience in financial, technology, and retail industries, he’s led efforts to achieve ISO2700x certification and HIPAA compliance, as well as held credentials of CRISC, CISM, CISA.