Vendor risk management is nothing new to most security and privacy professionals. Programs for managing vendors are typically well-established and have run like clockwork for quite some time — with many firms requiring their critical vendors to allow access for periodic on-site assessments of privacy, security, and other controls. But as with so many things this year, the coronavirus pandemic has brought well-oiled vendor risk management processes to a screeching halt. Now, without the ability to conduct on-site audits, many organizations lack their usual visibility to assess risk factors and validate whether their providers are doing all they have agreed to in their contracts and service-level agreements (SLAs).
This is particularly concerning given that vendors and third-party providers are a prime source of breaches in security, privacy and/or compliance. Risk Based Security reported that the incidence of breaches, "involving companies handling sensitive data for business partners and other clients," rose by 35% from 2017 to 2019 and exposed 4.8 billion records last year.
Security and privacy professionals are well aware of the potential for exposure among their outside partners, which is why most follow the best practice of ranking their vendors on a hierarchy spanning low risk to high risk, with close attention, auditing, and on-site visits paid to the highest risk vendors. Even without on-site access, organizations still face the same risk management and regulatory obligations to monitor and ensure third parties are protecting their information. But obtaining a high level of assurance without seeing items firsthand is tricky. Organizations must now take their previous assessment plans and modify the testing steps to enable virtual assessments.
Here are some key considerations for making those adjustments.
Start With a Review of Risk Rankings for All Third Parties
This will help determine if their rankings have changed as a result of the pandemic. Have any vendors missed SLA obligations? If so, a safe bet would be to increase their risk rating until there's visibility into the root causes for those slips in service. This step also includes examining the countries in which each vendor operates and how those countries have been affected by the events of this year. This may require engaging internal stakeholders that represent the user group to understand any service disruptions they have seen.
Update Previous Assessment Criteria
Updates will focus on additional or elevated risks that may have been introduced by remote workers at your organization, or your vendors' remote workers. Work-from-home conditions and supply chain impacts are two areas that should be looked at closely in today's risk assessments. Work-from-home conditions should focus on what measures the third party has put in place to ensure a secure work from home environment, including training on protecting sensitive information and security requirements for connecting to the network. Vendor resiliency — i.e., what third parties have done to stabilize their operations during the pandemic and what lessons they've learned along the way — should also be added to assessment criteria.
Leverage Existing and Past Reports
Everything from SOC 2 and other audits will help you understand where to focus scrutiny during assessments. Likewise, if you completed an assessment on a vendor within the past couple of years, it is likely many of the controls observed are still in place. While this does not remove the need to test the controls, it can provide a higher level of assurance for controls that can't be validated remotely.
Use Collaboration Tools
Collaboration tools will let you verify controls and how training systems are managed and tracked. Live demos of key systems and video tours of critical areas and materials can provide sufficient alternatives to in-person visits. Ask your vendor to provide you with insight into its change management tools, including ticketing systems, and use secure portals for sharing policy documents and evidence, so you can gain a more comprehensive picture of the vendor's internal procedures.
Establish Ongoing Monitoring for Key Service and Compliance Metrics
Pay close attention to red flags, including SLAs as well as data breaches and any gaps in vendors' business continuity.
Increase Sample Sizes
It's especially useful to look at broader time frames for higher-risk areas. This will help ensure the process or control being evaluated has been in place and is operating effectively and consistently for an extended duration — particularly during the pandemic.
Someday, we'll return to a version of life as we knew it, and in-person visits will resume. But until then, remember that risk of a business and/or vendor failure is higher in our current environment than it is in typical circumstances. Organizations need a contingency plan for various scenarios, including exposure due to third-party actions (or inactions) and in the event that a high-risk third party fails. Be ahead of and prepared for these scenarios by establishing strong incident response, developing plans for moving systems in-house or to alternate providers as needed, and maintaining continuity for ongoing and robust risk assessments.Ryan Smyth, Managing Director, FTI TechnologyRyan Smyth is a Managing Director in FTI Consulting's Technology segment. He advises clients on a wide range of regulatory and compliance issues, with a specific focus on privacy, information security, data governance and business ... View Full Bio