Third-party risk assessment is a black hole for most organizations. Some have no concrete list of vendors or even know who they are. Others have a good grasp on who their vendors are but no idea what impact they have on the organization. Still others may understand the impact but have no way to quantify the risk. And then there are those that either have thousands of vendors and don’t know where to begin or those that think they are too small of an organization to ever be affected by a breach.
Regardless of which camp you fall into, vendor breach is a serious threat and something you must address sooner rather than later through risk assessment. As third-party breaches continue to rock the headlines, it’s imperative that companies pinpoint their riskiest vendors through risk assessment and begin the process of evaluating, monitoring and managing those vendors before it’s too late.
To answer the question, “who are my riskiest vendors?” you must first determine which vendors fall into the following three categories of high-impact risk.
- Regulatory Compliance Risk
Heavily regulated industries, such as banking and healthcare, are being held accountable for their vendors’ actions. Auditors want regulated institutions to know who their vendors are, the services they perform, what data they have access to, and if they follow the same compliance regulations. Not conducting a risk assessment to learn this information about your vendors can result in serious fines and consequences.
Regulatory compliance risk involves the risk that your vendors will violate a regulation that you and they must uphold according to the various state agencies and regulators, such as the Office of the Comptroller of the Currency (OCC), Federal Financial Institutions Examination Council (FFIEC), Federal Deposit Insurance Corporation (FDIC), and many others.
If you’re in the healthcare industry, check the Office of Inspector General’s Exclusion Database for vendors that are excluded. This database was setup to safeguard the Department of Health & Human Services programs from fraud, waste and abuse. Contracting with excluded vendors can incur an abundance of fines. The average fine for contracting with an excluded person or entity is $100,000.
- Risk of Data Breach
Since third-party vendors continue to be the linchpin on a number of well-known data breaches, it’s critical to know and document which vendors have access to your data through a risk assessment. Determining this will require a process that involves stakeholders from nearly all areas of your organization including finance, accounting, IT, information security, legal, and compliance.
Organizations need to put a plan in place to identify, evaluate and monitor those third-party vendors that access data. This includes vendors that process, manage and/or store data. The plan begins with vendor contracts, which should document data usage and ownership guidelines. Ongoing monitoring should also be part of your plan to ensure someone is continually managing these high-risk vendors.
- Financial Risk
If your organization relies on third-party vendors to process financial transactions, imagine if that vendor was breached. Not only would your important financial information be in the hands of hackers, but your organization’s finances could be temporarily shut down or compromised. You may experience lost revenue or a delay in accessing your revenue.
Financial risk occurs when your organization suffers financially as a result of a relationship with a vendor. It’s critical to have contingency plans in place for third-party vendors that access your organization’s finances in any way. These vendors include banks and credit unions, credit card companies, payroll processors, fundraisers, or any software that manages your financial transactions, to name a few.
Risk Ranking Third-Party Vendors
To locate and begin managing your riskiest vendors, you first need to conduct a vendor inventory. Next, eliminate any vendor from further review that has no access to your data or financial transactions, such as vendors who provide office equipment, office supplies, food, etc. These are considered low-risk vendors and you simply need to have them on your vendor inventory list to show due diligence.
Every organization can determine the best process for ranking their vendors, but many categorize them as critical, high risk, medium risk or low risk. The medium-risk and low-risk vendors should be inventoried but typically no other action is required since these are the vendors that have minimal impact on your organization if a breach occurs.
Critical and high-risk vendors are those that have access to data or handle your financial transactions. If you’re in a regulated industry, these carry an even heavier burden on your organization. When evaluating these vendors, take the following criteria into consideration and rank them accordingly:
- Data: Does the vendor have access to confidential or private data and not just publicly available data?
- Use of fourth-party vendors: Does the vendor that has access to confidential or private data use vendors that in turn have access to this data?
- Volume: Does the vendor have access to a large volume of records?
- Data flow: Does your data flow outside North America (or the geographical jurisdiction that applies to you) when in the hands of the vendor?
If you answered “Yes” to any of the above statements, these are the vendors you should focus on first as they can have the largest impact on your organization.
Finally, you must conduct a risk assessment on each of your critical and high-risk vendors. The risk assessment questionnaire will vary depending on the vendor’s level of access. This can be a time-consuming and arduous task if done manually with spreadsheets, which is why ProcessBolt has fully automated the risk assessment questionnaire process for organizations. Many organizations have seen a reduction in the time spent assessing vendors by up to 90%.
If you’d like to see how easy vendor risk assessments can be, complete this form to schedule a demo.