Vendor Risk Management: Playing with Fire and Risking Getting Burned

In 2019, the global average cost of a data breach is $3.92 million, a 1.5 percent increase from the 2018 study. While it is impossible to predict exactly where and when a data breach will occur, the costs associated with a breach of personal data are ones no organization can really afford. Over the past several years, we have seen third party vendors become a bigger source of vulnerability for a company. Hackers are targeting these vendors as a method of infiltrating their customers/clients. Instead of chipping away one company at a time, hackers can target vendors that work with numerous organizations, thereby increasing the return on a single compromise. One good hack could reveal personal data from a multitude of clients. While employees still represent a huge vulnerability for organizations, a company cannot afford to ignore its vendors. To do so is to play with fire and risk getting burned.

Creating an effective and workable vendor management program is a key first step to combat this risk. Keep in mind, however, that cybersecurity is not about risk elimination but risk mitigation. Cybersecurity is not a zero sum game. Using electronic devices means assuming some risk. However, the difference between assuming certain calculated risks and being a sitting duck is having a good vendor management program.

Admittedly, vendor management is a difficult and complicated matter but one that cannot be ignored. In addition, many cybersecurity and data privacy regulations require (or as good as require) an organization to conduct vendor due diligence; think NYDFS Cyber Reg 500 and the General Data Protection Regulation (GDPR) out of Europe. So gather your strength and prepare to arm your organization with the tools necessary to protect itself. 

Given the complexity of vendor management, it may be helpful to look at some key areas to start the journey. First, identify the high risk vendors. All vendors for an organization are not the same. Vendors that have a higher level of visibility or accessibility into a system are generally the ones that pose the biggest risk. Couple that access with the type of data that the vendor accesses and you should be able to create the category of “high” priority vendors. It is important to evaluate each vendor using the same type of scale; that will ensure that the vendor management program works operationally. Another issue to consider is how critical that vendor is to the functionality of business operations. Scaling each vendor on the basis of the type of data, the sensitivity of the data, and criticality to the business is key to an effective vendor management program.

In order to analyze each vendor, the organization needs information on that vendor. The second step is to create a vendor questionnaire based on those identified risk factors. Risk factors can and will be different for different businesses. One critical issue that can affect risk factors is regulatory compliance. If your organization is required to comply with GDPR, HIPAA, or NYDFS Cyber Reg 500, this can dramatically affect the risk factors and, by extension, the questions your vendors will need to answer. In addition to the questions about data security, cyber-liability insurance, and written information security programs, an organization will also want to focus on questions that will demonstrate the vendor’s regulatory compliance.

Third, your organization should evaluate the proposed contractual language of the vendor. Now it is true that some vendors will not negotiate the contract (for those vendors consider the last and final point below). However, you will never know unless you ask. Review the contracts for limitation of liability provisions, breach notification provisions, and data privacy provisions. For some regulations, like GDPR, NYDFS, and HIPAA, you are required to have certain express contractual provisions in place. Make sure that the contract provisions accurately and appropriately assign risk. If the vendor will not negotiate, you can also transfer liability using insurance. However, be sure that the organization can use that insurance in vendor-related situations.

Fourth, be prepared to walk away. It may sound harsh, but if your vendor does not have sufficient data privacy and security standards, they may not be worth the risk. Also, if they have suffered a breach but have not made any changes to address the vulnerabilities, working with that type of organization is dangerous. All organizations are susceptible to cyber threats, but that just means that all organizations must take cybersecurity seriously. If the vendor cannot demonstrate to your organization that it is constantly assessing and addressing risk, that is not a “good” vendor or a calculated risk.

Vendor due diligence and risk management are not a “set it and forget it” situation. Time and time again vendors are the source of vulnerabilities and threats to a company. Vendor assessments should occur regularly (and be set by internal policy and procedures). The technology that makes our lives easier also makes us more vulnerable. As we continue to build our businesses on a matrix of complex vendor relationships, the convenience of technology (and of outsourcing functions) has a corresponding price: vendor management. Keep in mind that all vendors are a potential threat vector and the only way to combat that is to know and understand your vendors. Ensure that they are treating cybersecurity and data privacy the way your organization does. Because when it comes to vendor risk management, luck favors the prepared.

* * * * * *

Nothing contained in this blog should be construed as creating an attorney-client relationship or providing legal advice of any kind.  If you have a legal issue regarding cybersecurity, domestic or international data privacy, or electronic discovery, you should consult a licensed attorney in your jurisdiction.