6 Steps That Can Help Mitigate Cyber Risk Through Vendor Management


Look to these best practices to enhance your vendor risk management program

University of Miami Health System recently joined Shell Oil Company, grocery chain Kroger and other organizations in launching a data breach investigation related to cloud services provider Accellion. When hackers attacked the vendor’s file transfer servers, they not only gained access to the vendor’s files, but also to the data owned by the organizations they serve.

Similarly, Medicaid provider Health Share of Oregon was affected and suffered a major loss when an unencrypted laptop containing personally identifiable information (PII) was stolen from their vendor’s office. Although the vendor’s office was the reported source of the security incident that resulted in the November 2019 breach, Health Share of Oregon was ultimately left with the responsibility to notify more than 650,000 patients, provide them with a year of credit monitoring, and report the breach to the Department of Health and Human Services (HHS).

Around the same time, an Australian bank announced intruders had stolen PII during a server upgrade, compromising bank account numbers and balances of 96,000 members. The breach occurred through a vendor hosting site.

Vendor partnerships are critically important in today’s business world, and the pandemic has accelerated many organizations’ digital transformation: remote work, cloud adoption, and virtual services such as telehealth and FinTech platforms all continue to expand. But this increased reliance on third parties comes with a price: added exposure to cyber risk. Every vendor that can reach your network or hold your data is part of your attack surface, whether or not you control its security practices.

Mitigating ‘Nth party risk’

Part of this increased exposure is “Nth party risk”: a breach of your organization can originate with a vendor’s vendor, or even a vendor’s vendor’s vendor, often a party you have no contract with and may not know exists.

Despite this increased Nth party risk, and the fact that breaches involving third parties cost organizations, on average, up to $700,000 more than other breaches, experts warn that nearly three-quarters of organizations still aren’t requiring their vendors to implement proper information security practices.

For highly regulated industries like healthcare, financial services, and alternative investments that are increasingly targeted by bad actors, it’s more important than ever to minimize the potential impact of a data breach and the strategic, reputational, financial, operational, and regulatory risks that come along with it.

Best practices for vendor risk management

Organizations should take a holistic approach to champion information security across their business and vendor network.

To start, engage a team of executive management and IT professionals from within your organization to develop a program to both manage vendor relationships and mitigate the associated risks – and consider engaging an experienced and knowledgeable risk advisory firm to assist with these efforts and help identify any gaps.

Below are six best practices that can enhance your vendor management program and help you mitigate third-party cyber risk.

1. Establish risk appetite and tolerance across the entire organization.

Each organization has its own approach and comfort level when it comes to risk. You’ll need to determine your organization’s risk appetite and risk tolerance to serve as a guide for your vendor management program. Specifically, your leadership team needs to decide which types of risks and the amount of each risk the organization is willing to accept.

  • Risk appetite is the overall risk or loss exposure the organization is willing to accept or bear in pursuit of its business objectives.
  • Risk tolerance is the specific level of risk the organization can accept or bear with regard to an individual project, objective, or risk category.

It’s possible that your organization has a low risk appetite overall but a higher risk tolerance when it comes to a specific area – or vice versa.

2. Assess vendor risk.

Each vendor opens your organization to potential risk — and that risk increases as their access increases — so, do your due diligence. Determine how critical the vendor is to the success of your business and what potential risks they could pose.

Request a system and organization controls (SOC) report from the vendor. For evaluating cybersecurity-related controls, you should specifically ask for a SOC 2 report, which covers the Trust Services Criteria for security and, where in scope, availability, processing integrity, confidentiality, and privacy. The report includes an independent auditor’s opinion on whether the vendor’s controls are suitably designed and implemented as of a point in time (Type 1), or suitably designed and operating effectively over a period of time, such as a 6- or 12-month period (Type 2). A Type 2 report is the more useful of the two because it tests whether the controls actually worked. When you review the report, don’t stop at the opinion: confirm that the system description covers the services you actually use, read any exceptions the auditor noted, check the complementary user entity controls (the controls the vendor expects you to operate), note whether the vendor’s own subservice organizations are carved out or included, and ask for a bridge letter covering the gap between the end of the audit period and today. It’s important that all vendors who handle your data or your clients’ data have controls in place to mitigate risks from the threats and vulnerabilities relevant to the business.

A qualified risk advisory consultant can perform a comprehensive risk assessment to help you identify vendor-related vulnerabilities, rank each vendor’s risk based on factors such as access to critical data and operational activities, and assist with developing corrective actions to remediate identified control issues or gaps.

3. Establish a universal risk rating methodology.

A vendor risk rating system will help you allocate resources to focus on higher-risk vendors. Following the same methodology across the organization’s various risk assessments, including IT, cybersecurity, and enterprise risk assessments, adds uniformity and standardization. It also lets leadership bring all risks together in one view and identify any areas where risk exceeds the organization’s risk tolerance.

For example, if you choose three levels (e.g., high-moderate-low), stick with them throughout all your risk assessments. Also consider using an existing framework, such as those published by the National Institute of Standards and Technology (NIST), including the NIST Cybersecurity Framework and NIST SP 800-161 on supply chain risk management, to help you identify and manage risks. Depending on the type of risk assessment, a different framework may be more appropriate.

A qualified risk advisory consultant can help you establish a consistent risk rating system and implement an appropriate risk management methodology across the organization.

4. Create boundaries with vendors.

Set your business up for success by creating boundaries — or a minimum set of requirements for cyber security — with your vendors. The most basic may be requiring vendors to have their own information security program, but it’s also a good idea to clarify the boundaries between your vendor and their vendors or clients.

A recent example of the importance of vendor boundaries is the SolarWinds breach disclosed in December 2020, in which attackers inserted a backdoor into legitimate updates of the SolarWinds Orion monitoring platform that customers then installed. Because Orion typically runs with broad privileges and visibility into the networks it monitors, a compromise of the vendor became a compromise of its customers. One of the primary lessons learned so far from the ongoing investigation is that giving a vendor’s software or staff unrestricted access to your network can have devastating consequences.

While this situation is sometimes difficult to avoid, you can protect your customers by setting boundaries for your vendors that limit how a compromised vendor could undermine your organization’s ability to maintain a secure environment:

  • Segregate vendors from the rest of your network: give vendor accounts and vendor-managed systems access only to the hosts, ports, and data they need, and block everything else
  • Have a redundant system working in parallel so a vendor outage or compromise does not halt your operations
  • Use an independent third party, not the vendor itself, to actively monitor vendor activity for anomalies
  • Define vendor responsibilities for responding to and recovering from incidents, including notification timelines, before engaging with them
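The first boundary above, segregating vendor access from the rest of the network, is the one that is usually enforced in configuration rather than in a contract. Below is an added example of what that looks like on a Linux gateway using nftables; it is illustrative and not part of the original article or any vendor’s own configuration. The addresses and ports are assumptions: the vendor connects through a VPN whose address pool is 10.50.0.0/24, is contracted to administer two hosts (10.20.5.10 and 10.20.5.11), and needs only HTTPS and SSH to them. Everything the vendor pool sends to any other internal address is dropped and logged, so the independent monitor from the third bullet has a record of attempted lateral movement.

```nftables
#!/usr/sbin/nft -f
# Added example (not from the article): confine a vendor's remote-access
# subnet to the hosts and ports it is contracted to manage, and log all
# other attempts. All addresses and ports below are assumed placeholders.

table inet vendor_boundary {
    # Hosts the vendor administers (assumed).
    set vendor_managed_hosts {
        type ipv4_addr
        elements = { 10.20.5.10, 10.20.5.11 }
    }

    # Services the vendor needs on those hosts (assumed: HTTPS and SSH).
    set vendor_allowed_ports {
        type inet_service
        elements = { 443, 22 }
    }

    chain forward {
        type filter hook forward priority filter; policy accept;

        # Replies for sessions already permitted below.
        ct state established,related accept

        # Vendor VPN pool (assumed 10.50.0.0/24): allow only new TCP sessions
        # to the managed hosts on the allowed ports, and log each one.
        ip saddr 10.50.0.0/24 ip daddr @vendor_managed_hosts tcp dport @vendor_allowed_ports ct state new log prefix "vendor-allow " accept

        # Anything else from the vendor pool toward internal address space is
        # an anomaly: count it, log it for the monitoring provider, drop it.
        ip saddr 10.50.0.0/24 ip daddr { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 } log prefix "vendor-deny " counter drop

        # Traffic not from the vendor pool is untouched by this table and falls
        # through to the gateway's other rules.
    }
}
```

Load it with `nft -f vendor_boundary.nft`; because the file does not flush the existing ruleset, it adds this table beside whatever else the gateway runs, and a reload requires `nft delete table inet vendor_boundary` first. The `vendor-allow` and `vendor-deny` kernel log lines are what you would forward to the monitoring provider; a burst of `vendor-deny` entries from a vendor address is exactly the anomaly the third bullet asks them to watch for.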

In some industries existing regulations provide clear guidelines on dealing with cybersecurity and vendor risk. Under HIPAA, for example, a healthcare organization must have a business associate agreement (BAA) in place with any vendor that creates, receives, maintains, or transmits protected health information (PHI) on its behalf. The vendor must be able to demonstrate that it is taking appropriate steps to protect patient privacy, or your business may want to consider ending the relationship.

5. Develop an enterprise-wide vendor management program.

Incorporate all of the above into a formal vendor management program that also includes:

  • A formal vendor selection process
  • Contract requirements: data breach notification requirements and timelines, termination clauses, confidentiality, minimum information security and cybersecurity requirements, notice and approval of any subcontractors that will handle your data, defined roles and responsibilities, and monitoring and right-to-audit provisions
  • Due diligence scaled to the vendor’s risk rating: financial review, business continuity and disaster recovery planning, incident response procedures, information security program, SOC report review, OFAC review, site visit, and performance and privacy program review
  • Ongoing risk-based monitoring
  • Vendor termination procedures and follow-up

6. Stay up-to-date.

Vendor management isn’t a task to check off your list. It’s critical to review and update your program at least annually. Pay special attention to material changes, such as managerial changes within your organization, new technology that has been onboarded, or a change in the data or access a vendor has, that may require further action to confirm alignment with the organization’s risk and governance policies.

When not managed properly, vendor risk can lead to financial loss, reputation damage, lost business, and in some industries, regulatory penalties. However, cyber risks and other third-party-related risks can be mitigated by developing, implementing, and maintaining a strong and sound vendor risk management program.

Contact Kaufman Rossin’s risk advisory services team for assistance with instituting or enhancing vendor risk management across your organization.


Daniel Rosenberg, CISA, CPA, is a Cybersecurity & Compliance Director at Kaufman Rossin, one of the Top 100 CPA and advisory firms in the U.S.
