Don’t Let Third Parties Be Your Downfall — How to Ensure Your Vendors are Protecting Your Assets
In the wake of the recent Equifax breach that potentially affected the personal data of more than 143 million Americans, Equifax is pointing the finger at one of its third-party vendors as the cause.
When dealing with third-party vendors, there is more at stake than organizations may realize. Vendors are entrusted with sensitive data and play a critical role in your ecosystem. According to a recent survey by Soha Systems, third-party breaches accounted for 63% of all breaches in 2016.
Every vendor selected to store or access data for an organization has to not only protect that data, but also protect the organization’s reputation. Many organizations assume that signing a contract mitigates all risk. However, this could not be further from the truth and serves to highlight why vendor due diligence is critical.
7 Steps to Ensure Your Vendors are Protecting Your Assets
Having a thorough and well-defined process for reviewing vendor relationships is critical to the long-term success of your organization. Here are 7 steps your company should take to protect your data when vetting a new vendor.
- Research potential service providers — Check for common vendors, customer reviews, and determine the scope of the project/relationship to narrow down the selection.
- Determine if a Request for Proposal (RFP) is necessary and select a timeline for the vendor selection process — If an RFP is needed, develop a clear description of the service necessary outlining any specific compliance requirements. Require a formal response and set a reply-by date.
- Begin the comparison — Detail the positives and negatives of each vendor as well as what is required for the service. Determine if the vendor meets the needs of the organization financially and functionally.
- Perform due diligence if sensitive or confidential data is involved — Make sure each questionnaire is custom-tailored to the specific vendor type, industry, service line, and compliance requirements identified. If you’re not using a questionnaire, obtain other sources of information such as an on-site report or audit documentation.
- Complete a risk assessment to help determine if the selected vendors put the organization at risk — High and medium findings can impact the organization and lead to reputational damage. The vendor should help determine what can be remediated or mitigated.
- Present due diligence results to senior management for approval — This includes research, risk assessment reports, and planned monitoring or mitigation activities. Presenting them helps management make an informed decision and incorporate the identified risk into a holistic risk management strategy for the organization.
- Review the contract and negotiate any terms for data protection, including audit and monitoring clauses — Determine whether the vendor is critical and incorporate an exit strategy for both the organization and the data.
Contract negotiation and annual reviews, although necessary, should be the last step in the vendor management lifecycle. Before a contract is reviewed, there are certain foundational risks that need to be addressed for every new and continuing relationship. Don’t let third parties be your downfall.
For more information on mitigating vendor and third-party risk, check out our Introduction to Risk Management webcast series:
- Part 1: Vendor and Third-Party Risk
- Part 2: A Demonstration of the ACA Aponix Module in ComplianceAlpha
For More Information
If you have any questions, please contact your regular ACA Aponix consultant or email us at [email protected].