With ever-increasing regulatory requirements, a growing focus on reputational risk and the emergence of complex, distributed supply chains, third-party (vendor) risk reviews and ongoing vendor risk management are becoming necessary for businesses of every size.
Rising fines and regulatory penalties, the push to outsource functions that are not core strengths, and customer demand for responsible operations have made third-party risk management a critical activity for protecting your business.
These complex relationships with suppliers, vendors, distributors, agents and joint venture partners need to satisfy regulators as well as shareholder and customer expectations around corporate responsibility, reputational risk and transparency.
As a trusted provider of third-party vendor assessments, Mathom Solutions can help you create and manage a comprehensive, risk-based third-party management program, or work within your current process, providing thorough risk assessments of your third and fourth parties while keeping the process efficient.
Vendor Risk Reviews
A vendor risk review (also called a vendor risk assessment) helps you understand the risks you take on when using a vendor's SaaS product or service. Performing one is especially important when the vendor will handle a core business function, will have access to customer data such as PII, PHI or PCI cardholder data, or will interact directly with your customers.
Vendor risk reviews are critical not only when evaluating a potential vendor or onboarding a new one, but also on an ongoing basis, to confirm that the vendor is maintaining the expected standards and has not introduced new risks to your company or your customers.
The goals of a risk review are to:
- Identify any risks the vendor will pose
- Evaluate whether the vendor can eliminate or reduce those risks
- Monitor the risks that cannot be eliminated
- Assess the impact any remaining risks could have on the company
- Determine whether your company is willing to accept those risks
Risk assessments are typically a series of questions whose answers are scored; the total score places the vendor at a risk level. Mathom Solutions uses several standard questionnaires, including the Shared Assessments SIG, the Cloud Security Alliance's CAIQ, Google's VSAQ, the Minimum Viable Secure Product (MVSP) checklist and the Vendor Security Alliance's VSA questionnaire, together with industry certifications, penetration test reports, policies and, in some cases, on-site reviews or audits, to determine the vendor's risk level. Questionnaire answers are self-attested, so answers that carry a lot of weight in the score should be backed by evidence such as a current SOC 2 report or a penetration test summary rather than taken at face value.
When to Perform Vendor Risk Reviews?
Initial Risk Review
Risk reviews should be introduced to vendors during the Request for Proposal (RFP) process where possible, and otherwise before onboarding. Depending on your RFP process, you may be able to embed the risk review questionnaire in the RFP itself. If you have already selected the vendor, perform the review before onboarding and certainly before granting the vendor access to any data.
The risk review should also be used to gauge the vendor's or third party's ability to respond accurately and promptly, especially in providing the documents you request (e.g. SOC 1, SOC 2, PCI attestation, HITRUST, SIG, ...). Monitor everything closely at this point, as the vendor's performance at this stage is a strong indicator of how it will perform, and protect your data, later.
Red flags to look out for during the risk review that could remove the vendor from consideration:
- Does not describe any processes for safeguarding confidential data (e.g. disk or file encryption, TLS for data in transit, ...)
- Does not perform risk assessments or business impact analysis internally
- Does not have a formal information security policy or related policies
- Does not apply security checks consistently across all business functions
- Does not have a business continuity, disaster recovery or pandemic plan
Ongoing Risk Reviews
Mathom Solutions has found that the best time to perform an ongoing risk review is 90 to 180 days before the contract renewal. This normally leaves enough time to identify any change in the vendor's risk level and respond accordingly before you are committed to another term.
Our practice is to give the vendor 10 to 15 business days to complete the review once it has been sent. Once the responses are back in-house, it should take only a few hours to review the files and upload them into a vendor management system to determine the risk level. At this point you can also compare the current review with the vendor's previous ones to spot trends or changes.
How Often Should Ongoing Risk Reviews Be Conducted?
Ongoing risk reviews should be scheduled based on factors such as the vendor's level of access to data, its current risk rating and your company's risk appetite.
Mathom Solutions typically recommends that reviews should be performed as such:
- Low Risk Vendors – Every two years
- Medium Risk Vendors – Annually, or every two years where data access is limited
- High Risk Vendors – At least annually, with quarterly check-ins
- Critical Risk Vendors – Quarterly
Review a vendor more frequently if it has not been in business long, has gone through a bankruptcy, has recently suffered a breach or ransomware attack, or has recently had layoffs.
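The following is an added example, not Mathom Solutions' own tooling, showing how the pieces above fit together in code: questionnaire answers are scored into a risk tier, the red flags listed under the initial review disqualify a vendor outright, and the tier, the renewal date and any destabilising events determine when the next review must go out. The question ids, point weights, tier thresholds and the halving of the interval after an event are assumptions chosen for illustration; the page only names the factors, not a scoring model.

```python
# Added example (not Mathom Solutions' tooling): score questionnaire answers,
# apply red-flag disqualifiers, and schedule the next ongoing review.
# All weights, thresholds and intervals are assumptions for illustration.
from dataclasses import dataclass
from datetime import date, timedelta

# Questionnaire items: id -> (points added when the control is MISSING,
# whether a missing control is a disqualifying red flag). The first five
# mirror the red flags listed earlier; the last two are assumed extra items.
QUESTIONS = {
    "encrypts_confidential_data":    (30, True),
    "formal_infosec_policy":         (20, True),
    "internal_risk_assessments":     (15, True),
    "bcp_dr_plan":                   (15, True),
    "security_checks_all_functions": (10, True),
    "recent_pentest":                (10, False),
    "soc2_or_equivalent":            (10, False),
}

# Points for the most sensitive data the vendor will handle (assumed values).
DATA_ACCESS_POINTS = {"none": 0, "internal": 10, "pii": 25, "phi": 35, "pci": 35}

# Score thresholds per tier (assumed), checked from highest to lowest.
TIERS = [(80, "critical"), (50, "high"), (25, "medium"), (0, "low")]

# Cadence from the recommendations above: low every two years, medium yearly,
# high yearly (quarterly check-ins handled separately), critical quarterly.
REVIEW_INTERVAL_DAYS = {"low": 730, "medium": 365, "high": 365, "critical": 91}

# Events the page says justify reviewing sooner; halving the interval is assumed.
ACCELERATING_EVENTS = {"new_vendor", "bankruptcy", "breach", "ransomware", "layoffs"}


@dataclass
class Assessment:
    vendor: str
    score: int
    tier: str
    disqualified: bool
    gaps: list


def score_vendor(vendor: str, answers: dict, data_access: str) -> Assessment:
    """answers maps question id -> True (control present) / False (missing).
    An unanswered question counts as missing: silence about a control is a gap."""
    score = DATA_ACCESS_POINTS[data_access]
    gaps, disqualified = [], False
    for qid, (points, red_flag) in QUESTIONS.items():
        if not answers.get(qid, False):
            score += points
            gaps.append(qid)
            disqualified = disqualified or red_flag
    tier = next(name for threshold, name in TIERS if score >= threshold)
    return Assessment(vendor, score, tier, disqualified, gaps)


def as_date(value) -> date:
    """Accept date objects or ISO strings (as exported from a vendor register)."""
    return value if isinstance(value, date) else date.fromisoformat(value)


def add_business_days(start: date, days: int) -> date:
    """Advance by weekdays; weekends skipped, public holidays ignored for brevity."""
    current = start
    while days > 0:
        current += timedelta(days=1)
        if current.weekday() < 5:
            days -= 1
    return current


def next_review(last_review, renewal, tier: str, events=()) -> tuple:
    """Return (send_review_by, vendor_response_due).

    The review goes out at the earlier of the tier cadence and 90 days before
    renewal (the late edge of the 90-180 day window above); the vendor then gets
    15 business days, the upper end of the turnaround quoted above.
    """
    interval = REVIEW_INTERVAL_DAYS[tier]
    if ACCELERATING_EVENTS & set(events):
        interval //= 2
    cadence_due = as_date(last_review) + timedelta(days=interval)
    renewal_due = as_date(renewal) - timedelta(days=90)
    send_by = min(cadence_due, renewal_due)
    return send_by, add_business_days(send_by, 15)


if __name__ == "__main__":
    # Constructed sample answers for a fictional vendor, not real data.
    answers = dict.fromkeys(QUESTIONS, True)
    answers["recent_pentest"] = False
    result = score_vendor("ExampleSaaS", answers, "pii")
    print(result)
    print(next_review("2024-01-15", "2025-03-01", result.tier, events=("breach",)))
```

Two design points worth keeping if you adapt this: an unanswered question is scored as a missing control rather than ignored, so an incomplete questionnaire cannot produce a better score than a complete one, and a red flag sets `disqualified` independently of the score, so a vendor with strong answers elsewhere still does not pass if, say, it cannot describe how it protects confidential data.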
If your current vendor risk assessment process is insufficient or ineffective, or just needs a tweak, Mathom Solutions can develop a vendor risk review process or program tailored to the risks you face, within the framework of the laws and regulations of each country in which you operate. Depending on your needs, we can assist with comprehensive security programs or individual components such as vCISO services and security policy and procedure development.