According to the Opus and Ponemon 2018 report, 59 percent of companies said they have experienced a data breach caused by one of their vendors or third parties. In the U.S., that percentage is higher, at 61 percent. The report also notes that many breaches go undetected: 22 percent of respondents admitted they did not know whether they had had a third-party data breach in the past 12 months. A third-party breach costs, on average, twice what a normal breach costs.
This is part VI in the series on third-party risk management. In earlier parts, we discussed Major Breaches and Bankruptcy, Drivers, Alignment and Governance, Vendor Categorization, and Initial Risk Assessment. Part VI is about ‘Monitoring Vendor Risks.’
Need for vendor risk monitoring
As the name suggests, monitoring vendor risk is about having a program to monitor third-party risk on a continuous basis. The risk management team spends most of its time with existing vendors, and the ongoing program is meant to manage the risks associated with financial stability, information security, regulatory and compliance obligations, changes of leadership, service level concerns, etc.
The first step in the process is having third-party risk management policies and procedures that define what to monitor and how to monitor it. In certain types of contract, the provisions for monitoring must be written into the contract itself so that each party – the organization and the third party – understands its part in the process. The best example of a contractual agreement for monitoring is an outsourced call center contract, where the agreement contains clauses for reporting the call abandonment rate, calls blocked, speed to answer, handle time, etc.
The U.K. Bribery Act notes the importance of “continued and regular monitoring,” and the FCPA Guide states that “companies should undertake some form of ongoing monitoring of third-party relationships; where appropriate, this may include updating due diligence periodically.”
Monitoring risk considerations
The focus of ongoing monitoring needs to be risk-based and take into consideration the risks identified in the earlier stages. Monitoring several vendors involves a lot of data, reports, and analysis. Hence the process is better managed through automation and the use of tools – data management systems, end-to-end workflow tools, and analytics – that allow the organization to document a vendor’s security rating and compare that rating against its risk tolerance thresholds.
Effective monitoring program considerations
Below are certain high-level considerations for an effective third-party monitoring program:
- Periodic vendor audits that review the vendor’s general controls environment through onsite visits to the vendor’s facilities and review of audit reports such as SSAE16/SOC, ISO 27001, and PCI reports for vendors that process cardholder data, and that identify material changes after the third party has been onboarded, etc.
- Use of an independent third party to regularly test the controls that manage risks from vendors.
- Proper documentation maintained by the organization, including the vendor inventory, due diligence reports, contracts, risk management reports, reports to the board of directors, and independent review reports.
- Monitoring that includes information obtained from different sources about negative news and changes of leadership, as well as screening against the relevant sanctions and enforcement lists, etc.
- Geopolitical risk monitoring if vendors are part of the global supply chain and located in a different country or countries.
- Monitoring of regulatory and compliance requirements. For example, financial institutions must address Know Your Customer requirements to meet anti-money laundering and terrorist financing laws.
Publications by Forrester, Gartner, ISACA and other professional organizations provide questionnaires that assist in categorizing vendors and in analyzing vendor risk based on their criticality to business objectives.
In Part V we will cover the topic “Monitoring Vendor Risks.” Please note the four very important considerations for TPRM governance are:
- Alignment of customer and provider goals
- A comprehensive inventory of third parties
- Accountability for oversight and the overall management of your TPRM Program
- Clearly defined roles and responsibilities across the organization