10 Frequently Asked Supplier Risk Management Questions

Supply chain attacks are increasing. According to KPMG, 73 percent of organizations have experienced at least one significant disruption from a third-party in the last three years.

These findings underscore the imperative of implementing a supply chain risk management program. But as your vendor portfolio grows, assessing your vendors for cyber risk can seem daunting and raises many questions.

With that in mind, we’ve compiled a list of 10 frequently asked supplier risk management questions so you can get started quickly and efficiently

1. How long does it take to implement a supplier risk management program?
2. Should I use security questionnaires?
3. Do I need to work with legal counsel to develop a program?
4. What standards should my suppliers meet? How do I know they’re meeting them?
5. Who should my main contact be with my suppliers?
6. When should I go on-site to meet with my suppliers?
7. If a major security event occurs, how can I know if my supply chain is impacted?
8. How-often-should-I-perform-security-audits">How often should I perform security audits?
9. What about fourth-party risk?

1. How long does it take to implement a supplier risk management program?

The answer varies and can depend on the size of your vendor portfolio, how often you enter new partnerships, and so on.

To help speed the process, try tiering your vendors by criticality. This will allow you to focus your resources where they can have the most impact on risk reduction. Critical vendors could be those who host sensitive data, such as cloud service providers and payroll firms. 

Once you’ve tiered your vendors, you can implement procurement and onboarding policies for vendors that fall into specific groups. For example, you may require that vendors in a top tier have a higher security rating or undergo a more rigorous assessment than those in a lower tier. 

Look for ways to automate vendor risk management wherever possible so that you can scale your efforts quickly, using the resources you have.

2. Should I use security questionnaires?

Security questionnaires are a valuable tool for assessing your vendors’ risk postures during onboarding and for the contract duration.

Try to avoid using a one-size-fits-all approach, asking the same questions for each vendor. This can make your due diligence process time-consuming and costly. After all, a food service vendor won’t require the same level of scrutiny as a video conferencing software vendor.

Consider automating the security questionnaire process so that you can prioritize critical vendors and conduct faster, more strategic risk assessments.

In addition, remember that questionnaires only represent a point-in-time understanding of cyber risk and won’t reveal changes in security posture over time. They also rely on the vendor’s self-reporting cybersecurity updates, which can sometimes be inaccurate or unclear. Rather than taking vendors at their word, use the data-driven insights that continuous assessment tools provide to quickly validate your vendor’s responses and track changes in their security postures over time.

3. Do I need to work with legal counsel to develop a program?

If a vendor is breached, you need to know about it so that you can understand your risk exposure and take mitigative action.

Legal counsel can help create contractual language requiring your vendors to inform you if a cyber incident that could potentially impact your security posture takes place. But don’t wait for your vendors to notify you. Continuously monitor vendors’ digital ecosystems for emerging cyber risks. Set up alerts so that you’re notified the moment an issue is detected or their security postures fall below pre-agreed thresholds.

Then work with them to proactively remediate threats.

Legal counsel can also help define risk thresholds and inform compliance standards for your third parties.
 

4. What standards should my suppliers meet? How do I know they’re meeting them?

The answer to this question depends on the industry in which you operate. If you’re in the medical field, you’ll want to ensure that your vendors are HIPAA compliant; if you’re in the financial industry, then SEC guidelines,Service Organization Control (SOC) Type 2, PCI compliance, and more come into play.

To ensure that your vendors are meeting cybersecurity standards, work with stakeholders, including risk management, legal, and HR, to determine:

• How sensitive the data in question is.
• Your industry's requirements for suppliers, along with your own company's expectations.
• Your vendors' adherence to those standards. (Hint: Third-party continuous monitoring tools can help).

5. What’s the average size of a supplier risk management program? How many people do I need internally?

To be most effective, supplier risk management programs need dedicated resources to launch, manage, and scale them.

Depending on the size of your business—and your level of third-party risk exposure—this responsibility may fall on a single individual, a full team, or a larger group. However, there are many tools that can help you and your team balance limited resources with the growing need for vendor risk management.

6. Who should my main contact be with my suppliers?

Strive to have a single point of contact, from onboarding through the end of the contract term. Someone you can collaborate with to monitor and reduce risk.

He or she could be a chief information security officer, chief risk officer, IT leader, or any number of people depending on how the company is structured. You must be able to rely on this contact to get the appropriate team and information together and keep you in the loop should a problem ever occur. This person should have specific insights into IT operations, security components, and the elements of your contract.

Read how Alameda Alliance for Health strengthened its vendor partnerships using third-party collaboration and risk management best practices.

7. When should I go on-site to meet with my suppliers?

Many vendor risk management tasks can be completed digitally without the need for in-person collaboration. However, there may be instances where on-site visits are warranted. For example, during the selection of critical vendors (including those with high levels of network access), an on-site visit can help you understand a third-party’s operations and security practices and provide an opportunity to meet security and risk leaders.

8. If a major security event occurs, how can I know if my supply chain is impacted?

When a major event like SolarWinds or Log4j occurs you need to quickly assess the impact across your supply chain and what your suppliers are doing to mitigate risk.

Calling your point of contact is one option, but these attacks often happen at scale and getting answers quickly isn’t always easy. A better approach is to use monitoring tools that detect and highlight critical vulnerabilities and quickly pinpoint which vendors in your portfolio are impacted. With these insights, you can prioritize vendor outreach at speed, remediate risk faster, and build stronger vendor relationships.

9. How often should I perform security audits?

Once the contract is signed, it’s critical that you understand your vendors’ changing risk profiles. Annual cybersecurity audits can help with this task, but they are often handled by third parties, take time to perform, and are costly.

A cybersecurity audit program has a time and a place, but it shouldn’t be the be-all, end-all solution. Consider reserving in depth audits for your most critical vendors or those who have a track record of security issues.

Augment this approach with continuous monitoring so that you can keep a pulse on the cyber health of every vendor in your portfolio—quickly and confidently.

10. What about fourth-party risk?

Supply chain risk management must also extend to your fourth parties, meaning your vendors’ vendors and subcontractors. If one of these connected suppliers is compromised, your vendors and your organization could also be affected.

To mitigate this risk, question your vendors about their own third-party risk management practices. Even better, extend continuous monitoring to your vendors’ supply chains so that you can automatically discover vendor connections, assess risk exposures, establish alerts, and validate your vendors’ responses about their use of fourth parties.

Empower your organization to manage third-party cyber risk exposure

Developing an efficient and effective vendor risk management process is both important and necessary. Learn how Bitsight’s end-to-end third-party risk management solutions can empower you to manage risk in your digital ecosystem, enable your business, and reduce exposure.