Are you and your company at the early stages of implementing a supplier risk management program — or are you just beginning to explore the idea? Either way, there’s a lot to learn when it comes to assessing your digital supply chain vendors for cyber risk, and it may feel a little bit daunting at first. Perhaps you’re a bit afraid to ask some of the more basic questions that have you stumped.
To help your introduction go a little more smoothly, we've compiled a list of 10 frequently asked supplier risk management questions that may help you gain more insight into the process:
1. How long does it take to implement a supplier risk management program?
This answer is, of course, variable. When developing your supplier risk management program, you must build out a strategy that empowers you to group your vendors by criticality, define thresholds for acceptable levels of risk, determine how you will continuously monitor your suppliers’ security postures, and develop contract language that makes thresholds and remediation enforceable.
As a best practice, start by determining which of your suppliers present the most risk, meaning which vendors handle your most sensitive data or have the deepest access into your network, so that you can set the appropriate level of assessment for each. If you have a thousand vendors but only 10 have access to your network or other sensitive information, you want to know that so you can direct your resources to the relationships that require greater due diligence.
This process, albeit critical, can be time-consuming if you don’t have a solid understanding of each supplier relationship — or a standard set of cyber risk KPIs through which to evaluate your vendors’ security postures. You may need to have conversations with various departments and team members in order to get a handle on the suppliers you’re currently working with, and what type of data each has access to.
Of course, after you’ve developed your strategy, you’ll need to review and update your existing contracts, develop assessments for each group or tier of suppliers, and give each vendor time to complete your evaluations. Depending on the size and scale of your vendor ecosystem, this process can take anywhere from weeks to months.
2. Should I use questionnaires? If so, when should I send them out, and how often?
A questionnaire is a great way to get a sense of the security measures and protocols that your supplier has in place. These surveys can vary in length dramatically: some could be 10 questions, while others could include several hundred questions! The length of the questionnaire and the depth of its questions should be determined by the level of risk that the specific vendor poses. Pretend for a moment that you are Coca-Cola, and one of your suppliers has the secret formula for Diet Coke. You’re probably going to want to ask that vendor a ton of questions to ensure that the formula is secure.
The optimal time to send out a questionnaire is when you’re onboarding a vendor. Frequency after that is variable. Some companies send shorter questionnaires annually as a follow-up, while others simply ask suppliers to notify them of any material changes. Either way, you’ll want to be told when your vendor makes a significant change (for example, if they stop doing an important function in-house and outsource it to a third party of their own).
3. Do I have to implement a supplier risk management program for all of my vendors or just the most critical ones?
As a best practice, you should prioritize monitoring your most critical vendors. In order to do so, you’ll need to understand which suppliers pose the greatest security risk to your organization. Don’t underestimate the importance of this step: misjudging which vendors are critical could leave your network exposed to a breach or other security incident.
Take Target for example. They probably had a supplier risk management program before their infamous 2013 breach, but it seemingly didn’t cover the HVAC vendor. The attackers got onto Target’s network using credentials issued to that vendor, so the vendor had far more effective access than its role suggested and should have been treated as critical. Let that be a lesson: it’s not just the sensitivity of the data a vendor handles that determines the appropriate level of assessment. You must also consider how much access the supplier has to your network, whether or not that access seems to matter for the service it provides.
4. How much will I need to work with our legal counsel to develop a program? Aren’t my vendors legally obligated to share security information with me?
One of your legal team’s main priorities will be to establish a disclosure obligation with your suppliers. Pretend once more that you are Coca-Cola. If your vendor is breached and loses customer data, breach notification laws protect the customer: someone is legally required to tell a customer that their information, like a credit card number, has been compromised. But those laws cover personal data, not your trade secrets. If a vendor is breached and Diet Coke’s secret formula is exposed, is the vendor legally bound to tell Coca-Cola? Not unless the contract says so.
So, you can see how important it is to have your legal team intimately involved in the supplier risk management process. You need to be sure that your vendors are legally bound to inform you if an incident that affects your security posture takes place. As a best practice, you should establish acceptable risk thresholds in all of your contracts — and align on the remediation process that will need to occur if a supplier’s security posture falls below the agreed-upon threshold.
5. What standards should I have my suppliers meet? How do I know they’re meeting them?
The answer depends largely on the industry in which you work. In healthcare, vendors that handle protected health information are business associates under HIPAA and must meet its security requirements; in financial services, you’ll need to satisfy OCC third-party risk guidance, PCI DSS for any vendor touching cardholder data, and so on.
To ensure that your vendors are meeting standards, your lawyers and IT department should work together to determine:
What standards your industry dictates your suppliers must meet, and what company standards you’d like them to meet
How to determine if they’ve met those standards
Much of this comes down to your ability to establish a continuous monitoring program. With older, questionnaire-based methods it was nearly impossible to observe a supplier’s security posture from outside its network in anything close to real time. Unless a vendor actually let you come on-site and watch their network directly (unlikely), you would never truly know what was going on. Continuous monitoring technologies, which assess externally observable security signals, are changing how risk management processes work.
6. What’s the average size of a supplier risk management program? How many people do I need internally?
In order to ensure your supplier risk management processes are as efficient and effective as possible, you’ll need certain team members to be responsible for launching, growing, and scaling your program. Depending on the size and scale of your business — and your level of third-party risk exposure — this responsibility may fall on a single individual, a full team, or a larger group.
7. Who should my main contact be with my supplier?
You should strive to have one individual at your vendor’s company who is in charge of managing the risk to your organization’s data. This person should be your point of contact if and when there is a problem — and should be able to easily obtain relevant and important information at any point. He or she could be a lawyer, an IT security leader, the chief information officer, or any number of people depending on how the company is structured. You should be able to rely on this contact to get the appropriate team together should a problem ever occur. This person should have specific insights into IT operations, security components, and the elements of your contract.
8. When should I go on-site to meet with my supplier?
For some vendors, you can conduct all business in writing, though many require phone conversations or in-person meetings. Depending on the strategic nature of the relationship and the goods or services delivered, on-site visits may be warranted, both during supplier selection and for ongoing relationship management. According to the OCC: “On-site visits may be useful to understand fully the third party’s operations and capacity.”
The important thing here is to make sure you are focusing your scarce resources and travel budget on visiting those vendors that are most strategic to your business and/or have the highest levels of network access.
9. Do I need to go beyond penetration tests and questionnaires to adequately assess my supplier’s cyber risk?
Penetration tests and questionnaires, while helpful, only provide a point-in-time assessment of your supplier’s security posture, and a questionnaire is self-attested: you are relying on the vendor’s own description of its controls. To make more informed, strategic security decisions, pair them with continuous monitoring tools that regularly identify gaps in your suppliers’ security controls and show how their postures change over time, including in the months between assessments.
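The tiering logic from questions 1 and 3 (group vendors by the worse of data sensitivity and network access) and the contractual thresholds from questions 4 and 9 (a posture floor plus a remediation window) can be expressed as a small policy engine. The following is an added example written for this page; it is not BitSight’s code, rating scale, or API. The tier names, the 0 to 100 rating scale, the thresholds and the daily rating history are all constructed for illustration.

```python
"""Vendor tiering plus continuous posture-threshold monitoring.

Added example, not BitSight's code or API. Tier labels, the 0-100 rating
scale (higher is better), thresholds and the sample rating history are
constructed for illustration.
"""
from dataclasses import dataclass
from enum import IntEnum


class Level(IntEnum):
    LOW = 1
    MEDIUM = 2
    HIGH = 3


@dataclass(frozen=True)
class Vendor:
    name: str
    data_sensitivity: Level  # most sensitive class of data the vendor handles
    network_access: Level    # depth of access into your own environment


@dataclass(frozen=True)
class TierPolicy:
    tier: str
    questionnaire_questions: int  # assumed assessment depth for the tier
    min_rating: int               # contractual posture floor (0-100, assumed)
    remediation_days: int         # days below the floor before escalation


# Constructed policy table. Keyed by the worse of the two risk dimensions, so
# a vendor with trivial data but broad network access (the HVAC lesson) still
# lands in the critical tier.
POLICIES = {
    Level.LOW: TierPolicy("low", questionnaire_questions=10, min_rating=50, remediation_days=90),
    Level.MEDIUM: TierPolicy("moderate", questionnaire_questions=60, min_rating=65, remediation_days=30),
    Level.HIGH: TierPolicy("critical", questionnaire_questions=300, min_rating=80, remediation_days=14),
}


def classify(vendor: Vendor) -> TierPolicy:
    """Tier is driven by whichever dimension is worse, never by data alone."""
    worst = max(vendor.data_sensitivity, vendor.network_access)
    return POLICIES[worst]


def breach_windows(ratings: list[int], floor: int) -> list[tuple[int, int]]:
    """Return (start_day, length_in_days) for each consecutive run below floor."""
    runs = []
    start = None
    for day, rating in enumerate(ratings):
        if rating < floor:
            if start is None:
                start = day
        elif start is not None:
            runs.append((start, day - start))
            start = None
    if start is not None:
        runs.append((start, len(ratings) - start))
    return runs


def escalations(vendor: Vendor, ratings: list[int]) -> list[tuple[int, int]]:
    """Runs below the tier's floor that outlasted the contractual remediation window."""
    policy = classify(vendor)
    return [
        (start, length)
        for start, length in breach_windows(ratings, policy.min_rating)
        if length > policy.remediation_days
    ]


def snapshot_passes(vendor: Vendor, ratings: list[int], day: int) -> bool:
    """What a point-in-time check (questionnaire or pen test) would conclude on one day."""
    return ratings[day] >= classify(vendor).min_rating


# Constructed data: an HVAC contractor that handles no sensitive data but has
# remote access to the building network, rated daily over 30 days. The rating
# drops to 60 for 20 days in the middle, then recovers.
HVAC = Vendor("hvac-contractor", Level.LOW, Level.HIGH)
SAMPLE_RATINGS = [90] * 5 + [60] * 20 + [90] * 5

if __name__ == "__main__":
    policy = classify(HVAC)
    print(f"{HVAC.name}: tier={policy.tier}, questions={policy.questionnaire_questions}")
    print("snapshot on day 0 passes:", snapshot_passes(HVAC, SAMPLE_RATINGS, 0))
    print("snapshot on day 29 passes:", snapshot_passes(HVAC, SAMPLE_RATINGS, 29))
    print("escalations from continuous monitoring:", escalations(HVAC, SAMPLE_RATINGS))
```

Running it shows the point the section makes: an annual questionnaire or pen test landing on day 0 or day 29 would report the vendor as fine, while the daily series exposes a 20-day dip below the critical-tier floor that outlasted the 14-day remediation window and should have triggered the contract’s escalation path.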
10. How important is supplier risk management? Is everyone else doing this?
As time goes on and the cyber landscape becomes increasingly complex, more and more organizations are seeing the value and importance of proactively managing the cyber risk in their digital supply chain. While this is a newer concept for some organizations, industries like the financial sector have been monitoring vendor risk for a very long time. As the cyber threat environment continues to evolve, many regulators are recommending — and in some cases requiring — the implementation of vendor risk management programs.
The bottom line after answering these common supplier risk management questions is that developing an efficient and effective vendor risk management process is both important and necessary. Learn how BitSight for Third-Party Risk Management empowers you to launch, grow, and optimize your supplier risk management program with the resources you have today.
This post was updated in July 2020 to include new BitSight and industry information.