How Third-Party Risk Management Will Change In 2016

Melissa Stevens | January 7, 2016

Over the last few years, we’ve seen many new regulations and legal requirements put into place around third-party risk management, affecting a number of sectors. But even companies with no legal requirement to examine third-party risk are realizing that doing so is a sensible way to reduce their exposure to a whole range of security problems that originate outside their own walls.

At the start of this new year, with third-party risk on the minds of many, we’ve been examining what changes might come about in 2016. We’ve detailed our thoughts below.

Further Involvement Of Upper Management

CEOs and boards are going to be much more involved in third-party risk management this year. The reason? Security itself has become a market differentiator: companies will win and lose contracts on the strength of their cybersecurity posture, including the posture of the vendors they rely on. Senior executives and board members therefore need to be part of the conversation around vendor risk management (VRM).

Better Assessment Of Critical Vendors

The way that companies go about building a VRM program will likely change this year. With more focus on VRM best practices in 2016, more organizations will start by identifying their critical vendors: the ones that have direct access to the corporate network or that store or process sensitive data. It’s important to identify critical vendors from the get-go, before the relationship is signed, because that is when a company has the power and authority to set requirements through the language of the vendor contract—which brings us to our next change.

More Specific Contractual Language

Previously, some contracts may have stated generalities like, “We want you to implement reasonable security measures.” But what does that really mean? “Reasonable” could mean any number of things, and it gives neither party a test to apply. We expect contract language to increasingly reference a recognized framework, such as the NIST Cybersecurity Framework or ISO/IEC 27001, and to name specific, testable obligations (for example, a breach-notification deadline or a right to audit). By replacing vague language with clear security expectations, companies have enforceable terms to fall back on when a vendor falls short.

Smarter Assessment Processes

The assessment process is an area where we’ll see a significant amount of change during 2016. Traditionally, the VRM process begins with a questionnaire that asks the vendor high-level questions about its security practices. Documentation is still relevant today—and will remain relevant into the future—but organizations have realized over the last few years that most vendors answer security questionnaires in much the same way. Self-reported answers alone therefore add limited value: they can’t be independently verified, and a “yes” on a questionnaire gives you nothing concrete to act on.

In response, more first-party organizations are adding continuous assessment tools to their VRM programs to obtain evidence they can verify. More sophisticated organizations will begin to take security performance and configuration information about their vendors and feed that data into their security, procurement, and acquisition programs. In other words, they’ll set up processes in which measured metrics, not just questionnaire answers, inform the decisions they make about a vendor. Eventually, we expect such tools to replace purely subjective approaches to VRM—but probably not for many more years.
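The two ideas above, tiering vendors by network and data access and letting verifiable evidence rather than questionnaire answers drive the procurement decision, are shown together in the following added example. It is illustration written for this page, not BitSight’s product or code; the vendor names, questionnaire fields, DNS and HTTP values, and scoring thresholds are constructed. The three checks (DMARC policy, lowest negotiated TLS version, HSTS max-age) stand in for whatever externally observable configuration a real continuous-assessment tool collects.

```python
"""Continuous vendor assessment: verify questionnaire claims against
externally observable configuration and gate the procurement decision.

Added example, not BitSight's product or code. Vendor names, questionnaire
fields, DNS records and thresholds are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass
class Vendor:
    name: str
    network_access: bool      # e.g. VPN or site-to-site link into our network
    sensitive_data: bool      # stores or processes customer PII, payment data, etc.
    questionnaire: dict       # vendor's self-reported answers (subjective)
    observed: dict            # what we can measure from outside (verifiable)


def tier(v: Vendor) -> str:
    """Critical vendors are those with direct network access or sensitive data."""
    return "critical" if (v.network_access or v.sensitive_data) else "standard"


def parse_dmarc(txt: str) -> dict:
    """Parse a DMARC TXT record ("v=DMARC1; p=reject; rua=...") into tag -> value."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, _, val = part.strip().partition("=")
            tags[key.strip().lower()] = val.strip()
    return tags


TLS_RANK = {"TLSv1.0": 0, "TLSv1.1": 1, "TLSv1.2": 2, "TLSv1.3": 3}


def verify_claims(v: Vendor) -> list:
    """Return one finding per control where observed evidence contradicts the
    questionnaire answer. Each finding is (control, claimed, observed)."""
    findings = []
    q, o = v.questionnaire, v.observed

    # Claim: "we enforce email authentication". Evidence: the DMARC policy must
    # be quarantine or reject; p=none only monitors and blocks nothing.
    if q.get("email_auth_enforced"):
        policy = parse_dmarc(o.get("dmarc_txt", "")).get("p", "absent")
        if policy not in ("quarantine", "reject"):
            findings.append(("email_auth_enforced", True, f"DMARC p={policy}"))

    # Claim: "we only support modern TLS". Evidence: the lowest protocol
    # version the vendor's public endpoint still negotiates.
    if q.get("modern_tls_only"):
        lowest = o.get("tls_min_version", "unknown")
        if TLS_RANK.get(lowest, -1) < TLS_RANK["TLSv1.2"]:
            findings.append(("modern_tls_only", True, f"negotiates {lowest}"))

    # Claim: "HTTPS is enforced". Evidence: a Strict-Transport-Security header
    # with a max-age of at least one year; absent or short means it is not.
    if q.get("https_enforced"):
        hsts = o.get("hsts_header") or ""
        max_age = 0
        for directive in hsts.split(";"):
            key, _, val = directive.strip().partition("=")
            if key.lower() == "max-age" and val.isdigit():
                max_age = int(val)
        if max_age < 31536000:
            findings.append(("https_enforced", True, f"HSTS {hsts!r}"))
    return findings


def decide(v: Vendor) -> dict:
    """Combine tier and verified findings into a procurement action."""
    findings = verify_claims(v)
    t = tier(v)
    if t == "critical" and findings:
        action = "hold: require remediation of listed controls in contract"
    elif findings:
        action = "proceed with remediation clause"
    else:
        action = "proceed"
    return {"vendor": v.name, "tier": t, "findings": findings, "action": action}


# Constructed sample vendors (not real companies or real measurements).
SAMPLE_VENDORS = [
    Vendor("payroll-provider", network_access=False, sensitive_data=True,
           questionnaire={"email_auth_enforced": True, "modern_tls_only": True,
                          "https_enforced": True},
           observed={"dmarc_txt": "v=DMARC1; p=none; rua=mailto:dmarc@example.net",
                     "tls_min_version": "TLSv1.0",
                     "hsts_header": "max-age=300"}),
    Vendor("office-plants", network_access=False, sensitive_data=False,
           questionnaire={"email_auth_enforced": True},
           observed={"dmarc_txt": "v=DMARC1; p=reject"}),
]

if __name__ == "__main__":
    for vendor in SAMPLE_VENDORS:
        print(decide(vendor))
```

The point of the structure is that each questionnaire claim is paired with a piece of evidence that can be re-collected on a schedule, so the same checks run at onboarding and afterwards; a vendor whose claims stop matching its observed configuration surfaces as a finding, and the contract language already names the control that has to be fixed.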

The Standard Of Care

The final big change we expect in regard to third-party risk management in 2016 is the concept of “standard of care.” From a legal perspective, what do we expect a reasonable VRM program to look like? The answer to this question today is very different from what it was 15 years ago—and what was “reasonable” yesterday isn’t necessarily so today. This shift in definition has a major impact on a company’s legal obligations. Companies understand (or are beginning to understand) that if they aren’t taking the steps needed to provide reasonable oversight of their vendors, they could be held liable when a vendor breach exposes their customers’ information.

In Conclusion

There is far more attention on third-party risk management today than there ever has been, and it has become a problem that involves the entire organization, not just the security team. We expect many more conversations about these changes in the coming months, and we’re looking forward to being a part of them.

DOWNLOAD GUIDE: 5 Ways Your Vendor Risk Management Program Leaves You In The Dark

This guide offers real, tangible ways you can manage your vendor risk more effectively.

