Relationships with vendors are important (or even vital) for many organizations, but unfortunately, there’s a trade-off—the more data you share, the more risk you acquire.
Over the last few years, we’ve seen many new regulations and legal requirements put into place around third-party risk management affecting a number of sectors. But even companies without legal requirements forcing them to examine third-party risk are realizing that it’s a thoughtful and intelligent thing to do to deter all kinds of security issues.
At the start of this new year, with third-party risk on the minds of many, we’ve been examining what changes might come about in 2016. We’ve detailed our thoughts below.
Further Involvement Of Upper Management
CEOs and boards are going to be much more involved in third-party risk management this year. The reason? Security itself has become a market differentiator. Companies will win and lose contracts because of cybersecurity alone. Therefore, senior executives and board members are going to have to be involved in the conversation around vendor risk management (VRM).
Better Assessment Of Critical Vendors
The way that companies go about building a VRM program will likely change this year. People will be placing more focus on VRM best practices in 2016, so more organizations will be focused on identifying the critical vendors that have direct access to their corporate network or have access to sensitive data. It’s important to assess which vendors are critical from the get-go, because that’s when companies have the power and authority to do something about it through the language in their vendor contract—which brings us to our next change.
More Specific Contractual Language
Previously, some contracts may have stated generalities like, “We want you to implement reasonable security measures.” But what does that really mean? “Reasonable” could mean any number of things. This language will likely follow some kind of international standard, like the NIST framework. By clarifying vague language and making security expectations very clear, companies can safeguard themselves from vendors who breach contract.
Smarter Assessment Processes
The assessment process is an area where we’ll see a significant amount of change during 2016. Traditionally, the VRM process begins with a questionnaire that asks the vendor high-level questions about their security practices. Documentation is still relevant today—and will remain relevant into the future—but organizations have realized over the last few years that most vendors answer security questionnaires similarly. Thus, there’s not a tremendous amount of value in subjective assessments alone, because the information alone isn’t actionable or verifiable.
In response, more first-party organizations are utilizing continuous assessment tools in their comprehensive VRM program to derive more valuable information. More sophisticated organizations will begin to take security performance and configuration information about their vendors and build that data into their security, procurement, and acquisition programs. In other words, they’ll set up processes where metrics inform the decisions they make with a vendor. Eventually, we expect assessment tools will replace subjective approaches to VRM altogether—but probably not for many more years.
The Standard Of Care
The final big change we expect in regard to third-party risk management in 2016 is the concept of “standard of care.” From a legal perspective, what do we expect a reasonable VRM program to look like? The answer to this question today is very different than it was 15 years ago—and what was “reasonable” yesterday isn’t necessarily so today. This dramatic shift in definition has a major impact on a company’s legal obligations. Companies understand (or are beginning to understand) that if they aren’t taking every step necessary to provide reasonable oversight in their VRM programs, they could be held liable if a vendor breach affects their customers’ information.
There is so much more attention around third-party risk management today than there ever has been, and it has become a problem that involves an entire organization. We expect many more conversations to take place about these changes in the coming months, and we’re looking forward to being a part of them.