Vendor Risk Management

Why Your Business Needs a Vendor Management Policy

Jake Olcott | March 3, 2016

This post was updated on January 27, 2020.

A vendor management policy is a best practice for organizations seeking to tier their vendors based on risk. Such a policy identifies the vendors which pose the greatest cybersecurity risk to your organization and then outlines the controls the company will implement to lessen this risk. These controls might include rewriting all contracts to ensure vendors meet a certain level of security or implementing an annual inspection.

Unfortunately, many organizations overlook the importance of a vendor management policy, instead focusing their attention on their own internal security posture. However, there are several reasons why you should consider implementing a vendor management policy today.

1. You could get sued

There are a growing number of legal requirements in a variety of sectors — from finance, to retail, to healthcare, to energy — on how companies should manage their third-, fourth-, and nth-party risk. 

Regulators have recognized that data breaches through third and fourth parties can present a significant and sometimes catastrophic consequence to an organization — and have created various legal requirements in an effort to ensure organizations manage their supply chain and partner cyber risks more carefully. 

If you don’t have a vendor management policy today and you’re in a regulated industry, you could be out of compliance (and in a lot of trouble).

2. You’re a target

An organization should be concerned about third and fourth parties that have either access to their most sensitive data or direct access into their corporate network. 

If you work with an extended business ecosystem of vendors, sub-contractors, and partners, you’re naturally creating more targets that hackers and criminals can exploit. This is becoming more common, because organizations are outsourcing to vendors more frequently in an effort to either save costs or capitalize on vendor expertise. 

The more vendors you have, the larger risk landscape you create. This is a well-known risk — but too many companies don’t give it enough thought.

3. You have vulnerabilities you don’t even know about

Not all vendor risks are easily understandable. Many organizations today have entered into business relationships with third parties without fully understanding the risk to their data. And what’s more, the first party may not have set requirements for how their vendors should secure their data. 

A lot of organizations struggle with even knowing who has access to their sensitive data, how much access they have, where it resides, and more. These “unknowns” give plenty of folks a valid reason for concern.

4. You might face some severe consequences

To see how real the consequences of not having a vendor management policy are, simply read some of the latest cybersecurity headlines. Today, 59% of data breaches originate with third-party vendors.

In the healthcare sector, for example, these breaches are rising exponentially. In June 2019, Quest Diagnostics, one of the biggest blood testing providers in the country, sounded the alarm that nearly 12 million of its customers may have had their financial, social security, and medical information breached due to an issue with one of its vendors.

The truth is, if you don’t have a vendor management policy in place today, your company is being negligent. Unfortunately, not having a policy in place means that there’s a good chance your organization’s sensitive data may be handled by someone who shouldn’t have access to it. And this puts the health of your entire company on the line.

How to create a vendor management policy

If the above reasons have convinced you to implement a vendor management policy immediately, do you know where to start? You might be feeling a little overwhelmed — and that’s where we step in. Below, we’ve outlined four tips that will get you started with your vendor management policy right away.

1. Build a team

It’s critical to have people from many different positions and perspectives on your vendor management team. Aside from upper management, you want to have someone from acquisitions and procurement, a lawyer, an IT security person, and someone representing the business unit, so you can understand the data. This team will be charged with taking on the next step, which is to gather a list of vendors and determine which of them are critical.

2. Gather a list of your vendors

Keep in mind that the definition of a vendor isn’t as narrow as you might think. This all-encompassing list should include every third-party, contractor, or associate your organization does business with or works in partnership with. Having a vague idea of which companies might make the list isn’t enough — you need to know exactly who these vendors are.

Once the list is compiled, you’ll begin the critical assessment process. You’ll need to determine which vendors:

  • Have access to your sensitive and important data
  • Have direct access to your corporate network

Once you’ve sorted out these vendors, they should be categorized as “critical.” These are the vendors you’ll want to spend the most time learning about and monitoring — because if one of these vendors is compromised in any way, and the hacker finds a backdoor into your organization through the vendor, the destruction to your data or network could be catastrophic.

3. Keep vendor management in mind during the diligence process

At this point, you have already identified vendors you’re working with and whether or not they’re categorized as critical. But what about new vendors? 

A robust vendor management policy takes into account the vendors you’re looking to onboard, and it helps you determine whether or not you should do business with them. This is based on many things, but it should definitely take into consideration their cybersecurity standings. 

At BitSight, we offer time-limited access to our security ratings to help you determine whether a vendor relationship is worth pursuing.

4. Don’t forget to continuously monitor

Vendor management doesn’t stop after the diligence process. Traditional vendor risk management assessment methods are subjective, unverifiable, and unactionable. Offering a glance at their cybersecurity one day of the year isn’t enough. You need a way to continue to monitor and verify if a third party’s security posture is consistently strong, and you need to be alerted to new risks and vulnerabilities in their network.

Protect your business

Building a vendor management program will give you confidence that you and your vendors are meeting the commonly expected standards of care. 

Continuously monitoring and working with your vendors to ensure they’re meeting your cybersecurity expectations will reduce the likelihood that you will become the victim of a cyber attack through your supply chain. 

By putting a vendor management policy into place immediately, you’ll know that your vendors take cybersecurity as seriously as you do.
