Why a Proactive Approach to Vendor Risk Management is Necessary

When third party vendors, partners, processors and contractors find out about a breach of your customers' data, do you know what their notification practices are? Would you be surprised to know that almost a full third of them probably won't ever let you know that they've put your data at risk?

It's true, though. According to figures from the Ponemon Institute, only about 6 percent of third-parties let their clients know about loss of their data immediately upon discovery. And 29 percent of companies said that when they suffer a breach involving a partner or client's data they simply don't notify their business partners at all.

As we mentioned in a previous post, breach notification laws and standards today are very spotty in their requirements for third parties who have compromised partner or client data. The void has led to extremely inconsistent notification practices among third parties, with only about 41 percent claiming to have some kind of timely notification policy in place.

Often times, though, businesses can work around these issues through crafty vendor risk management practices and shrewd contract negotiations. Placing more rigorous audit and breach notification stipulations in contracts can greatly improve the chances of being told when problems crop up (I recommend organizations that are still figuring out vendor risk management best practices to check out this article, which offers a good primer on some of the considerations).

But that's only a start. Because even more troubling than these low notification figures is the consideration that these are only a percentage of a subgroup, namely those third parties that actually know that they've been breached. Case in point: the high profile Adobe and Neiman Marcus breaches both went on for months before the incidents were discovered, giving criminals unfettered access to data for an incredible amount of time. So how can you rely on your partner to tell you they've been breached when often times they don't know themselves?

scalable vendor risk management ebook

Know what it takes to create a VRM program that’s ready and able to stand up to the current state of affairs and find a step-by-step guide for creating a sustainable and scalable vendor risk management program from the ground up.

Download Now
Button Arrow

Think about it; according to the Verizon Risk Team Data Breach Investigations Report (DBIR), 70 percent of companies today had to be told by an external entity that it had been breached. If you extrapolate that phenomenon out to the businesses that you work with, it only follows that they could very possibly experience exfiltration of your data that they may never find out about. So, not only do you have to contend with a partner not letting you know when they find a breach, you've also got to consider all those other breaches that they never suspected.

When it comes down to it, the only way that organizations can truly ensure they have a good handle on how well their data is being protected by vendors and partners is through proactive measures. As outlined in the new PCI 3.0 guidelines, organizations should be conducting more frequent audits and assessments to evaluate third party policies, operations and history. They would also do well to use a security rating solution to extend visibility into the organization’s true security posture, since, as we’ve learned in recent breaches, an increase in malicious activity is often an indicator of trouble. That way you don't have to wait until the next contract negotiation or audit period to check into a third party's security effectiveness. Instead, you may find yourself in the driver’s seat with the ability to truly manage and reduce third party risk across the extended enterprise.