Security Risk Management

Why a Proactive Approach to Vendor Risk Management is Necessary

Sonali Shah | March 11, 2014

When third party vendors, partners, processors and contractors discover a breach of your customers' data, do you know what their notification practices are? Would you be surprised to learn that almost a third of them will probably never tell you that they've put your data at risk?

It's true, though. According to figures from the Ponemon Institute, only about 6 percent of third parties notify their clients of a loss of client data immediately upon discovery, and 29 percent of companies said that when they suffer a breach involving a partner's or client's data, they simply don't notify their business partners at all.

As we mentioned in a previous post, breach notification laws and standards today are spotty in what they require of third parties that have compromised partner or client data. That void has led to extremely inconsistent notification practices among third parties, with only about 41 percent claiming to have some kind of timely notification policy in place.

Often, though, businesses can work around these gaps through careful vendor risk management practices and shrewd contract negotiation. Placing more rigorous audit and breach notification stipulations in contracts greatly improves the chances of being told when problems crop up. At a minimum, such clauses should define what counts as a reportable incident, set a notification deadline measured from the vendor's discovery of the incident rather than from its confirmation, and flow the same obligations down to the vendor's own subcontractors. (I recommend that organizations still working out their vendor risk management practices check out this article, which offers a good primer on the considerations.)

But that's only a start, because even more troubling than these low notification figures is that they describe only a subset of third parties: those that actually know they've been breached. Case in point: the high-profile Adobe and Neiman Marcus breaches both went on for months before they were discovered, giving criminals unfettered access to data for an extraordinary length of time. So how can you rely on a partner to tell you it has been breached when it often doesn't know itself?

Consider this: according to the Verizon RISK Team's Data Breach Investigations Report (DBIR), 70 percent of breached organizations had to be told by an external party that they had been breached. Extrapolate that to the businesses you work with, and it follows that they could very well suffer exfiltration of your data that they never detect. So, not only do you have to contend with a partner not telling you when it finds a breach; you also have to account for all the breaches it never suspects.

When it comes down to it, the only way organizations can truly know how well vendors and partners are protecting their data is through proactive measures. As outlined in the PCI DSS 3.0 requirements for service providers, organizations should conduct more frequent audits and assessments to evaluate third party policies, operations and history. They would also do well to use a security rating solution to extend visibility into a third party's true security posture, since, as recent breaches have shown, an increase in externally observable malicious activity is often an early indicator of trouble. That way you don't have to wait for the next contract negotiation or audit cycle to check a third party's security effectiveness; instead, you can continuously manage and reduce third party risk across the extended enterprise.
