Skip to Content
Cyber and Privacy Risk and Insurance

Third-Party Vendor Risk Management

Mark Lanterman | March 26, 2021

On This Page
Multiple locks sit on a circuit board while one lock glows red

It is an unfortunate truth that organizations are really only as secure as their least secure third-party vendor. This reality has been recently brought to the forefront. Granting access to a third party broadens an organization's cyber risk landscape. Therefore, these relationships should be frequently assessed.

Consider, for example, the SolarWinds breach that compromised the data of major government entities and Fortune 500 companies. 1 Consider also the 2014 Target breach, in which a compromised third-party vendor led to millions of customers' personal information being leaked. 2 The potential risks associated with outsourcing, external data housing, and supply chains may be impossible to completely eliminate, but it is important to consider third-party risk management as a component of overall security posture.

Storing Data

Regardless of where your data is being stored, all data should have a readily known location. Silos within organizational settings can lead to confusion and a lack of communication between relevant stakeholders. With an increasingly prevalent migration to cloud technologies, having an awareness of what data is being stored in the cloud at any given time is essential.

It can often be the case that organizations are not completely aware of what is being stored externally and where. Data mapping and establishing an inventory system is a crucial component of third-party vendor management. Incorporating considerations on the cloud into existing security documentation helps to ensure alignment with best practices and provides a necessary resource for employees. Furthermore, documenting the security practices of third-party vendors as part of an organization's general security plan better ensures an efficient response to cyber events if, or when, they arise.

Assessing Vendor Security

In assessing the security posture of a third-party vendor, it is important to identify the proactive and reactive cyber security procedures and policies currently in place. Does the vendor utilize encryption? How is the data accessed, and by whom? What are the vendor's data backup policies? How is sensitive data segmented? What degree of access has the vendor been granted? Regular security assessments should include third-party vendors.

It is also important to review all existing or prospective third-party agreements. Contractual language should specify breach or cyber attack notification procedures, as well as recovery times. It should be made clear how your data is processed, accessed, and secured and whether or not audits or inspections can be conducted at the organization's choosing.

Conclusion

Just as we have to regularly update and maintain legacy systems, we also have to remain diligent about evaluating and vetting existing third-party vendors. Even if a particular vendor relationship has been in place for years with no incident, performing due diligence is applicable for old and new vendors alike.

Depending on the type and size of the organization, establishing a responsible party or committee for the management of third-party vendors may be advisable, but it should also be noted that all relevant parties that directly work with outside vendors ought to be aware of their security practices and reporting mechanisms. From the initiation of the vendor relationship to its termination, managing this source of risk is a strong component of maintaining a strong security culture.


Opinions expressed in Expert Commentary articles are those of the author and are not necessarily held by the author's employer or IRMI. Expert Commentary articles and other IRMI Online content do not purport to provide legal, accounting, or other professional advice or opinion. If such advice is needed, consult with your attorney, accountant, or other qualified adviser.


Footnotes

2 Thor Olavsrud, "11 Steps Attackers Took To Crack Target," CSO, September 2, 2014.