Learning Center July 20, 2022

5 Steps to Selecting a Vendor Risk Management Framework

Third parties are an inevitable and essential part of your business ecosystem. They’re your vendors, partners, and contractors. They improve efficiency, extend your reach, and make it possible to deliver the best possible products and services. From a security perspective, however, they also bring a significant amount of risk.

Misconfigurations of a third-party’s cloud can lead to supply chain data breach risks. These common third-party risks can cost an organization in reputation, legal fees, and lost revenue.

What are the data breach risks within the supply chain?

Managing your supply chain becomes increasingly difficult as you add more Software-as-a-Service (SaaS) applications to streamline business operations.

The 2022 Data Breach Investigations Report found

  • There are four key paths to compromise:
    • Credentials

    • Phishing

    • Exploiting vulnerabilities

    • Botnets

  • 82% of breaches involved the human element (stolen credentials, phishing, etc)

  • Supply chain was responsible for 62% of System Intrusion incidents in 2021

IBM’s Cost of a Data Breach Report 2021 found

  • The average total cost of a data breach is $4.24 million

  • Lost business represented the largest share of breach costs, at an average total cost of $1.59M

*Business costs included increased customer turnover, lost revenue due to system downtime, and the increasing cost of acquiring new business due to diminished reputation

  • The average number of days to identify and contain a data breach is 287 days

That risk can be managed, however. A solid third-party risk management framework will help you understand the risk you take on with your third parties and limit your liability. Here’s what you need to know when choosing a risk management framework.

5 steps to selecting a vendor risk management framework

1. Review your compliance risk

When a member of your extended ecosystem exposes you to risk, you are liable. It doesn’t matter if the fault is not your own. Under most U.S. data protection laws, the data owner rather than the data holder is liable for breaches and exposure. The same is true under the General Data Protection Regulation (GDPR), which requires companies to track and protect the data they process, even if a third party is storing that data..

To minimize your liability, you must be able to prove you’ve done your due diligence. That’s where a risk management framework comes in.

2. Understand risk management frameworks

third-party risk management framework provides a set of benchmarks, policies, and standards for an entire organization, including the extended enterprise. Such a framework focuses on the third parties and the activities that pose the greatest risks to an organization.

Most frameworks require an organization to do the following:

  • Take inventory of an organization’s third parties

  • Catalog cybersecurity risks to which the third parties can expose the organization

  • Assess and segment third parties by risk

  • Focus on critical activities

  • Develop rule-based diligence testing to stay focused on the third parties with the highest risk

  • Establish a decision-making group to own governance

  • Review critical activities to set a benchmark for the third-party risk management framework

  • Define three lines of defense, including business owners, third-party oversight, and an internal audit team

With several risk management frameworks, it can be difficult to choose the right one.

3. Know which frameworks apply to your organization

Not every risk management framework will work for every organization. Some frameworks are designed specifically for certain industries, while others are used in certain geographical areas. Many can be used together.

The two most widely used risk frameworks are those from the National Institute of Standards and Technology (NIST) and the International Standards Organization (ISO). Others, such as Control Objectives for Information and Related Technologies (COBIT), are often used in Europe. Some standards are used as the basis for regulations, such as the NIST 800-53, which is the foundation of many federally regulated cybersecurity requirements.

Knowing which frameworks apply to your organization depends on your industry as well as your size. Since most incorporate a risk-based approach, you need to review third-party risk, but you also may find that the requirements change based on your company’s unique needs.

4. Be prepared to use more than one framework

In some cases, it makes sense to use more than one risk management framework. If you’re using more than one framework, you’ll want to make sure the frameworks you use are mapped to one another, so they’re assessing the risks and implementing controls based on your organization’s needs without leaving any gaps in compliance.

The criteria for choosing your framework (or frameworks) will depend on your company’s specific needs. For example, a healthcare organization needs to meet the Healthcare Portability and Accountability Act (HIPAA) compliance requirements. If it accepts payments, it also needs to meet Payment Card Industry Data Security Standard (PCI DSS) requirements.

When incorporating multiple third-party vendor risk management frameworks, you need to start with your business objectives to ensure that you choose based on the compliance requirements necessary to meet these business goals. You’ll also want to consider the people you’re accountable for, such as shareholders, board members, or regulatory organizations.

5. Manage third-party risk intelligently

The way companies look at risk is changing. According to Deloitte’s extended enterprise risk management survey, organizations are increasingly using extended enterprise risk management to “exploit the upside of risk,” using their partnerships with third parties to enhance organizational effectiveness and brand confidence, while becoming more innovative and agile.

A good third-party risk management framework protects an organization’s clients, employees, intellectual property, and business operations. Implementing one is not about completely eliminating risk but knowing where the highest risk is and managing it appropriately.

How SecurityScorecard enables intelligent third-party risk mitigation

SecurityScorecard can help enterprises gain operational command across their vendors. SecurityScorecard’s Atlas helps enterprises digitize and automate their vendor due diligence process. Using Atlas, organizations can:

  • create custom questionnaires

  • invite vendors to respond to questionnaires

  • review vendor responses

  • validate responses to the security ratings platform

  • continuously monitor vendor’s security posture

In addition, SecurityScorecard’s Professional Services team provides advisory services to help customers manage risk across their third-party vendor population. Our advisory services help customers implement frameworks, define TPRM processes, and leverage security ratings to continuously monitor the cyber threats across their vendor portfolio.