The Importance of Third-Party Risk Management Policy Programs

By Phil Marshall

Posted on Apr 10, 2018

A crucial, but often overlooked, part of the vendor relationship is cyber security. Expanding networks and partnerships boosts the economy, but a disrupted network can do the complete opposite.

 So how can a business manage third-party risks?

Managing supplier and third-party risk helps mitigate undue risk and excessive costs associated with cyber risks. Vendor policy management starts at the very beginning of the relationship by making sure that businesses and management build security as a fundamental pillar in having a healthy relationship. While this seems like common sense, the Ponemon Institute Tone at the Top and Third Party Risk study reported that 49 percent of respondents had no security risk evaluation of vendors. Neglecting this basic step can result in high priced breaches.

Establishing a solid, secure foundation in a business-to-vendor relationship requires: insight into how third-party business partners manage their cyber security and what level and type of access the vendor has to customer data. Vendor policy management programs can help ensure that both businesses and vendors mitigate risk and protect corporate assets data. 

A vendor policy management program enables companies to:

  • Identify all vendors that have access to sensitive data or a network and rank vendors  according to the level of risk associated with the relationship. This helps distinguish vendors imperative to business operations from those less necessary to the business operations.
  • Perform due diligence to determine vendor resiliency  against threats, including due diligence of incident response programs.
  • Consider the contractual language necessary to provide assurances of a certain level of cyber security performance and/or to reserve the right to audit when needed.
  • Document important aspects of the vendor relationship such as vendor name, purpose, services, access, and risk level.
  • Report findings so they are assessed and approved by senior leadership, auditors, etc.

Establishing a successful and secure business and third-party vendor relationship is an initial effort, but maintaining that security requires continuous and informed monitoring.

Security Research in your Inbox

Thanks for siging up for the newsletter!

No waiting, 100% Free

Get your personalized scorecard today

Get your free scorecard and learn how you stack up across 10 risk categories. Answer a few simple questions and we'll instantly send your score to your business email.

Get Your Free Score

Get In Touch

Thank you for contacting us!

Request a Demo

Thank you for requesting a demo!