The Ultimate Service Provider Due Diligence Checklist
When you’re managing your cyber risk, you’re not just managing the risk that comes from within your organization. You need to worry about your third parties as well.
Third parties like service providers can be a worrying source of risk. They often have access to sensitive information, you don’t control their cybersecurity, and if they’re involved in a breach, they often drive up the cost. According to Ponemon’s 2019 Cost of a Data Breach report, breaches involving a third party cost more than $370,000 more than in-house breaches.
Many organizations aren’t prepared for third party breaches, however – Protiviti’s 2019 Vendor Risk Management Benchmark Study found that only 4 in 10 organizations have a fully mature vendor risk management process in place.
This is why it’s critical to do your due diligence when it comes to service providers, who are some of the most important third parties in your organization’s extended enterprise.
First, however, what exactly is a service provider, and how do they differ from other third parties, like vendors?
How is a service provider different from a vendor?
Like vendors, service providers are third parties in your business’s extended enterprise. While there may be some overlap between your vendors and your service providers (and in some cases, organizations use the terms interchangeably), there is one big difference between the two: vendors sell a product, while service providers sell a service.
Take the FDIC’s definition of service providers, for example. According to the FDIC, a service provider can provide “…core processing; information and transaction processing and settlement activities that support banking functions such as lending, deposit-taking, funds transfer, fiduciary, or trading activities; Internet-related services; security monitoring; systems development and maintenance; aggregation services; digital certification services, and call centers.”
The above offerings are often core functions of an organization, and that means that many service providers have access to sensitive data, like customer information and other financial data. Because of this, it’s critical that you perform your due diligence before entering into a relationship with any service provider.
Your service provider due diligence checklist
Take inventory of your service providers:
__ List the providers of major core functions
__ Catalogue any smaller providers who might be working with individual departments
Collect information on each service provider including:
Basic information:
__ A business charter or articles of incorporation (or similar corporate charter)
__ Business license
__ Business location and proof of location
__ Overview of company structure
__ Information about executives and board members
__ Financial information
Information about general risk:
__ Is the service provider on any watch lists?
__ Is the company or any key personnel the target of major lawsuits?
__ Is there negative news coverage of the service provider?
__ Are there major complaints or negative reviews from consumers?
__ Is the site physically secure?
Information about cyber risk:
__ Security rating
__ Assessment questionnaire
__ IT system outline
__ Are any assets exposed to the open Internet?
__ Is there a history of data breaches?
Classify your service providers from highest to lowest risk by asking the following questions:
__ What service does this organization provide?
__ Who owns the relationship with this provider?
__ Is this provider tied to your organization’s most critical business operations?
__ What data do they have access to?
Analyze your risk:
__ Calculate your risk using this formula: Risk = Likelihood of a Data Breach × Impact of a Data Breach (Cost)
__ Set a risk rating of high, medium, or low
__ Compare the above information with your risk appetite and determine whether your organization should pursue a relationship with the service provider
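As an added illustration of the classification and analysis steps above (example code written for this article, not part of the original checklist or of SecurityScorecard’s platform), the following Python scores a few constructed sample providers with the Risk = Likelihood × Impact formula, buckets them into high, medium or low, ranks them from highest to lowest risk, and compares each against a stated risk appetite. The weights, the thresholds and the 0–100 security-rating scale are assumptions chosen for the example.

```python
"""Risk-tiering of service providers following the due diligence checklist.
Weights, thresholds and the rating scale are illustrative assumptions."""
from dataclasses import dataclass


@dataclass
class ServiceProvider:
    name: str
    service: str                 # what service this organization provides
    security_rating: int         # 0-100, higher is better (assumed scale)
    breach_history: bool         # known history of data breaches
    exposed_assets: int          # assets reachable from the open Internet
    critical_operations: bool    # tied to the most critical business operations
    sensitive_data: bool         # has access to customer or financial data


LEVELS = ("low", "medium", "high")   # ordered so index comparisons work


def likelihood(p: ServiceProvider) -> float:
    """Probability-like score in [0, 1] from the cyber-risk checklist items."""
    score = 1.0 - p.security_rating / 100      # weaker rating -> more likely
    score += 0.2 if p.breach_history else 0.0  # assumed penalty for past breaches
    score += 0.05 * p.exposed_assets           # assumed penalty per exposed asset
    return round(min(1.0, max(0.0, score)), 2)


def impact(p: ServiceProvider) -> int:
    """Impact score 1-4 from the classification questions (criticality, data)."""
    return 1 + (1 if p.critical_operations else 0) + (2 if p.sensitive_data else 0)


def risk_score(p: ServiceProvider) -> float:
    """Checklist formula: Risk = Likelihood of a breach x Impact (cost) of a breach."""
    return round(likelihood(p) * impact(p), 2)


def risk_rating(score: float) -> str:
    """Bucket a score (range 0-4 here) into high / medium / low; thresholds assumed."""
    return "high" if score >= 2.0 else "medium" if score >= 1.0 else "low"


def classify(providers, risk_appetite: str):
    """Rank highest to lowest risk; 'pursue' is True when rating <= appetite."""
    result = []
    for p in sorted(providers, key=risk_score, reverse=True):
        rating = risk_rating(risk_score(p))
        pursue = LEVELS.index(rating) <= LEVELS.index(risk_appetite)
        result.append((p.name, risk_score(p), rating, pursue))
    return result


# Constructed sample providers (fictional names and values).
SAMPLE_PROVIDERS = [
    ServiceProvider("CoreBank Processing", "core processing", 70, True, 3, True, True),
    ServiceProvider("HelpDesk Co", "call center", 60, False, 4, False, True),
    ServiceProvider("CertSign Ltd", "digital certification", 95, False, 0, False, False),
]

if __name__ == "__main__":
    for row in classify(SAMPLE_PROVIDERS, "medium"):
        print(row)
```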
How SecurityScorecard helps manage and respond to risks
Your work isn’t done when you understand the risks associated with each of your service providers. It’s your job to monitor your third parties continuously to ensure they don’t become lax and put your data at risk.
SecurityScorecard can help you do this in a few ways. For example, our platform can document a service provider’s security rating, relate it to their risk tolerance, and use it as a qualitative metric that links to both data controls and financial stability. Additionally, our easy-to-digest grades of A through F make it easy to explain risks to your board.
Our continuous monitoring also scans and identifies leaked credentials and other factors that will let you know if your third parties have been the victims of social engineering. Your service providers might be providing employee security awareness training, for example, but SecurityScorecard can tell you whether that training has worked.
Lastly, SecurityScorecard’s intelligent tool Atlas can help you streamline your third party risk assessment process by comparing service providers’ questionnaire responses to previous questionnaires and the platform’s analytics.
Managing third party risk can be difficult. With SecurityScorecard, organizations can make the process simpler and gain a window into their service providers’ risk.