In our previous article on Vendor Risk Management, we mentioned that it has become a common norm for organizations to outsource some of their business processes to external service providers to allow the business to focus more on its core capabilities. In the process, sensitive data is shared and stored in vendor networks, which can be a source of risks that some companies are not aware of. Previously, several incidents have been reported to have been caused by these suppliers.

For instance, Target’s breach in 2014 was a result of lax security at an HVAC vendor, outsourced software was blamed for the giant breach at Equifax, and in the Paradise Papers incident a law firm was the source of a breach of 13 million files on offshore tax avoidance. A study conducted by the Ponemon Institute found that data breaches caused by third parties are on the rise, with 56 percent of organizations reporting that they have experienced a breach caused by a vendor. The study further shows that on average, U.S. companies pay $7,350,000 million per incident in fines, loss of customers, and remediation procedures.

Unfortunately, a majority of companies lack visibility into the security practices of third parties, but continue sharing sensitive information and processes, despite the alarming study findings. In fact, they lack an updated inventory of all third parties that receive critical data. This automatically means that firms do not know if their vendors have policies that would mitigate a cyber-incident. In effect, efforts are needed to enhance the effectiveness of third-party governance programs. Now more than ever, forward-thinking organizations are approaching vendor risk management proactively, and the strategies are being treated as a board-level concern.

This means that vendor risk management is a crucial process in cybersecurity. It is evident that proper governance of vendor risk reduces the likelihood of a cyber incident. This blog goes into detail on identifying and maintaining critical vendors in vendor risk management programs. This is a critical step to reduce future data breaches that might originate from a critical third party.

“Ultimately, you need to look at: what data of yours (including customer data) do you share with them? What access do you give them (to your systems and information) and why? And, how dependent are you on their services/how quickly can they be restored/replaced?” said James Goepel, CEO and General Counsel of Fathom Cyber LLC.

Critical Vendors and Critical Activities

Who is a critical vendor? A quick Google search gives several definitions of a critical vendor. The criticality of a third-party is determined by a business or a unit. Some of the general definitions that can be used to define critical activities and vendors include:

  1. The OCC definition of critical activities covers crucial functions and significant shared services that could cause a business to face significant risk if a vendor fails to meet expectations, or could cause an impact to customers, or could have an effect on business operations, or require noteworthy resource investment to implement the relationship and manage the risk.
  2. An article on American Banker defines a critical vendor as any service provider or third party that could attract regulatory scrutiny or impose significant impacts on a business, including the risk of loss if the services provided are disrupted. A third party is categorized as a critical vendor if they have access to a corporation’s network and sensitive data or offer crucial services to the organization.

According to John Eckert, Director of Operational Risk and Core Policy at the OCC, “Critical activity is a popular topic now.” It is important for a business to rank their vendors as critical or non-critical for business disruption, and they should be ranked based on predetermined regulatory items. For all critical vendors, a company should:

  • Conduct a thorough assessment of certain aspects of the vendor’s due diligence
  • Conduct a review of the vendor’s business continuity program
  • Develop an exit strategy

Based on the above recommendations, it is imperative for businesses to identify and perform due diligence on all critical vendors who will gain access to the company’s network or information.

Factors That Contribute to Determining Criticality of a Third-Party

Notably, a third-party who is accessing, sharing, or storing non-sensitive data in an environment may not pose a similar risk as a vendor accessing, processing, sharing, or storing personal information for your business in their data centers. Therefore, some factors should be considered to appropriately identify risks and separate the third-parties based on their criticality.

Some of the factors deployed to determine the criticality of a vendor include:

  • Business Disruption Factors
  • Data Volume & Type
  • Regulatory Requirements
  • Vendor Type
  • Specific Services Provided

The above factors, and many others that could be defined by specific businesses, can effectively be applied to determine the criticality and the level as well as frequency of due diligence on vendors. Third-parties can be categorized into various levels such as:

| Risk Level | Risk Rating/Criticality | Risk Factors | Risk Assessment Type |
|---|---|---|---|
| Level 1 | High | Breach causes business disruption, vendor stores, processes, and shares PII belonging to a business at the third-party’s data centers. | The business should conduct onsite risk assessments periodically. The vendor should provide evidence of security controls. |
| Level 2 | Moderate | Breach causes regulatory compliance issues. | An onsite assessment can be conducted but not on a regular basis. The business should require evidence of controls used by vendor. |
| Level 3 | Low | Vendor accesses non-sensitive information at the business environment. | An onsite risk assessment is not necessary. The vendor can however be examined in case of an incident. |

Based on the levels, a business can decide the frequency and type of risk assessment conducted on a vendor. Evidently, a successful risk management program considers several components. The initial step involves a business applying a consistent set of assessment questions to the services from which vendors’ inherent risks derive. At the same time, categorizing vendors into risk levels based on particular factors helps avoid stuffing all third parties into a common risk category, which may take up too many resources to ensure risks are identified and managed appropriately. In effect, it is imperative for businesses to describe the inherent risk factors and to determine the ones that are more critical than others.

Identifying Critical Vendors

The Target, Equifax, and Paradise Papers breaches, among others, teach critical lessons to organizations. Perhaps the most important lesson learned from the incidents is that any vendor with access to a company’s customer data or corporate network and systems is a potential risk.

Thus, a vital step in vendor risk management involves identifying critical suppliers in a business. Unfortunately, organizations face challenges while establishing standards and procedures for identifying their critical vendors. Fortunately, they can create comprehensive strategies based on the risk to be evaluated and the scope of third parties. An organization should be able to examine the risks each third party poses in order to manage them effectively. The process involves examining and understanding all suppliers and identifying their criticality based on the amount of access they have to the corporate information and network. In effect, a comprehensive strategy should be established and deployed to parse through all vendors.

The following steps can be followed to identify and rank vendors based on their criticality:

  1. Vendor Inventory: The first step involves creating a list of all third parties you work with. The list should explicitly identify all those vendors that have access to sensitive data and the corporate network. If a vendor will have access to this information, then it is imperative to determine the impact of a vendor’s data breach on the business. Sources of information for vendors include:
    1. Review contracts
    2. List all known vendors
    3. Examine information on accounts payable from the finance department
  2. Critical Vendor Criteria Development: Vendors are ranked based on the risk associated with the relationship they have with a company. A policy containing various risk classifications as guided by industry-best practices and regulatory requirements can be used to create vendor risk rankings.
  3. Testing Vendor Rating System: After identifying and ranking all vendors based on their risks in the relationship, it is vital to conduct a test of due diligence to assess the cybersecurity resiliency of third parties. Testing your rating system involves running through a realistic scenario with a single vendor to ensure the process is sound. The test should involve examining vendors’ security controls, their business continuity plans, incident response policies, and breach notification requirements, among others. Due diligence involves acquiring and analyzing evidence documentation from vendors and sharing requirements that a business deems crucial for its cybersecurity posture.
  4. Documenting and Improving the Rating System: This step involves documenting all areas requiring improvement in the rating scale that determines vendor criticality, defining the meaning behind the nominal or ordinal scale used, and, lastly, aligning the scale to enterprise risk management activities so that when communicating “High Risk” to other business units, the vendor risk management team is using similar language.

In conclusion, it is recommended that critical vendors should be identified by considering their impact on an organization’s reputation or stability if the data held by the third-party was compromised. Vendors are categorized as critical if they can cause immeasurable harm and loss if they fail to deliver services as promised, or if they are breached. In most cases, such vendors are easy to identify. For instance, a third-party that offers payroll services to a company will be graded as critical since personally identifiable data will be shared with the vendor. However, in some cases, the process of classifying a critical supplier requires more effort and factors should be developed and considered.

In the next blog, we will discuss how to properly link vendor criticality to the classical cybersecurity Confidentiality, Integrity, and Availability (CIA) Triad!

Sources:

https://www.csoonline.com/article/2601021/security0/11-steps-attackers-took-to-crack-target.html

https://www.nytimes.com/2017/09/07/business/equifax-cyberattack.html

https://www.opus.com/ponemon/#infographic-form

https://occ.gov/news-issuances/bulletins/2013/bulletin-2013-29.html

https://www.americanbanker.com/news/new-rules-force-banks-to-decide-which-vendors-are-critical