Headed to RSA in San Francisco? May 6-9 | Join us!

An Inside Look at Vendor Risk Management Programs

In the past year, we’ve seen new privacy legislation introduced throughout the world. At the same time, the number of data breaches grew significantly from 2020 to 2021. In 2022 and beyond, we expect more of the same. Cybersecurity and privacy concerns are increasingly becoming top of mind for companies across all industries. These concerns are exacerbated by new threats to remote-first workforces and the looming threat of downtime, financial loss, and reputational damage that can occur from a cybersecurity incident.

Companies have long sought to mitigate their own risk through certifications like ISO 27001, compliance with regulations like GDPR, or by conducting risk assessments and penetration tests to strengthen their cybersecurity posture. But now, we’re seeing a shift in the ecosystem.

For service and technology providers, a growing number of customers are demanding providers step up their security efforts and participate in vendor risk management programs to ensure cybersecurity and data privacy efforts extend to the provider’s network of partners and other third-party vendors as well.

What is a Vendor Risk Management Program?

Vendor risk management (VRM) programs present a formal way for companies to evaluate and measure risks associated with using third-party services and IT suppliers. It’s a way for companies to ensure that linking their systems with a provider’s does not expose them to any threats that would negatively impact business performance or cause disruption. It’s also a way for partners to ensure that service providers aren’t opening the door to any new threats when onboarding and working with new customers.

Vendors are now an extension of internal teams and must be evaluated as such. Risks to a vendor’s business can create a butterfly effect for partners and result in major damage to a network of customers. As a result of this shift, partners are holding each other accountable and to a higher standard.

This new standard has led to a significant rise in the number of vendor risk management programs being implemented. It’s a sign of the times: More companies are becoming aware of the threat landscape and more deliberate in how they manage their own vendor risks. Plus, with the rise of globalization and cloud services, reliance on third-party vendors to execute major components of a business’s operations is more critical than ever.

The Rise of Vendor Risk Management Programs

What prompted this rise in awareness? Beyond the rise in cybersecurity incidents (and rise in reporting of such incidents across news outlets), three things brought cybersecurity and privacy to the top of everyone’s mind this past year:

  • An increase in privacy-related legislation
  • The prolonged shift to remote work
  • A rise in turnover driven by “The Great Resignation”

1. Privacy Legislation

Data privacy has been a top priority for regulators over the past few years. From the introduction of GDPR in the European Union to LGPD in Brazil, and many state-by-state laws within the U.S., the consequences for improper protection of customer data are at an all-time high. Organizations that store and use customer data are at risk of paying hefty regulatory fines if that information is not properly protected. Therefore, when evaluating vendors, especially those who will also have access to customer data, it’s become even more important to select partners who have sufficient data protections in place. After all, if a data leak or breach were to occur as a result of poor security practices through a partner, the responsibility would fall on your organization’s shoulders as the primary provider.

2. Shift to Remote Work

Remote work presented an interesting challenge for security professionals. It forced security teams to place an increased emphasis on educating employees about threats — like phishing scams and accessing private networks in public spaces.

But it also presented an opportunity for many cybersecurity professionals to reassess how their networks are accessed (and by whom) and which services are most essential to conducting business. As those services are evaluated, so too are the security threats associated with them.

3. Turnover and “The Great Resignation”

Employee turnover proved to be another area that forced security professionals to re-evaluate their systems and processes. “The Great Resignation” ushered in a wave of turnover that left companies with gaps in institutional knowledge at various levels and a lack of resources to execute on pre-existing strategies. Experiencing turnover within their own organizations brought awareness to many companies about how similar employee turnover at their vendor organizations could trickle down and impact business continuity, and thus the security of a vendor’s link to their own internal systems.

What Does This Mean for Service Providers?

These factors have created somewhat of a perfect storm, alerting companies to the risks of working with third parties and creating more urgency to implement systems that address and mitigate that risk. As a result, service providers will likely face an increased burden in 2022 to furnish additional attestation and certification documents to comply with each customer’s own vendor risk management programs. Some customers will request standard documentation — like the ISO 22701 certification or a SOC 2 attestation — while others may layer on custom requirements for vendors based on the specifics of their relationship and business. Service providers can also expect to spend more time reporting back to customers as they implement new processes for ongoing oversight of vendors.

With custom risk management and reporting requirements for each customer, the administrative oversight of simply doing business can become much more burdensome on service providers. To ease that burden, rely on experts like A-LIGN to ensure you are up to date with the necessary audits, attestations, and data privacy best practices.