How to Develop a Vendor Cyber Risk Management Framework
Third-party vendors are an essential part of today’s business ecosystem. A Gartner study found that, in 2019, 60% of organizations worked with more than 1,000 third parties, and those networks are only expected to grow.
But these vendors also represent a significant cybersecurity threat. In today’s interconnected world, vendors, partners, and contractors have unprecedented access to sensitive data and systems across the supply chain, putting your organization at risk of a cyber-attack.
In this cyber risk landscape, any company with sensitive data and third-party connections should develop a robust third-party cyber risk management framework.
What is a vendor cyber risk management framework?
A vendor cyber risk management framework defines the process and procedures that must be followed to assess, monitor, and mitigate third-party cyber risk.
Importantly, a framework is developed before any vendor risk management (VRM) technologies or tools are put in place. In this way, a framework is a proactive step towards defining and optimizing a mature vendor risk management program.
In this post, we’ll discuss best practices and freely-available resources that can help you establish a vendor cyber risk management framework that works best for your organization.
1. Leverage existing vendor cyber risk management frameworks
Fortunately, there are many resources in the public domain that can help you develop your cybersecurity framework.
A useful starting point is Deloitte’s capability maturity model, which provides a valuable roadmap for your program.
Another reference point is the National Institute of Standards and Technology (NIST) Cybersecurity Framework. NIST is the foundation for most emerging cybersecurity regulations and its framework outlines standards, guidelines, and best practices for defining controls and managing cybersecurity risk both in your own organization and across third-party relationships. Read more about the NIST framework and what it means in practice in our post: Third-Party Risk Management Best Practices for Enterprise.
Also worth a look is the ISO 27001 information security management certification. ISO 27001 is considered the international standard for validating a cybersecurity program and is a good way of assessing the different components of a vendor’s security program. If a vendor holds ISO 27001 certification, it’s a good indication that they’re doing things right when it comes to securing their data.
Also worth a mention is the FAIR Institute methodology, which provides a model for understanding and quantifying risk in financial terms. It puts risk in common, easy-to-understand terms that can be shared across the organization.
With so many well-known best practices and established frameworks in place, it’s not necessary to create your own. Furthermore, by leaning on standard approaches and terminology that your vendors already use or recognize (as opposed to a custom framework), the vendor cyber risk assessment and management process becomes much easier.
2. Factor compliance into your vendor cyber risk management framework
There is also a compliance element that must be factored into your framework. Certain sectors are subject to strict third-party cybersecurity risk management regulations.
In the healthcare industry, for example, continuous third-party compliance with HIPAA and HITRUST, among other regulations, must be addressed by the cybersecurity compliance framework.
The framework must also accommodate industries that classify or “tier” vendors by risk, as often happens in the financial services sector. For example, a vendor may be considered “high risk” if a cyber-attack on their network has the potential to critically impact your business, data, or regulatory status. In such instances, separate policies and procedures must be incorporated into the framework to address high-, medium-, and low-risk third parties.
3. Take an iterative approach
Finally, it’s important that your third-party cyber risk management framework considers the shifting nature of third-party relationships.
Too often, traditional third-party risk management programs focus on fixed points in time, such as the pre-contract due diligence phase. This approach fails to capture risk that may arise as a result of a change in scope, personnel, or strategy. Gartner's study found that 83% of legal and compliance leaders identified third-party risks after due diligence and before recertification.
To account for a constant flux in risk, build policies and processes that enable you to iteratively assess and monitor risk over the course of the vendor relationship. Gartner recommends using a data-driven methodology to determine critical risks to streamline vendor due diligence. For example, once the contract is signed, leverage technology, like security ratings, to continuously monitor third-party networks and detect change.
4. Don’t go framework crazy
Depending on your industry and the cyber risks you’re seeking to address, the frameworks mentioned above (or portions of them) provide a foundation that can be augmented to meet the needs of your organization. But try not to overdo it. Too many layers in your framework can be hard to govern and enforce, especially if your organization is decentralized and you’re dependent on different teams and business units to keep these processes and frameworks in place.
But rest assured: as your third-party network expands, a well-thought-out vendor cyber risk management framework provides a critical foundation that integrates security and risk management into your vendor relationship lifecycle. With a framework as your guidepost, you’ll gain vital insight into where your highest security risk lies and make more informed decisions about managing that risk for the long term.