
Catching the Blind Spots of Vendor Risk Management


Written by Tom Turner, CEO and President, BitSight

In my experience there are a number of common blind spots associated with vendor risk management (VRM), or ‘third-party risk management’ as it is sometimes called. In this article I will share with readers what I see as the six top misconceptions surrounding VRM and suggest strategies for businesses to overcome or avoid some of these pitfalls.

  1. Only the highest value business relationships have the most inherent risk

Today we see many high profile data breaches hitting the headlines. That’s because businesses are more connected than ever before, and organisations are having to deal with increasing numbers of third parties. Often, there will be a direct relationship where data is exchanged. However, we’re seeing more indirect relationships where a third party may not be deemed critical to the organisation’s service or product, yet they still have the potential to introduce risk. Take the Netflix ‘Orange Is The New Black’ leak in April last year from Larson Studios. This was a post-production company that was probably thought to be a distant vendor in the supply chain, yet when they were hacked it had a massive impact on the core business.

Likewise, many businesses are using the same third party, which is often unavoidable. For some products and services, there’s only one dominant player in the market to choose from if you need to outsource. This situation can result in massive downstream effects if there’s a data breach, compromise, or service disruption. For example, the NotPetya malware hit many companies in Ukraine particularly hard, such as the shipping giant Maersk. This happened because a Ukrainian-based accounting software platform was compromised, and the ransomware spread to its customer base.

Breaches and outages aren’t just resulting from typical third parties anymore. They’re also stemming from more distant vendors. While these organisations may not have access to your network, you may rely on their technology or services, which could cause considerable risk downstream.

  2. Your most trusted form of assurance is a diligence questionnaire

VRM programmes have traditionally focused on setting contractual obligations for vendors. Risk managers would periodically check on whether vendors were meeting certain obligations and move on to the next item on their “to do” list. For a long time, the only way to manage risk was to use questionnaires, audits, and penetration tests. This has changed, and businesses are now actively ‘hunting’ for risk. They are consuming multiple data feeds about operational, financial, and cyber security risk. In doing so, many organisations have taken a more collaborative approach with vendors, rather than a combative one. The notion that VRM is a game of strong-arming between risk and legal departments is changing. Organisations and their vendors are having more constructive dialogues.

  3. VRM is not a Board level issue

According to Gartner, 80% of security risk management leaders are being asked to present to senior executives on the state of their security and risk programme, and 75% of Fortune 500 companies are now expected to treat VRM as a board level initiative to mitigate brand and reputation risk. Boards are beginning to request updates more than once a year, and this has led to the emergence of security committees.

The challenge for risk managers is how best to contextualise the company’s level of risk. This is where objective, quantitative measurement can really help. For example, being able to say that the aggregate level of cyber risk posed by vendors has dropped 20 percentage points is a lot more insightful than saying, “We’ve mandated that all of our vendors implement multifactor authentication.” It’s important to learn how to speak the right language to the Board.

  4. Regulations and VRM programmes are two different issues

The impact of regulation very much depends on the industry sector, but if you are subject to any regulation at all, then it needs to be included in your VRM programme. Regulations that encompass all industries, such as the General Data Protection Regulation (GDPR), which comes into force on 25th May this year, will need to be part of the risk management programme of every single organisation. Article 32 states that organisations that collect personal data must have rigorous due diligence processes to ensure that appropriate controls are in place before sharing data with vendors.

  5. VRM can be handled manually with existing resources

Relying solely on subjective point-in-time questionnaires can leave a lot of risk unidentified or unaddressed. Many companies now understand that a continuous, objective view is needed.

Also, you can’t simply throw people at this problem. There are too many vendors connected to the enterprise and not enough risk professionals in the world to manage them. Companies need to automate processes wherever possible to manage this risk. There’s going to be a huge breakthrough when businesses across all sectors recognise the importance of automation and reserve human intervention for when urgent action is required.

  6. Engaging with vendors and the supply chain to correct risk is difficult and confrontational

Companies have different approaches for engaging with vendors, and some have more influence than others. However, we are learning that presenting data and accessing a common platform provides significant benefits.

Giving non-customers free access to a security ratings platform via a trusted partner will allow third party vendors to investigate potential network issues and allow access to remedial resources. This is a good example of how engagement with vendors can be driven by objective data. It also offers vendors a benefit in return for their engagement and reduces some of the confrontation that can accompany risk assessment.

With economies of scale at play, there are potentially long-term benefits too. With many organisations using the same vendors to rectify issues, we can reach a wider audience and the whole digital economy is better off.

To learn more about vendor risk management, visit www.bitsighttech.com

Global Banking & Finance Review
