How to Put Together a Vendor Cyber Risk Program Before the End of the Year

Due to the events of 2020, many organizations have been forced to use new and different third parties to solve business needs. Many of these new vendors have not been properly vetted for their potential cyber risk exposure, and even fewer have been examined for their ability to respond to cyber incidents. As you plan your 2021 risk management focuses, third parties need to be on that list. 

How can you do that, however, as budgets have been reduced due to COVID-19? While building a dedicated third-party cyber risk program requires time, resources and technical skill, you can start outlining a program on a reduced budget. The below plan should be considered the first step in building a program. It will help you understand your third-party cyber ecosystem, exercise some of the processes you will need to enhance in a formal program and hopefully reduce some of the risks to your organization.

The first step, which is often the hardest, is to inventory your third parties. Who do you utilize to help you achieve your organization's mission? Anyone you share data with, give access to or directly associate with your organization should be on this list.

Once you have that list, you need to identify what info or access they have. Do any of the contractors on staff have "Admin" access, thereby allowing them to change or edit programs? If they do, you are only as secure as their home organization’s network. What information are you sharing with marketing, outside counsel and application developers? Is any of that data customer-related or protected by regulation? If so, under many regulations, if they suffer a breach, it is considered a breach for you. After organizing the list of who has what, you should organize them into categories to see how big your inherent risk is before applying any controls. This will help you prioritize as we move into the next step.

Now that you have a list, it is time to survey your third parties’ cyber security. While there are different assessment standards and questionnaires you can use, we suggest asking the following at the base level: 

• Do you have an information security policy?
• Does it require you to utilize appropriate encryption for data identified as sensitive?
• Does it require all users to use two-factor authentication for accessing accounts or systems?

These types of questions should be answerable by most third parties. Even if your contact doesn't know, they can easily reach out to the appropriate security or compliance teams within their organization to get an answer. There may be some delays, or even hesitation, as many organizations do not like to share information on their cyber security policies. Still, the three questions listed above fall under many standard cyber security requirements and many organizations already must certify that they meet them. Encryption, for example, falls under the New York State Department of Financial Services and Payment Card Industry regulations, which all require appropriate encryption controls to be in place for sensitive data. 

The purpose of these questions is to understand your third parties’ general level of cyber security maturity and if they have some specific controls in place. Not having policies is a red flag indicating a lack of maturity. Failure to have either of the two specific controls in place increases the likelihood of a vendor's breach or the possibility that your data may be impacted if the vendor is breached.
After sending these questions, be prepared to answer your vendors' questions such as: Why do you need this information? What are you going to do with it? Does any evidence need to be shared? How will answers and any evidence be stored? How you answer these questions will be unique to your organization, the vendors' roles and your resources.

With these answers in hand, you can move towards the next phases of validation and analysis. These may require more resources, technical sophistication and time. With this first round, though, you will have established an inventory of your vendors, what data or access they have and a rough idea of their cyber security maturity, hopefully before the end of 2020. This plan is a good start for you understand your vendor ecosystems' cyber security and make decisions on your program as 2021 approaches.