While working with vendors and third parties is an inherent part of doing business and they provide tremendous value and opportunity – vendors also present significant risks. These risks are of growing concern, particularly when it comes to data privacy and security. Forrester states, “The repercussions of security incidents across the value chain, as well as the EU General Data Protection Regulation’s (GDPR’s) more stringent compliance requirements, make managing third-party risk a top priority for S&R [security and risk] pros.”1
And you don’t have to look far to find examples in the news of data breaches that vendors caused. Forrester research also found, as shown in the below Figure 1, that third-party attack or incident caused 21% of confirmed security breaches in 2018.2
Additionally, the cost of data breaches is estimated by Ponemon to be between $750,000 and $35 million3 with the global average cost in 2018 at $3.86 million and increasing each year.4 On top of the monetary costs for fines related to a breach, it’s important to consider other critical factors in calculating the true cost of a breach. For example, these may include damage to the company’s brand, loss of trust with customers and potential lawsuits and regulatory actions following breaches.
In addition, privacy laws and regulations have specific provisions that address vendors and extend companies’ data privacy obligations throughout their supply chains. Whether you are focused on GDPR, the California Consumer Privacy Act (CCPA), Health Insurance Portability and Accountability Act (HIPAA), EU Privacy Shield or a combination of different frameworks, one of the most important components of your privacy and security risk management program is to understand how your vendors are handling your data and whether they too can maintain compliance.
The privacy experts at TrustArc recommend that you expand your vendor management approach to address privacy and security. It’s important that your vendors:
- Demonstrate privacy and data protection awareness from the beginning of the relationship
- Complete privacy and security assessments
- Comply with regulatory and internal privacy and security governance
- Implement and maintain terms of a Data Processing Agreement (DPA)
In addition, the TrustArc Vendor Risk Management solution provides a centralized place and method to collect, maintain and track critical data for ongoing vendor management. The solution, powered by the TrustArc Platform, enables companies to assess vendors, evaluate and monitor vendor risk, track vendor status and report on key compliance metrics. Our experienced privacy consultants are available to help you understand your regulatory environment and risks; design your vendor management program; define your risk scoring model and vendor prioritization; develop policies and procedures and more.
To learn more about how to minimize vendor risk, vendor management best practices and how to build a successful vendor management program read our Vendor Risk Management Guide.
To learn more about the TrustArc Vendor Risk Management solution, visit www.trustarc.com/products/vendor-risk-management/
 Manage Third-Party Risk to Achieve and Maintain GDPR Compliance. Forrester. April 2018.
 The State Of Data Security And Privacy: 2018 To 2019. Forrester. December 2018.
 Royal, K. Third-Party Vendor Management Means Managing Your own Risk. iapp.org.
 Shepard, Sydny. The Average Cost of a Data Breach. Security Today. July 17, 2018.