Third-party information security risk is a massive concern for companies of all sizes. And it’s not just because they’re facing greater regulatory compliance demands.
Failing to comply with data protection and privacy regulations can mean severe legal and financial penalties in the short term. But failing to protect customers’ privacy rights can trigger even bigger financial issues in the long term when customer trust and loyalty are lost.
So your organization needs to be hyper-vigilant about ensuring third-party vendors protect the privacy of your customers’ personal information – as if those customers were their own. Because if you lose customers, so do they.
Privacy is one of the biggest factors in third-party vendor risk
In a recent episode of the EM360 podcast titled Effectively Managing Third-Party Risk I was asked if privacy is one of the biggest challenges companies face in the third-party risk landscape. The answer is yes, of course.
But it’s not a simple answer, because there is a lot of confusion about the current state of privacy and a lot of uncertainty about the future state of privacy – all of which has great implications for effectively managing third-party risk.
Many companies tend to be reactionary to risk. So this can mean there isn’t a consistent approach to managing third-party vendor risk: some are more cybersecurity focused, and others are more privacy focused.
Previously, information security teams typically took the lead in assessment and management of vendor risks related to data protection, but now the explosion of the Internet of Things makes data privacy equally important, and privacy teams need to have a seat at the table.
Procurement teams will need to reach agreements with cybersecurity and privacy teams on their desired outcomes when selecting and managing vendors. It might not be easy, but it will be even more challenging if clear risk principles and guidelines aren’t established internally first.
I believe the assessment and management of third-party risk should be a shared approach between the privacy office and cybersecurity.
Given the prevalence of data sharing across any organization, this approach will help ensure you have company-wide clarity on both data privacy and cybersecurity risks. And then you can set expectations and standards for any third parties who may collect or have access to your customers’ personal data.
Which approach do you use to identify and assess third-party risks?
We see various ways privacy and security risk assessments of third-party vendors are administered among the organizations TrustArc meets. Though they usually fit into one of the following approaches:
- Low-tech assessment – administered using spreadsheets.
- High-tech assessment – administered within a software platform.
We used to encounter some organizations with no approach to assessing third-party risks because they didn’t know how or where to begin – or they didn’t see the need – but these cases are now rare thanks to recent enforcements of privacy regulations, particularly from California.
Pros and cons of low-tech third-party risk assessments using spreadsheets
Pros:
- Spreadsheets are readily available in business software packages.
- Most employees know how to work with spreadsheets: they’re easy to use and easy to start.
- They offer a low barrier to entry for recording third-party risk assessments.
Cons:
- Spreadsheets are very labor-intensive to maintain and become increasingly cumbersome to work in, year on year.
- It is difficult to identify gaps or risks recorded in a spreadsheet-based assessment due to its basic (and often rigid) structure.
- One size fits all: vendors can only respond to the questions they’re asked, and there is no conditional logic that opens up additional questions based on the relevancy of a vendor’s answers.
- There is no automated reporting, making it difficult to track what has changed in third-party vendor risk over time.
Pros and cons of high tech third-party risk assessments using specialized software
Pros:
- Specialized risk assessment software allows for conditional or logic-based questions: for example, if X is selected show Y, which means vendors answer only relevant questions and companies gain better risk insights.
- Risk assessment software includes automated workflows, which improve the quality of data on each risk assessment process, such as vendor collection, follow-ups, approvals, and revalidation efforts.
- They give companies useful controls to flag and generate plans of action or lists of potential risks that need to be addressed.
- Their automated reporting capabilities give companies useful insights for managing vendor contracts over time, including a risk summary that scores inherent and residual risks. Insights from automatic pivot tables, for example, prompt actions, such as alerting legal teams to add clauses into vendor contracts based on the results of a risk assessment.
Cons:
- New software needs to be bought, which is an additional expense that needs to be added to a company’s risk management budget.
Employees need to be trained on using the software, and a user guide needs to be created and given to vendors so they can meet their third-party risk assessment obligations. - Like most software as a service (SaaS) solutions, risk assessment software depends on external support.
- SaaS is managed off-premises, meaning a third party is involved, and thus normal security concerns are triggered about data and systems managed externally.
TrustArc’s recommendation: adopt risk assessment software
Your company is likely already working with multiple vendors with access to some of your customers’ personal data, all of whom need to be regularly assessed to ensure they meet security and privacy compliance.
Just as your company must keep up to date and be compliant with new privacy and data protection regulations, you are also responsible for auditing third-party compliance.
This means you can no longer rely on occasional audits. Third-party privacy risk assessments must be part of your ongoing privacy risk management program.
How TrustArc helps companies manage ongoing third-party vendor risk
Managing third-party risk can seem complicated, though it doesn’t have to be. As the leader in privacy management software, TrustArc offers outstanding expertise, experience, and intuitive solutions to help your company quickly adopt smart and effective vendor risk assessment processes.
