In an increasingly interconnected business world, on-time delivery of products and services is crucial. As technology and innovation continue to improve the way businesses operate, we all must rely on a web of third-party vendors and partners to make it happen, whether it be QPay Europe or other providers. Revenue, growth, and brand reputation are at risk if a company's third-party vendors are ever disrupted, breached, or unable to deliver their services. For example, credit unions rely on their payment processing partners to always be running at 100%, law firms must have uninterrupted access to client casework information, and retailers need their key suppliers to produce and deliver goods no matter what. Regardless of what business you're in, identifying and assessing the preparedness levels of your key vendors is critical to your business continuity and cybersecurity program.
Recently, the SEC published new guidelines for cybersecurity and identified third-party vendor assessments as a key component. The reason: asset management firms and hedge funds manage large amounts of capital, process many transactions, and house sensitive client information while relying on dozens of outside vendors to support these core activities. If any one of their vendors goes down, or worse is breached, the ramifications can be devastating. In fact, of all the industries studied in the PwC Viewpoint on Third Party Risk Management, the financial sector has the highest customer churn following a breach. As it turns out, customers don't really care where the breach originates, whether within the institution itself or within a vendor's organization; either way the institution suffers monetary and reputational losses. In a related study by Javelin Strategy & Research, the data show that financial and banking institutions, healthcare providers, and retailers can lose up to one-third of their customers after a major breach.
So where should you start? Here are a few things you can do to begin your vendor management program and mitigate third-party risk factors.
- Create a complete list of your third-party vendors and identify the impact to your business if a vendor could not serve you or was compromised. Could the vendor affect your revenue, operations, brand reputation, or compliance?
- Create a set of questions that addresses specific details of each vendor's business continuity, risk management, IT, and cybersecurity programs. For example: Do they have written policies and plans? When did they last test those plans? Do they train their staff on them? How robust and secure is their IT infrastructure? Which third-party vendors do they rely on in turn, and have those vendors been assessed?
- Have your identified list of vendors complete the questionnaire; tailor it to the specific vendor where appropriate.
- Collect responses and perform a review. Present a summary report of findings and key risks for further analysis and audit review.
- Establish a vendor risk assessment toolkit (questionnaire and set of procedures) for ongoing vendor management, and incorporate it into daily operational processes.
Think about it this way: your vendors' uptime is your uptime. You're only as operational as the partners you rely on, and conducting thorough vendor risk assessments is critical to serving your customers.