What questions are you asking your vendors about their business continuity and life safety programs? How often do you perform a risk assessment of your vendors? It is not enough to ask whether a vendor has these programs in place; you need to review the policies and procedures within them. A global study by Trustwave found that 63% of the data breaches it investigated were linked to a third party, which makes it clear that you need to be asking your vendors the right questions. Below are several questions you can ask during a risk assessment to help mitigate the risks associated with your vendors.
1. How often do you test and train on your business continuity and life safety plans?
It is not enough for your vendors to have these programs in place; they must also test and train on them regularly, and you should ask for evidence of the most recent exercise and what was changed as a result. Preparis offers numerous interactive Tabletop Exercises in your Preparis Portal. You can read more about the benefits of using a tabletop exercise to train your crisis team and employees in a previous blog titled “3 Reasons Why You Need to Invest in Tabletop Exercises.”
2. How does your organization develop plans using an all-hazards approach?
No matter the crisis or disaster, you can assume that at least one of four impacts will occur: loss of a facility, loss or failure of information or technology, a reduced workforce, or reputational damage. Planning for these four impacts rather than for individual scenarios helps an organization recover from a business disruption more efficiently, whatever the incident turns out to be.
3. What are your proposed recovery objectives and timeline after a business disruption?
Gone are the days when an organization could thrive without being prepared for business disruptions. From natural disasters to cybercrime, any incident can keep an organization from conducting business as usual. This affects not only your vendor's productivity but potentially yours as well, depending on the services they provide you. Ask for the vendor's recovery time objective (how long a service may be down) and recovery point objective (how much data may be lost) for each service you depend on, and compare them against the objectives in your own plan; a vendor that recovers more slowly than you need becomes the bottleneck in your own recovery. It is just as important to know your vendor's recovery policies and procedures as it is to know your own. Approximately 80% of businesses affected by a crisis or disaster that do not have a business continuity plan in place fail within 18 months of the incident.
4. How often do you update your plans?
Threat trends change continuously, and compliance requirements keep tightening, leaving less margin for error under regimes such as SOX, GLBA, HIPAA, FCPA, PCI, OCC, FINRA, FFIEC, the NIST Cybersecurity Framework and FDA regulations. Organizations should review their business continuity programs at least annually, and after any significant change to operations or suppliers, and update the content accordingly. Ask your vendors when they most recently updated their plans and what triggered the update.
5. What services do you outsource and do you conduct a risk assessment for those vendors?
Keep in mind that your vendors may themselves be outsourcing services. Even if the vendor you work with directly can present satisfactory plans, you should also request their risk assessment policies and procedures for their own third parties, since a failure at a fourth party can reach you through them.
6. What processes do you have in place to protect internal and client data from a cyber breach?
Cybercrime is at an all-time high and no organization is immune. It is not enough to have the proper technology in place as a defense against a breach; employees must also be educated and trained on the measures that mitigate the risk of a cyber-attack and on how to respond and recover if a breach does occur. Ask the vendor how they would detect a breach involving your data and how quickly they are obligated to notify you.
7. What are your organization's policies and procedures for maintaining an inventory of all devices (computers, phones, tablets, etc.), software and applications?
An organization cannot protect what it does not know it has, so it needs an up-to-date inventory of its technology. Cyber criminals keep finding new ways to breach an organization's data. If your vendor allows employees to access files over remote networks, there should be a policy in place to ensure that access is secured. Likewise, if employees have email connected to their mobile devices, it is best practice to make sure those devices are managed and have the proper protections installed to defend against attacks such as phishing and data theft from a lost or stolen device.
Vendor-related incidents are often caused by one of three issues: failure to properly monitor vendors, over-reliance on third-party vendors, and failure to set clear expectations. The risks associated with vendors fall into several categories, including compliance risk, reputational risk, operational risk, transaction risk and credit risk. With compliance and regulatory requirements growing more detailed, you need to be sure you are asking your vendors the right questions. Don't let your organization suffer on account of another.