The Increasing Importance of Vendor Cybersecurity in a Pandemic World


While vendor cybersecurity preparedness has always been important, it's an especially hot topic in our current pandemic environment. With a massive shift to remote work, a clear understanding of our vendors' cybersecurity posture has never been so crucial. It's also a non-negotiable part of any holistic third-party risk management program.

Vendor Cybersecurity Risk Increased Due to the Pandemic

Unfortunately, chaos often begets chaos, and the effects of the pandemic are no exception. The rapid shift in how our workforce operates has exposed us to a range of threats related to expanded remote network access.

Here are three to consider: 

  • Remote workforce risks. Working from home puts unusual load on corporate systems, internet and cable service providers and end-user operating systems. Many organizations also lack the policies or security controls needed to protect data accessed outside their normal operating facilities, so every new remote connection widens their exposure.
  • Bad actors are especially alert. Scammers don't slow down in times like these; in fact, they are more primed than ever to take advantage of vulnerabilities, using phishing schemes and malware and generally preying on overtaxed systems.
  • Loss of key workers. If your vendor's team is depleted by sickness or quarantine procedures, what is their contingency for response? If they have a true incident in their environment, how will they handle it when the primary incident handlers are unavailable?

Why Is Vendor Cybersecurity Important? 

Monitoring your vendor's cybersecurity posture has always been an important part of regular due diligence. Our current environment only underscores that importance.

Here are the top two reasons you need to verify your vendors' cybersecurity posture:

  1. Cybersecurity preparedness mitigates risk. Knowing a vendor's posture lets you influence the vendor to strengthen their controls, supplement their controls with your own and decide whether you should stay with that vendor. A good way to monitor a vendor's security controls is to review their SOC 2 report or a comparable independent audit report. Note that a SOC 2 report covers a defined scope (and, for a Type II report, a defined period), so check that the scope includes the services you actually consume and that any exceptions noted by the auditor have been addressed. A vendor breach can have a big impact on you and your brand; this is what we call reputational risk, and it's not territory you ever want to find yourself in.

  2. Cybersecurity is a hot button for regulators. Now more than ever, regulators are checking that organizations follow through on guidance and regulation. You are commonly required to demonstrate that your organization is taking proactive steps to identify and mitigate potential cybersecurity weaknesses at your vendors. Your processes are expected to cover the CIA triad (confidentiality, integrity and availability) and to comply with regulations such as GDPR and CCPA, to name just two. More states are expected to follow California's and New York's lead in tightening their rules, which means cybersecurity oversight and requirements will only increase.

Additionally, remember that in many cases your own clients are required by government or industry regulation to ask you for documentation in order to decide whether to continue doing business with you. If you want to serve those industries, you need to be prepared, and to have proof that your vendors are, too.

What Should You Look for in Your Vendor’s Cybersecurity Plan?

Because the pandemic has driven such a large shift toward remote work, and bad actors are trying more fervently than ever to knock down doors, it's important to confirm that our vendors have the appropriate cybersecurity controls in place. So, what specifically should you be looking for?

As you review your vendors' cybersecurity plans, there are 4 primary areas to consider:

  1. Security testing. This is a great way to identify weaknesses in a tangible format. Your vendor's reported security testing should include regular, standardized penetration testing of internal and external networks as well as social engineering testing. Social engineering testing should include things such as:

  • Simulated phishing emails
  • Employee awareness tests

    Regular security testing should also come with documented follow-up on findings and remediation of any issues found. You want to see that your vendor is testing for weaknesses, following up on findings and fixing them within an appropriate time window, ideally with the severity of each finding and the date it was closed. Your vendor should be able to provide documented evidence that security testing is performed at least annually and by an impartial third party. Annual testing is a floor, not a target; a vendor that also tests after significant changes to its environment is giving you stronger assurance.

  2. Sensitive data security. In our current environment, you want to be sure vendors have measures in place for any change in where or how sensitive data is stored. Understanding how vendors secure your data at rest and in transit is essential. They should have controls such as:

  • Encryption (of data at rest and in transit)
  • Data retention and destruction policies
  • Data classification and privacy policies, access management, etc.
  • Remote access and infrastructure policies

    Ask yourself: if their workforce is now working from home, what measures do they have in place to secure data handled by remote workers?

  3. Employee, contractor and vendor management training. You need to understand the vendor's ability to ensure that its own employees, contractors and downstream vendors are prepared to protect your data. Training of these groups, along with documented and enforced access management, is critical to data protection. Some of the ways a third party can offer assurance that anyone with access to your data is properly trained and controlled include:

  • Confidentiality agreements
  • Security training
  • Management of their own vendors
  • Access management

  4. Incident detection and response. It's inevitable: incidents will happen. The key to minimizing the impact is discovering them quickly and having a plan to address them effectively. Your vendor should be able to demonstrate what they plan to do if an incident occurs, and should be able to provide documentation covering:

  • How they'll identify an incident
  • Their response plan and notification procedures, including how quickly they will notify you
  • Their contingency for response if the team is depleted by sickness or quarantine procedures, especially during a pandemic
  • How they'll handle a true incident in their environment if the primary handlers are unavailable

    Pro tip: Cyber insurance isn't a substitute for security, but it can offer a level of assurance that a vendor takes cybersecurity seriously. Errors and omissions, cybercrime and sabotage coverage are just some of the policies that transfer part of the risk and provide protection against cyber exposures; check the policy limits and exclusions rather than simply confirming that a policy exists.

From a planning standpoint, you need to consider all of the problems that could occur, what steps you must be prepared to take and how long it will be until normal operations resume, in order to minimize the impact on your organization and your customers.

When it comes to cybersecurity, we all must consider our current climate and how organizations are choosing to work. Whatever you do, don't forget the importance of documentation: when it comes to regulators, if it isn't documented, it didn't happen. The same goes for ongoing monitoring, so make sure to keep it up!

You've heard the saying that a chain is only as strong as its weakest link, and that's particularly true in third-party risk management. Industry best practice and regulatory guidance expect you to consider all of the potential ramifications posed by a third party, whether a data breach or a significant business disruption like the one we've experienced with COVID-19.

