Assessing cyber risk for potential vendors is one of the most important aspects of managing third-party risk for any organization. The vendor risk assessment process helps businesses decide which partners or service providers to work with and, more importantly, who to trust with their most sensitive data.
The cybersecurity risk assessment process has to be well-defined and procedural so organizations can choose the right third-party vendors and avoid risking data breaches or data leaks that result in significant financial, reputational, and legal damages. Organizations will also be at fault if the vendors they choose to work with fail to uphold basic security requirements and do not comply with regulatory requirements.
This guide will focus on how organizations can identify and assess cyber risks for potential vendors and how they can prepare themselves for the process.
What Does a Cyber Risk Assessment Need to Accomplish?
The cyber risk assessment process needs to accomplish one main goal: identify and categorize risks to determine their potential impact and likelihood of occurrence.
To do so, organizations need to understand the nature of the risk, how it occurs, who or what it affects, and all potential outcomes in a worst-case scenario. Each organization must perform its due diligence during the vendor procurement process to reduce its operational risk.
Along with assessing cyber risk, an overall vendor risk management strategy must also consider risk analysis before choosing to partner or work with new vendors. Risk analysis complements risk assessments by qualifying the significance of the risk and quantifying its scope of impact on business operations should a cyber attack occur.
It’s important to note that risk assessments should not just be performed during the onboarding process of new vendors — they must be performed periodically throughout the vendor lifecycle to ensure that they are maintaining their cybersecurity postures. If a vendor begins to fall off and neglect their security programs, it is up to the organization to decide if it will replace that vendor or work with them to remediate its risks. This is called “vendor relationship management” and is essential for any vendor risk management program.
Find out more about how to perform cybersecurity risk assessments >
Step-by-Step Guide for Assessing Vendor Cyber Risks
Organizations and businesses can follow the next steps as part of their cyber risk assessment process:
- Identify all business-critical assets, systems, and data
- Identify all potential risks, vulnerabilities, and cyber threats
- Determine risk criteria and risk tolerance
- Review existing security controls
- Verify compliance with existing industry standards, frameworks, and regulations
- Calculate the likelihood of risk occurrence and total impact
- Define contractual terms and service-level agreements (SLAs)
1. Identify All Business-Critical Assets, Systems, and Data
Understanding which assets are most critical to your organization is the first step in the vendor risk assessment process. Vendors that require access to more sensitive information must meet stricter security requirements as part of the process.
It is impossible for businesses to assess cyber risk for their vendors without first understanding which of their assets is most valuable and invites the most risk. After identifying the most important assets, organizations can begin tailoring their vendor risk assessments around those assets and focus on the most relevant security controls.
2. Identify All Potential Risks, Vulnerabilities, and Cyber Threats
Once all the critical assets have been identified, businesses must determine the types of risks they face when sharing their data with vendors and how they could potentially be exploited or exposed. Potential vendors with unpatched vulnerabilities, large attack surfaces, and a lack of threat management may be initial red flags to review in the early stages.
Once all risks and vulnerabilities have been identified, they should be tiered and categorized by criticality level (Low, Medium, High, Critical) and the likelihood of occurrence (Unlikely, Likely, Extremely Likely).
Additionally, businesses need to determine how the assets will be handled in the supply chain, if at all. If multiple vendors are handling the assets, including additional fourth-party service providers, those organizations will need to consider extending their third-party risk management program to include fourth-party risk management as well.
3. Determine Risk Criteria and Risk Tolerance
Organizations must establish minimum security requirements for ALL potential vendors before they enter the procurement process. This establishes a baseline for measuring vendor security to help streamline the entire process. Vendors that do not meet these requirements, whether they are potential or existing vendors, should be automatically flagged and subject to rejection or termination of their contract.
In doing so, organizations define their risk tolerance or risk appetite, which specifies the level of risk they are willing to accept when evaluating potential vendors. Because each vendor will also have their own risk profile, determining acceptable levels of risk will allow organizations to prioritize their risk and threat management across all of their vendors. Vendors can also be tiered by their overall criticality level so that organizations can quickly view who needs to be reviewed and addressed first.
4. Review Existing Security Controls
Security controls are the backbone of every company’s security program and must be evaluated for all potential vendors. This means verifying that the vendor has the appropriate security measures to handle your organization’s most important data. If the vendor does not have the appropriate security controls, it is up to the organization to help implement them or provide guidance on implementing adequate controls.
However, because each vendor’s security controls will be unique and different, this step of the process can be especially time-consuming and resource-intensive. This can pose a problem for scaling businesses or large enterprises already managing hundreds of vendors.
To ensure that the security of each vendor is being monitored completely, organizations need to consider using dedicated vendor management services or tools that can automate these steps and scale the assessment process. Some solutions or tools that can be especially helpful are:
- Security rating services
- Risk and vulnerability scanners
- Continuous monitoring solutions
- Security questionnaire and compliance managers
In some cases, enterprise-level organizations may want to consider outsourcing the entire cyber vendor risk management process on a larger scale.
5. Verify Compliance with Existing Industry Standards, Frameworks, or Regulations
Compliance is an important part of the security assessment process because it identifies if vendors are meeting their security requirements as defined by the law, based on the industry they operate in. Organizations can verify compliance with various regulations and frameworks using risk assessment questionnaires.
Although not all assessment standards or frameworks are mandatory by law, it’s more than likely vendors will need to follow one or more of them to meet minimum security requirements set by the organization. In many cases, the minimum requirements are based on industry standards for information security. Vendors not compliant may be classified as higher risk, lowering their potential for a business partnership.
Some of the biggest or most common assessment standards include:
- HECVAT (The Higher Education Community Vendor Assessment Tool)
- HIPAA (Health Insurance Portability and Accountability Act)
- PCI-DSS (Payment Card Industry Data Security Standard)
- ISO (International Organization for Standardization) 27001
- EU GDPR (General Data Protection Regulation)
- CCPA (California Consumer Privacy Act)
- SOX (Sarbanes-Oxley Act of 2002)
- COBIT (Control Objectives for Information and Related Technologies)
- GLBA (Gramm-Leach-Bliley Act)
- FISMA (Federal Information Security Modernization Act of 2014)
- CIS Controls (Center for Internet Security Controls)
- Standardized Information Gathering (SIG)
- Cloud Security Alliance (CSA)
6. Calculate the Likelihood of Risk Occurrence and Total Impact
The simplest method to calculate vendor risk is Likelihood x Impact = Risk. However, the methodology for calculating risk cannot be reduced to a single equation. Other factors, such as the type of threat, severity of vulnerabilities, and information value, must also be considered. Instead, one common (and popular) method that many IT security experts use is qualitative and quantitative risk analysis.
Qualitative risk analysis is usually scenario-based and uses hypothetical situations to determine perceived risk. Qualitative approaches are more subjective than quantitative methods and require an understanding of the reputational risks and financial impact of each public-facing risk.
On the other hand, the quantitative risk assessment approach measures cyber risk from a statistical point of view to quantify the exact cost of a risk by using metrics including the likelihood of occurrence, loss expectancy, and risk remediation costs.
Organizations can incorporate the results from their risk calculations into their assessment process to make the final decision on whether to onboard or reject a potential vendor. Third parties considered high-risk vendors may result in the organization finding a replacement or instituting stricter requirements and closer monitoring to ensure all risks have been mitigated or remediated.
7. Define Contractual Terms and Service-Level Agreements (SLAs)
If a vendor has been deemed acceptable and meets the organization's requirements, the final step is to define the contract terms in an SLA, including agreements to uphold strong cybersecurity practices and terms of violation. Part of the process of managing third-party relationships (or any business relationship) is ensuring that vendors understand the terms of the business agreement, which can be reviewed on an annual basis.
It’s important to note that during the procurement process and before any SLAs are signed, organizations do not have to begin the risk remediation process unless the vendor has been deemed as a “critical vendor” or one that is essential to the business to continue operating. If the vendor has been classified as a “critical vendor” at a critical risk level, it may affect the subsequent SLA to be drafted with stricter and more rigorous security requirements.
How UpGuard Helps Organizations Assess Cyber Risk in Potential Vendors
UpGuard supports organizations building out their Third-Party Risk Management programs through UpGuard Vendor Risk. UpGuard Vendor Risk is an end-to-end vendor management platform that helps businesses gain visibility into vendor security postures, identify areas with the highest risks, create remediation workflows to minimize those risks, automate the security questionnaire process, and provides managed services to assist the process from start to finish.
Businesses looking to scale with hundreds or thousands of vendors can use UpGuard Vendor Risk to assess each and every vendor quickly and efficiently through its user-friendly dashboards. Additionally, UpGuard Vendor Risk provides continuous monitoring services to ensure that no vendor falls behind in their security programs and puts the entire supply chain at risk.