You understand the importance of a Vendor Risk Management strategy in mitigating the impact of third-party data breaches. However, you’re still unsure about its application to different vendor cyber risk contexts. To help you bridge this application gap and leverage the complete benefits of a Vendor Risk Management process, this post outlines three common examples of vendor security risks and how a VRM program could be tailored to address them.
Learn how UpGuard streamlines Vendor Risk Management >
Scenario 1: Finance Entity Outsourcing Sensitive Data
A financial institution is using a third-party IT service to process customer data for online banking
In this scenario, a financial institution partners with an IT service provider to support its online banking infrastructure.
The financial entity is aware of the following cybersecurity details about its vendor:
- The IT third-party vendor has no history of data breaches or significant cybersecurity risks, so no reputational risks are associated with this vendor relationship.
- The IT service provider outlines its cybersecurity standards in Trust and Security pages, indicating that they’re PCI DSS compliant - these pages are public-facing overviews of a vendor’s performance in terms of its cybersecurity and Third-Party Risk Management (TPRM) practices (example of a Trust page).
This scenario presents a very critical vendor risk profile situation. Any third-party relationship processing of sensitive information from a financial entity is a high-risk relationship. Financial customer data is the most likely to be targeted in a cyber attack. These types of vendor risks need to be taken very seriously.
As an example of the potential scale of a security breach involving a financial service, read about the cyber incident involving First Financial in 2019.
Learn how UpGuard helps financial services mitigate data breach risks >
Example of a VRM approach for mitigating banking security risks
Note: The following is a high-level application of a Vendor Risk Management program for this financial cyber threat scenario. For a more in-depth example of how to apply VRM to your unique vendor risk exposure context, request a free trial of UpGuard.
Step 1: List all of the potential security risks associated with the vendor
The most obvious security risk associated with the vendor in this scenario is the risk of suffering a data breach, given the susceptible data they are entrusted with. In a Vendor Risk Management program, all vendor relationships processing sensitive customer information are automatically flagged as high-risk and assigned to the highest level of criticality in a vendor tiering structure.
Beyond the obvious security risks associated with sensiitve data processing, all of the vendor's potential levels of risk across all applicable risk categories should be noted. This will set the context for an official vendor risk assessment that will be completed for the vendor in the next step.
Not all risk categories are relevant to all industries. However, the list of risk categories that should be acknowledged is comparatively larger for financial entities, a sector most likely to suffer a data breach directly or through a supply chain attack.
As a financial entity, the following security risk categories should be addressed in every vendor lifecycle.
- Business Continuity Risks - Operational risks impacting service-level agreements with customers and financial regulators.
- Compliance Risks - Risks associated with violating financial regulatory standards, such as PCI DSS, and data security standards, such as the GDPR.
- Supply Chain Security Risks - Vulnerabilities in the supply chain increasing the potential impact of supply chain attacks.
- Financial Risks - Financial risks associated with vendor service disruptions, inadequate security controls, and regulatory compliance violations.
- Strategic Risks - Risks arising from a vendor’s operations misaligning with your strategic objectives.
Some examples of sources that could help build a preliminary vendor risk profile in preparation for an official third-party risk assessment include:
- Trust and Security Pages - An overview of a vendor’s security measures, which could include their efforts of adhering to regulatory requirements and their choice of risk management framework. Some trust pages include details of attained security certifications and efforts, which could indicate their strength in aligning their business operations with industry standards.
- Attack Surface Scanning Results - A form of third-party risk discovery automation indicating potential risks associated with internet-facing web assets - an essential component of an effective Vendor Risk Management platform.
- Completed Questionnaires - The availability of completed security questionnaires reduces time wasted completing repetitive questionnaires, expediting the formation of a vendor’s risk profile and streamlinling the risk assessment process.
These data sources are commonly referenced during Vendor Due Diligence - the process of onboarding vendor contracts in a manner that aligns with your information security and third-party risk appetite standards.
The more cybersecurity performance data sources that are available for prospective partnerships, the more streamlined and secure the vendor selection and procurement processes are.
In this scenario, the financial institution only has one of the data sources available on this list - a Trust and Security page indicating their objective of meeting the compliance requirements of PCI DSS.
For a real-life example of how a financial institution leverages Vendor Risk Management to mitigate data breach risks, read this case study for ANZ Bank.
Step 2: Perform a risk assessment for the third-party IT service
The IT service provider’s Trust and Security page forms a basis for the vendor’s initial risk assessment. The financial entity should aim to meet three primary objectives in this vendor assessment:
- Determine the vendor’s likelihood of suffering a data breach - this evaluation must consider the location of the vendor’s servers and whether they are considered ‘high-risk”.
- Determine the potential degree of impact on business operations should the vendor suffer a data breach.
- Outline an action plan for the remediation and ongoing monitoring of all data breach risks discovered in this comprehensive audit.
For non-critical vendors, referencing Trust and Security pages and automated scanning techniques could be a sufficient standard for tracking security liabilities in place of a full risk assessment.
Automated scanning techniques leverage security rating technology for real-time continuous monitoring of the third-party attack surface. This technology is an invaluable tool when implementing a vendor risk assessment process.
Given that the IT service provider is classified as a critical vendor, they will need to undergo a complete risk assessment - one also involving security questionnaires.
As a minimum, the vendor’s risk asses,emt should include the following security questionnaires:
- PCI DSS Questionnaire - To ensure the vendor’s compliance with security measures aligns with your compliance metrics.
- Web Application Security Questionnaire - To determine any security risks associated with any SaaS solutions the IT service provider uses to support the financial entity's web app.
For a list of other security questionnaires commonly used in risk assessments for new vendors and existing third-party relationships, refer to this list of questionnaires available on the UpGuard platform.
As a financial entity bound to strict third-party security regulation standards, the organization should implement a scalable process of managing vendor risk assessments. Otherwise, overlooked or delayed risk assessment tasks could leave the business vulnerable to critical third-party attack vectors, leading to a costly data breach.
As such, using spreadsheets to manage vendor security assessments is not ideal. Instead, the financial entity should manage its vendor risk assessments in a VRM platform specifically engineered to optimize all direct and indirect processes supporting the risk assessment workflow.
To illustrate how a VRM tool streamlines the complete risk assessment workflow, watch this video:
Step 3: Manage all security risks discovered in the risk assessment
After completing the risk assessment, the financial entity should differentiate the most critical risks and implement a plan for their remediation. Depending on how involved stakeholders are in the financial entity’s risk management plans, they may need to be included in the strategizing process. If the financial entity is implementing the cybersecurity framework NIST CSF, it will need to increase stakeholders' involvement according to the latest updates in version 2 of the framework.
Related: Choosing cyber risk remediation software
For this vendor risk context, the financial entity should focus its risk management plan around the vendor’s data security standards, ensuring sufficient encryption and access control standards are followed.
To provide additional direction to a prospective risk management plan, the financial entity should revise the vendor’s business continuity and incident report strategies.
Related: How to create a business continuity plan
Step 4: Continuously monitor the security posture of the vendor
Beyond immediate responses to critical security risks, the financial entity should follow a long-term plan for managing the vendor’s emerging risks, also known as a continuous monioring strategy.
For continuous monitoring efforts to be effective, they should track real-time variations in the IT service provider’s attack surface. The benefit of leveraging such technology is that it will expedite onboarding new vendors moving forward by offering an additional source of security performance evidence during the vendor due diligence process.
Attack surface monitoring is a subset of Attack Surface Management, a continuous monioring feature supporting Vendor Risk management. Watch this video for an overview of ASM:
With a VRM platform, a continuous monitoring process is embedded into the Vendor Risk Management framework.
In this example taken from the UpGuard platform, a vendor risk overview provides a snapshot of the vendor risk exposure as determined by security ratings. Such a vendor risk matrix differentiates critical vendors (such as the IT service provider in this scenario), grouping them in a separate vendor tier for more focused monitoring.
For an overview of an efficient Vendor Risk Management program that can be established with a VRM platform like UpGuard, watch this video:
For a real-life example of a financial entity using UpGuard to manage its third-party risks, read this case study.
Scenario 2: Healthcare entity outsourcing PII data processing
Healthcare provider using cloud-based patient record management system
Scenario overview
- A healthcare provider depends on a third-party cloud service to store and manage electronic patient records.
- The healthcare provider is concerned about the growing risk of ransomware attacks in the industry.
- As a healthcare provider, the entity must comply with the Health Insurance Portability and Accountability Act (HIPAA), which stipulates third-party risk management requirements.
Learn how UpGuard helps healthcare services mitigate data breach risks >
Example of a VRM approach for mitigating healthcare security risks
Note: The following is a high-level application of a Vendor Risk Management program for this healthcare cyber threat scenario. For a more in-depth example of how to apply VRM to your unique vendor risk exposure context, request a free trial of UpGuard.
For a real-life exampe of how a healthcare entity is leveraging Vendor Risk Management to address its vendor security risks, read this case study.
Step 1: Identify potential security risks
The healthcare entity should set the context for its upcoming VRM strategy by listing all known potential security risks associated with this vendor. Given the brief in this scenario, such a list would likely consist of the following items:
- Data Breach Risks: Primary risk due to the sensitive nature of health records being outsourced.
- Ransomware Attacks: Potential for system lockdowns and data hijacking given the business industry.
- Insufficient Data Encryption: Risks related to data in transit and at rest not being fully encrypted.
- Non-compliance with HIPAA: Legal repercussions and fines due to non-compliance.
- Access by Unauthorized Entities: Risks of data being accessed by third parties not authorized or intended to view patient information
Step 2: Classify the vendor as "critical"
Due to its handling of highly sensitive and regulated customer healthcare information, the cloud service provider must be classified as critical to be readily prioritized in a VRM program.
Given the vendor’s heightened risk of being used as an attack leading to the healthcare entity’s internal data, they are likely to be targeted in a supply chain attack through their vendor network (the healthcare entities fourth-party’s). As such, the healthcare entitiy's fourth-party vendors mapping from this cloud service could be flagged as “critical” in a Fouth-Party Risk Management (FPRM) program.
Step 3: Perform a comprehensive risk assessment
The cloud-based patient record management system should undergo a full-risk assessment, evaluating HIPAA compliance and the potential attack vectors through which they could be exploited.
Some important aspects of their cybersecurity performance that should be investigated include:
- Security and Compliance Audits: Whether regular audits take place to test and verify compliance with HIPAA.
- Data Encryption Verification: Whether all data transmitted to and stored on the cloud is adequately encrypted
- Ransomware Preparedness: The cloud provider's safeguards against ransomware attacks, including their backup and recovery procedures and recovery plans.
- Access Controls Review: The effectiveness of the third-party provider’s identity and access management policies.
Step 4: Manage identified security risks
After evaluating the baseline strength of all security controls across primary cyber risk categories impacting the vendor’s security posture, the healthcare entity could implement a risk management strategy bolstering the following control areas:
- Access Controls: Implement a robust access control policy enforcing the Principle of Least Privilege as part of a Zero-Trust architecture - a strategy that could also obfuscate supply chain attack attempts.
- Encryption Standards: Ensure best encryption practices are adhered to. For a healthcare entity, this should ideally be the Advanced Encryption Standard (AES) with a variable key length of 256 bits.
- Incident Response Plans: Ensure incident response plans include a clear response strategy with notification processes to recover compromised systems quickly. The healthcare entity could track the efficacy of these exercises by requesting incident response reports for each training event.
- Network Segmentation - To address the vendor’s scope of potential cyber attack methods (ransomware, data breach, supply chain attack), ensure network segmentation best practices are being followed.
Step 5: Continuously monitor the security posture of the vendor
The healthcare entity should implement a risk management strategy for tracking the vendor’s ongoing compliance with HIPAA, ideally with a risk assessment tool capable of automatically detecting HIPAA based on questionnaire responses - a feature available on the UpGuard platform.
In addition to the point-in-time cyber risk evaluations of vendor risk assessments, the healthcare entity should include real-time security posture tracking by leveraging security rating technology. This idealistic cyber risk detection set combines teh deep insights gathered from risk assessments with the ongoing coverage of security ratings to achieve real-time third-party attack surface monitoring, a characteristic feature differentiating the most effective Vendor Risk Management programs.
Scenario 3: University implementing EdTech cloud solutions
A University is utilizing EdTech products to support its delivery of educational resources for students.
Scenario overview
- A university partners with EdTech companies to provide online courses and virtual learning environments.
- Being an educational institution, the University must ensure compliance with the Family Educational Rights and Privacy Act (FERPA).
- The university should have a capable incident response and business continuity plans in place to mitigate disruptions to educational services in the event of a security incident, a shortfall that could have a significant impact on the University’s public reputation.
Example of a VRM approach for mitigating the security risks of an Educational Institute
Note: The following is a high-level application of a Vendor Risk Management program for an educational entity’s cyber threat scenario. For a more in-depth example of how to apply VRM to your unique vendor risk exposure context, request a free trial of UpGuard.
For a real-life exampe of how a University is leveraging Vendor Risk Management to address its vendor security risks, read this case study.
Step 1: Identify potential security risks
The educational entity in this scenario is potentially exposed to three primary categories of risk:
- Data Breach Risks: High risk due to the storage and processing of sensitive student information.
- FERPA Non-Compliance: Legal and reputational risks associated with failing to adhere to FERPA guidelines.
- Unauthorized Data Sharing: Potential for EdTech companies to misuse student data or share it with unauthorized third parties.
Step 2: Classify the vendor as "critical"
Given that the university is potentially exposing Personally Identifiable Information of its students to support the vendor’s services, the EdTech vendor should be classified as “Critical” in a Vendor Risk Management program.
Step 3: Perform a comprehensive vendor risk assessment
The university should deploy a full risk assessment for the vendor to evaluate the severity of all potential risks resulting in a data breach. To evaluate the strength of the vendor’s third-party security and, therefore, its risk of suffering a data breach, the risk assessment should include a HECVAT questionnaire - an evaluation of information security and data protection standards.
Since this educational entity uses several EdTech products, it should ensure its risk assessment workflows operate within a scalable vendor risk assessment framework. This best practice will ensure the University remains resilient to third-party data breach threats as it scales its vendor network.
Watch this video for an overview of how to establish a scalable vendor risk assessment process.
Step 4: Manage identified security risks
The vendor’s risk assessment will likely uncover the following risk areas requiring attention:
- Data Privacy Protocols: Implementing advanced data protection measures such as end-to-end encryption for data in transit and at rest and secure authentication methods could keep student data protected even if stolen in a data breach.
- FERPA Compliance - Ensure FERPA compliance so that student data is readily available to students whenever requested.
- Data Security - FERPA compliance alone will not completely protect student data from compromise following a data breach. The University should ensure its vendor implements appropriate levels of data security across all of its platforms, such as AES 256 encryption and Multi-Factor Authentication, to prevent student data compromise from phishing attacks.
Step 5: Continuously monitor the security posture of the vendor
Given the likelihood of education entities exposing their data through third-party services, the university should anticipate its third-party vendors being targeted through their direct attack surface. This risk scenario is addressed by accounting for fourth-party risks in a continuous monitoring strategy.
A Vendor Risk Management product like UpGuard incorporates fourth-party risk tracking into its VRM processes for the most comprehensive degree of data breach protection.
