How to Review Critical Vendors' Cybersecurity
Third-party vendors are frequently responsible for data breaches at financial institutions and other companies. Criminals exploit vulnerabilities of third-party vendors to access data or find ways into a financial institution’s systems.
A good vendor management program recognizes the threat of data breaches, ransomware, and other cyberattacks. It has a system in place for reviewing and assessing the cybersecurity of critical vendors.
Make sure your institution is following these six steps for reviewing critical vendor cybersecurity.
1. Identify critical vendors. Before you can review critical vendors’ cybersecurity, you need to identify critical third-party vendors. (Depending on your regulators, you might call them critical, significant, or high-risk vendors.) These are vendors that provide critical functions to your institution or have access to sensitive data. Critical vendors require greater due diligence and monitoring because they present a greater risk to the institution. Identifying and assessing critical vendors is a key function of any vendor management program.
Download our free on-demand webinar: What a Difference a Vendor Makes: Determining Your Critical Vendors
2. Identify the documents you’ll need to review. A site visit can’t tell you much about a vendor’s cybersecurity, and you can’t expect a vendor to fill out a long, detailed questionnaire for each of its customers. That makes reviewing vendor cybersecurity an exercise in collecting and analyzing documentation.
It’s important to identify the key documents your institution will need to review critical vendors’ cybersecurity. An SSAE 18 audit (and the SOC-2 reports it generates) is one of the most comprehensive and valuable tools for assessing vendor cybersecurity. The SSAE 18 objectively assesses a company’s internal controls, providing assurance the vendor has controls to protect data, maintain availability, protect privacy, and accurately process payments. It can also reveal how exceptions are corrected—or aren’t corrected—to determine vendor reliability.
If a vendor doesn’t have an SSAE 18 audit, you’ll need the results of any other independent audits or test results covering these areas as well as policies and procedures describing cybersecurity and other related controls. Audited financial statements and proof of insurance, including cybersecurity insurance, are also useful to show a company is financially sound.
3. Ensure contracts require vendors to deliver IT security reports and documents. Assessing a vendor’s cybersecurity requires documents, but a vendor is not legally required to give you anything if it’s not written in the contract. When negotiating or re-negotiating a vendor contract, make sure your critical vendor guarantees your institution will receive the specific documents it needs to assess cybersecurity.
Be specific: do not just say you want IT security due diligence documents. That could be anything—including every cybersecurity policy and procedure the vendor has down to the most minute, unimportant detail. While it’s bad when you don’t have all the documents you need, it’s also inconvenient to be flooded with irrelevant documents that make it hard to pick out what matters.
When requesting vendor documents, focus on areas such as:
4. Before conducting a review, make sure all the documents are in-hand, up-to-date, and relevant. Just because you have a large pile of vendor cybersecurity documentation doesn’t guarantee they are the right reports. Make sure you have the right documents, that they are up to date, and that they apply to the products and services your institution uses. You don’t want to waste time reviewing documentation for a product your institution doesn’t have. Only review documents related to fourth parties if that fourth party-vendor critically impacts your operations.
Don’t wait until or the last minute to check to make sure you have all the documents. It can take weeks for larger vendors to respond to due diligence documentation requests, and you may have to ask multiple times.
5. Ongoing risk assessment. The goal of assessing a vendor’s cybersecurity documents is to understand the controls a vendor has in place to protect your institution and its data. Is there someone on staff with the time and expertise to read through the documentation and interpret what it means?
Assess vendor controls in key areas (IT security, business resilience, incident response, data security, fourth-party risk, etc.) Take the time to understand the cybersecurity risks the vendor poses to your institution. Are those risks within your institution’s risk tolerance? Can the vendor be doing more to enhance the maturity of its cybersecurity program? Is it adequately insured in the event of a breach? Is your institution comfortable going forward or continuing with the vendor?
Make sure you set a schedule for regularly reviewing vendor cybersecurity. Cyber threats are constantly evolving—you want to know if critical vendors are doing everything they should to keep pace.
If there isn’t someone on staff with the time to track down all the documents and review them to understand how they apply to cybersecurity risk, Ncontracts’ managed vendor services can do the heavy lifting for you.
5. Ongoing vendor cybersecurity monitoring. Vendor cybersecurity monitoring provides real-time data on critical vendors’ cybersecurity postures by collecting and assessing publicly available information. It prevents breaches by detecting threats and vulnerabilities before they can be exploited.
Good cybersecurity monitoring lets institutions know if there is a real-time cyber risk to a vendor, triggers actionable alerts that allow the institution to respond promptly to the threat, and provides the information your vendor needs to eliminate the vulnerability.
This data can also feed into vendor cybersecurity risk assessments to help institutions make more informed assessments.
Don’t be caught off guard by a breach of a critical vendor. Make sure you’re regularly reviewing critical vendors to assessing their ability to effectively prevent, identify and resolve incidents and mitigate exposure to cyber risk.
Want to learn more? Check out our on-demand webinar Assessing Third-Parties and Measuring What Matters.