Many of the recent cyber attacks in the news have something in common. A third-party vendor or affiliate is involved. Proper oversight of these third parties is an essential element of your institution’s cyber resilience strategy. You can outsource the function, but never the responsibility.
If you are a regulated entity such as a financial institution, you already have a process in place to identify your critical vendors and perform due diligence reviews accordingly.
But what if you’re a non-regulated business that doesn't have any regulatory pressure to perform vendor reviews, but still wants to follow “best practice”? Here’s an easy way for you to think about vendor management.
First, conduct a risk assessment on the vendor’s application.
There are two key questions to consider:
- Will this application be critical to my company’s operations?
- Will it contain sensitive data, and would the loss/breach of said data be critical to my company?
If the answer to either question is yes, then consider conducting a due diligence vendor review. Here’s what you should ask your vendor to provide:
- Evidence of security controls (via contract and documentation).
- Evidence that security controls are effective (SOC reports, independent assessments, etc.).
- Evidence that it can continue to provide contracted services in the event of a disaster.
- Evidence that it has a strong incident management program, and will duly report incidents to you as required by law, regulations and best practice.
The vendor’s ability to deliver the evidence in a timely and sufficient manner will be key in determining whether further investigation is warranted. Ideally, they know exactly what you’re looking for – almost without asking – and provide a comprehensive (and current) set of documentation that verifies their controls. On the other hand, if they are hesitant, and if the documents they provide are brief, insufficient, and dated, that should be a red flag.
If the vendor attempts to verbally reassure you that they have the proper security controls in place, but doesn’t have the documentation to back up their claims, that’s another red flag. In fact, that should be a show stopper. Good documentation provides evidence that the vendor cares about security. Weak documentation tells a different story.
Now that you know what questions to ask, it's time to start building your vendor list. Not sure where to start? You can get some tips here.
Are Your Vendors Cyber Secure?
Proper oversight of your third-party service providers is an essential element of your cyber resilience strategy. Tyler Cybersecurity’s Service Provider Cybersecurity Assessment Program supports the management of all your third-party service providers. Our specialized approach helps you create the most efficient review process - saving you time while ensuring compliance.