A significant part of creating and sustaining a successful organization is managing risk of all kinds. Effective vendor risk management (VRM) is particularly relevant with companies increasingly interconnected by technology, and supply chains extending to cover not just territories or nations, but the entire globe.

Diverse fields such as cybersecurity, regulatory compliance, management of vendor relationships, and third-party due diligence need to be addressed when developing a vendor risk management process. With the ever-changing cyber landscape, new parameters need to be addressed each day.

Let’s take a look at what a vendor risk management program is, and how an effective risk management program should look in 2020.

What Is A Vendor Risk Management Program?

A risk vendor management (VRM) program is a systematic way of handling third-party risk assessments, monitoring and measurement for vendors. The aim of such a program is to evaluate a vendor’s effect on all aspects of a company; and to build compensatory controls or other ways of mitigation to reduce the impact on your company should something happen. A program of this sort provides you with continuity for the management of your suppliers and vendors as well as offers a way to raise awareness of their impacts within your organization.

As for security, companies must change the way they view security. It’s not just about securing your network, software, and digital assets against cyber attacks and data breaches. It’s now about your vendors’ network, the software they provide to you and the assets you share with them as well as yours.

With all this in mind, what should an effective VRM program look like?

1- Standards-Based

Leveraging a standards-based framework or a ‘best-practice’ mindframe is always useful in managing your VRM program. There are various standards, best practices and regulations referring to vendor obligations in the security risk context.

There are also commonalities among these frameworks such as “auditing your third parties or suppliers routinely to confirm they are meeting contractual obligations” and “considering each party/vendor and their obligations including the agreements.” In spite of these commonalities, some diverge on sector-specific concerns such as HIPAA’s:

  • Disclosure of protected health information for marketing and fundraising purposes
  • Prohibit the sale of protected health information without individual Authorization
  • Disclose protected health information (PHI) to a business associate under a written contract with certain assurances

Of all the standards and frameworks, the NIST CyberSecurity Framework (CSF) stands to be most applicable to different verticals. For a detailed reference to vendor relations within NIST CSF, read our due-diligence guide.

2- Data-Oriented

It’s important that organizations take care of their assets with scrutiny, and particularly their data when it comes to vendor relations. Whether it be company confidential data such as proprietary manufacturing, engineering process, or the PII of a customer, businesses must know where their data extends in the entire ecosystem. Black Kite’s third-party data breach portal displays numerous breaches over the years caused by cloud vendors, software vendors, and even suppliers. A significant percentage of these breaches result from once-shared and then forgotten data on cloud servers and/or vendor servers. Black Kite’s 2020 Third-Party Data Breach Report highlights that misconfigured servers, being an easy target on the cloud, are in fact good lures to attackers.

It’s also important to know what type of data is shared with vendors. Companies face different consequences when the leaked data is either:

  • Health data (PHI)
  • Payment data
  • Contact data
  • Company confidential data

Third-party vendors working with healthcare providers account for about 23 percent of health-care related breaches in 2019. Therefore, the nature of the data shared with these third parties eventually led to higher costs, leading some of these vendors to the edge of bankruptcy as in the case of AMCA breach.

*Data source: hipaajournal.com

Similarly, British Airways was recently issued a £20m fine – ICO’s (Information Commissioner’s Office, UK) largest fine to date, as the leaked data included payment data. The hackers are believed to have potentially accessed the personal data of approximately 429,612 customers and staff. This included names, addresses, payment card numbers and CVV numbers of 244,000 BA customers.

It’s important to feed these parameters, namely the Data Element, into your Vendor Risk Management (VRM) program.

3-Keep Up the Due-Diligence Process

The due diligence assessment should start from the very beginning of the vendor interaction, namely the RFP process.

Carrying out due diligence of the vendor on a periodic basis is also a  must-have. Any changes to the vendor can affect the risk posed to your organization. Due diligence is not just a method for requesting and receiving. As part of the vendor risk management process, you also have to evaluate frequently to avoid breach scenarios.

Unfortunately, 31 percent of organizations fall short [1]. They report being “well under optimal maturity level with regard to accessing and managing critical vendors.”

Photo by RF._.studio from Pexels

If done right, here is a glimpse of what periodic due diligence would look like:

  • Review the financial statements of the vendor each time they are released. Weak financials reflect far more than poor numbers! This may mean there is a fall in the vendor’s service levels. This shortage is extremely dangerous if the vendor chats with your customers, or could even mean the vendor will go out of business.
  • Request and assess the SOC reports, business continuity and disaster recovery plans and procedures for information security from the vendor. This process can have a huge effect on your company and customers if there are vulnerabilities in defective security controls.
  • Utilize a continuous vendor risk assessment.

4- Incorporate Lessons Learned from Breaches

Breaches have dire consequences, whether it be costs due to lawsuits, forensic investigation or reputational loss. In the last decade, hackers have learned to prey on weaker vendors rather than the company itself. It could be an employee of a consultancy services vendor that has been granted access to a Financial Institution’s network or a cloud vendor who hosts healthcare data of a hospital. 

A recent vendor-caused breach, the Blackbaud breach, affected dozens of beneficiaries including healthcare organizations and universities. After falling victim to a ransomware attack, there were millions of victims. These institutions are now sending their patients and users letters of breach notification.

Another sensational third-party headline was the CapitalOne breach in 2019. The breach compromised 1 million Canadian Social Insurance numbers, 80,000 bank account numbers, credit scores, limits, and balances. The breach occurred through a former Amazon employee who took advantage of a misconfigured Amazon bucket, where CapitalOne kept its data.

The famous Target breach was about giving internal access to a HVAC vendor. Hackers gained access to customer data — including names, credit card information, and more. As a result, Target agreed to pay $18.5 million to 47 states and the District of Columbia, in addition to the $202 million they spent on legal fees and other costs related to the breach.

Thus, it is important to learn from the past breaches. As a general guideline, network access and cloud configuration must be on the top of the list when it comes to security controls.

5- Security Controls Oriented

When companies think about security, they often think of securing their networks, software, and digital assets against cyber attacks and data breaches. Vendor security is often overlooked in the security process. Security, and in particular cyber hygiene, should be an integral part of the Vendor Risk Management program. Companies should make sure their vendors are entirely onboard with the Risk Management program that is being undertaken. Therefore, stakeholders should continuously check:

The status of access granted to vendors:

The use of VPN has been expanded over the years not only to link points within the same network, but also to an external point from within a network, such as through a third-party vendor. As the security landscape has developed, it has become apparent that VPN is too vulnerable to be used to facilitate connections like these because they are not set up to give any good, granular control.

Internet-facing assets:

Companies utilize cloud-servers and software for increased collaboration with vendors so they can encourage innovation for products or services, etc. These servers host a wealth of assets, corporate documents, customer data, etc. When a hacker targets a company, the first thing they look at will be misconfigured servers on the cloud (e.g., S3 buckets and Sharepoint Servers.)

The Human Element:

Photo by Josh Hild on Unsplash

The human element is the weakest link in the entire vendor ecosystem. Companies might already have an Employee Security Awareness program in place. However they should think twice before giving access to employees of the vendors, even if that is a temporary access to the corporate network.

Hackers conduct various reconnaissance activities when they target a company including reconnaissance on its vendors. A leaked vendor credential sought on the dark web could end up gaining access to a company’s network. 

6- Have A Process for Continuous Monitoring

As with any risk management process, VRM is not a one time event. Vendor ecosystems and the landscape they are dwelling in are continuously evolving.

Tools save you from manual effort. In the previous steps, we talked about how security is not a point-in-time configuration but an ongoing effort for the entire vendor ecosystem. Tools provide the automation of managing the security of complex and ever-evolving vendor ecosystems.

It could be a vulnerability assessment tool, or an SRS (Security Rating Service), or even a GRC  tool (Governance, Risk, Compliance) integrated with other tools, but should provide the trending Security Performance of the vendor over time.Black Kite’s Third-Party Risk Assessment continuously assesses an entity or a vendor throughout the entire vendor ecosystem, capturing critical information in the cyber risk dashboard and providing detailed drill-down capabilities to fully understand and mitigate the risk. Ongoing monitoring surfaces prioritize risks and measures cyber risk posture improvement over time.


Black Kite correlates cyber risk findings to industry standards and best practices in the Compliance Module. The classification allows organizations to measure the compliance level of any vendor for different regulations and standards including NIST 800-53, NIST CSF, CMMC, ISO27001, PCI-DSS, HIPAA,  GDPR, and Shared Assessments.

7- Auditable

In order for a vendor risk management plan to be effective, your organization must understand the vendor risk assessment process and be able to collaborate with the compliance, internal audit, HR and legal departments to ensure that the vendor risk management strategy is followed for each new and current vendor.

The internal audit program should be able to assess the controls and processes needed within your company to effectively conduct and handle the risk associated with the overall vendor management program.

It also needs to ensure that risk mitigation controls have been established that are suitable for the size, scale and nature of third parties used to provide goods or services. The scope and priorities of the audit would also focus on the overall maturity and governance framework of the vendor management program and should include all areas involved in the implementation of the program within the organization.

Learn more at www.blackkite.com.


[1] https://www.protiviti.com/US-en/insights/vendor-risk-management
Featured image by Karolina Grabowska from Pexels