04-27-20 | Blog Post
In the areas of technology and compliance, third parties create a special set of challenges. Third parties are your vendors, business partners, and a significant part of your supply chain. Security and compliance are difficult to assure across this hierarchy of third parties and their own vendors; for your business to be compliant the entire chain of vendors must be compliant.
One of the keys to maintaining business compliance and reducing breaches associated with third parties is an in-depth, regularly repeated vendor assessment plan that feeds a Vendor Risk Management (VRM) program. According to a 2019 Protiviti VRM survey, only 40% of organizations have fully mature Vendor Risk Management programs in place. The survey goes on to describe the increased vulnerability associated with not having a VRM program: 2019 saw a 67% increase in the number of organizations experiencing a significant disruption from cyber-attacks or hacking. Additionally, there is potential for long-term business impact, as 37% of respondents reported that fixes from a cyber attack took three months to a year. With IBM reporting the average cost of a data breach at US $3.92M, and third-party involvement typically adding 10% to that figure, it’s clear that immediate steps are needed to protect the business and assure third-party compliance.
Let’s consider the example of third parties and HIPAA breaches. According to a Health and Human Services report published by the HIPAA Journal, there were over 500 breaches of 500 or more medical records in 2019. Many of these breaches were associated with third-party vendors; the largest of them was 11.5 million records compromised via a server hack. Using vendor risk assessments and implementing a VRM program can identify similar areas of your business that are vulnerable to breaches and lay out an expedient mitigation plan. An assessment will also consider the amount of cyber liability insurance required to reduce the financial impact of a breach. Both the primary business and third-party vendors should be adequately insured. Sticking with the HIPAA example, for assessments, vendors are required to provide written documentation of compliance that meets or exceeds mandated levels. The preferred HIPAA-compliant vendor should have business associate agreements (BAAs) to maintain the security of protected health information (PHI), as well as ePHI-compliant cloud, colocation, disaster recovery and backup services. Similar requirements exist for other compliance regimes, including PCI, SOC 1, 2 and 3, Privacy Shield, and ISO 27001.
A qualified assessment begins with the business identifying and evaluating its own systems, processes and personnel, ranking their risk levels based on involvement with proprietary data, intellectual property and handling of compliance-regulated information. The assessment then considers each critical compliance requirement for vendors, partners and suppliers; corresponding actions are taken to eliminate or replace non-compliant vendors and services. All elements of compliance must be assured in writing, with a stringent requirement that any change or modification be disclosed. A comprehensive security policy and a security test plan are added to the assessment (for both the primary business and its vendors, partners and suppliers). The assessment is completed, the testing plan executed, and the results rolled into a VRM program. This is a very high-level description of a vendor assessment program and VRM. Creating and maintaining a program like this requires significant resources and data collection, which leads many businesses to seek outside assistance. When you consider the detrimental impacts on the business resulting from a breach, the costs and activities associated with conducting assessments and establishing a VRM program are justified by the reduction in business risk.
Ready to begin a defense-in-depth and compliance-based approach to securing your environment and assuring business continuity? Otava can help. We employ stringent defenses in our people, processes and technology to protect organizations of all industries and sizes from human error and malicious attacks. Check out our blog about protecting against attacks, contact us to chat with a security expert or call us today at 877-740-5028.