Op-Ed: Guarding against cyber threats – The significance of cyber monitoring in vendor risk management

In Australia, there have been several cyber data breaches within major businesses since last year, with prominent examples including Optus, Latitude Financial, and Medibank. These breaches have resulted in data from millions of customers and employees being compromised. With businesses relying on a network of vendors, partners, and contractors and exchanging sensitive data across the supply chain, the substantial risks posed by these third parties are evident, leaving companies vulnerable to cyber attacks. As a result, businesses of all sizes are recognising the imperative of countering this threat through expert, end-to-end VRM programs to secure their operations.

The term “cyber VRM” is sometimes used for the process of predicting, analysing, mitigating, or resolving any cyber security risks posed by an organisation’s third-party vendor, as opposed to traditional VRM or third-party risk management (TPRM) programs that focus on broader risk mitigation when employing third-party vendors. However, at Protecht, we don’t consider cyber VRM a standalone project or product but rather an inherent part of your VRM program for any organisation facing cyber threats – which is any organisation in the modern world!

By including cyber within your VRM program, you can benefit your organisation in several ways:

• Predicting and assessing the cyber security risks posed by vendors at the time of onboarding
• Monitoring vendors and changes in the risk profile
• Responding to threats, remediating, and restoring safety
• Scaling existing VRM to include security around the adoption of cloud-based services

All VRM programs must factor in the end-to-end operations of a vendor and the risks posed at all points of a vendor’s relationship lifecycle – from onboarding to exit. It needs to begin even before the onboarding and end after analysing all changes in threat after a vendor leaves permanently.

For cyber programs, in particular, here are some of the key points you should consider:

1. Onboarding: Start by determining the criticality of the vendor, as this will inform the level of due diligence and risk assessment required. The cyber aspect of onboarding should include questionnaires, both industry standard and self-developed by the organisation. This can help quickly analyse vendors against industry best practices and regulatory requirements, as well as against the organisation’s own requirements and standards. A thorough risk assessment, along with background checks, should also be mandatory before the vendor comes on board. However, it is important to note that vendor risks are dynamic, and the risks posed at the beginning of a vendor’s life cycle might change over time.
2. Checking the vendor’s cyber security ratings: Cyber security ratings are a quantitative measure of a vendor’s cyber “health”. These data-driven, objective, and dynamic ratings give a real-time view of the vendor’s associated risks. Moreover, they can be generated by independent security rating platforms, giving an objective, unbiased view of the risks posed by the vendor before even beginning the official onboarding process.
3. Documentation and service-level agreements (SLAs): After a thorough cyber risk and rating assessment, the vendor and financial institution must communicate their intent and outline risks clearly, as well as document the same through relevant contracts, non-disclosure agreements, due diligence documents, etc. This will also help build a more insightful relationship between the two parties, based on transparency and trust. In the same manner, SLAs should be clearly drawn out, even in terms of mitigating potential risks during their period of service. This will ensure business continuity in the face of crisis and build operational resilience. A good cyber VRM solution will have appropriate security controls and measures in place to navigate any risks once they arise.
4. Consistent monitoring and progress checks: Due to the rapid adoption of cloud-based services, a vendor’s risk to the business can change over the duration of the relationship. It is integral to any VRM program, cyber security or otherwise, to consistently monitor the risks from vendors and their relevant cyber security ratings. The solution used to monitor risks also needs to be up to date with changing risk environments and monitor the latest vulnerabilities and cyber threats.
5. Remediation: A VRM program empowers vendor managers to not just gain powerful insights into cyber security threats and risks but also take action on the findings. It empowers managers through automatic workflows to request remediation from vendors when a new risk or issue arises. It will enable organisations to respond to a change in risk profile and take corrective actions more consistently.
6. Offboarding: Since vendors have access to important and sensitive information, doing a final risk assessment before the vendor leaves the organisation is important. Cloud-based access to information also means a vendor can take sensitive data with them, use or sell it for profit or personal gain, or even unintentionally leak it. Through appropriate checks and balances, it is critical to ensure that no sensitive information remains outside of the company after the vendor relationship ends.

In light of the adversarial nature of cyber attacks, it is crucial for your overall enterprise risk framework to be complemented by continuous monitoring of evolving cyber threats and innovative solutions to combat them. Regardless of your organisation’s current maturity level, it is essential to empower your organisation to identify, monitor, and adapt to these emerging trends. Organisations need to demonstrate their operational resilience and business continuity capabilities, understanding relationships with third-party vendors, fourth parties, and beyond.

By David Bergmark, chief executive officer at Protecht

David Hollingworth

David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.

VIEW ALL