
What is your organization’s vendor risk awareness like, and how can you improve your vendor risk management program?
There is a long history of risk and compromise associated with the use of third- and fourth-party vendors.
As a result, supply chain risk is coming under increasing scrutiny. Drivers such as more stringent requirements from cyber liability insurance providers, White House Executive Orders, and the proposed SEC cybersecurity reporting rule for public companies are pushing cyber security to the forefront.
Important Recent Focus Areas For Vendor Risk Management
General Cybersecurity Practices

Cybersecurity is more of a priority now than ever, as exemplified by the countless headlines about cyber-attacks that originated with a third-party vendor. This is true on both the organizational and the consumer side, as cyber-crime has become a growing concern. Pew Research recently reported that 79% of consumers are concerned about how their data is being used.
Fourth Party (Sub-Service Provider) Risk
With the COVID-19 pandemic causing supply chain disruptions and forcing third-party vendors to rely more heavily on sub-service providers, fourth-party risk is also on the rise. These events have made it clear that organizations need to go beyond evaluating their own vendor risk management program and take the additional step of evaluating their vendors' vendor risk management programs as well: ask each critical vendor which sub-service providers are in scope for your data and services, and how those providers are assessed.
Business Continuity and Disaster Recovery Plans and Testing

Fourth-party risk isn't the only vendor risk exacerbated by the global pandemic and the rise in cyber risk. Business continuity and disaster recovery plans, and evidence that they are actually tested, are more important now than ever, especially with the cultural shift toward a remote workforce. A prime example was when a well-known logistics company suffered a ransomware attack that disrupted its operations for several weeks and impacted retailers all over the globe.
Vendor Risk Management Best Practices
A few best practices that Fastrics recommends as your organization continues to develop a comprehensive vendor risk management program:
1. Conduct a thorough vendor assessment.
In your vendor assessment, we recommend the use of SIG questionnaires, SOC 1 and SOC 2 reports, and/or appropriately scoped ISO 27001 certifications with their associated Statements of Applicability. Read the evidence, not just the cover page: confirm that the report's scope and review period cover the systems and locations that will handle your data, that a SOC 2 is a Type II (operating effectiveness over a period, not a point-in-time design review), that carved-out sub-service providers are identified, and that any exceptions or complementary user entity controls are addressed on your side.
2. Implement secure contracting practices.
Whenever applicable, ensure that service level agreements (SLAs) are established so that both the contracting organization and the vendor have a baseline understanding of the minimum level of performance required. (Keep in mind, SLAs are functionally useless without enforcement mechanisms and should be accompanied by service credits or other financial penalties that compensate the contracting organization for faulty service.) Identify recovery time and point objectives (RTOs and RPOs) and single points of failure with your contractors, and be sure to include rights to audit, insurance requirements, and indemnification clauses. Security incident notification timelines, data handling and return-or-destruction obligations, and advance notice of new sub-service providers belong in the contract as well, since they are far harder to obtain after an incident than before signature.
3. Conduct re-assessment practices.
Identify your key risk insights, the role your vendors play in your ongoing risk management practices, and whether your vendors are continuing to meet your expectations. You may find that you "bucketize" your vendor reassessment frequency based on inherent risk (data sensitivity, level of access, business criticality, and fourth-party exposure) and on compliance requirements, so that a critical vendor is reviewed more often than a low-risk one, and so that a change in a vendor's role triggers a reassessment rather than waiting for the next scheduled cycle.
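To make the three steps above concrete, here is an added example (not Fastrics' own tooling or methodology) of how a vendor inventory can be scored for inherent risk, bucketed into tiers, checked against the assurance evidence each tier requires, and flagged when a reassessment is overdue. The weights, tier cut-offs, cadences and evidence mappings are assumed policy values for illustration, not an industry standard, and the vendor records are constructed.

```python
"""Vendor inherent-risk tiering and reassessment scheduling.

Added illustration; weights, tier cut-offs, cadences and evidence
requirements below are assumed policy values, not a standard.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional, Set, Tuple

# Reassessment cadence per tier, in days (assumed policy values).
TIER_CADENCE_DAYS = {"critical": 90, "high": 180, "medium": 365, "low": 730}

# Minimum assurance evidence accepted per tier (assumed policy values).
TIER_EVIDENCE = {
    "critical": {"SOC2-TypeII", "ISO27001+SoA"},
    "high": {"SOC2-TypeII", "ISO27001+SoA"},
    "medium": {"SOC2-TypeII", "SOC2-TypeI", "ISO27001+SoA", "SIG-Core"},
    "low": {"SOC2-TypeII", "SOC2-TypeI", "ISO27001+SoA", "SIG-Core", "SIG-Lite"},
}


@dataclass
class Vendor:
    name: str
    data_sensitivity: int       # 0 none .. 3 regulated data (PII/PHI/PCI)
    access_level: int           # 0 none .. 3 privileged access to production
    rto_hours: int              # contracted recovery time objective
    fourth_parties: int         # sub-service providers in scope for our data
    evidence: Set[str] = field(default_factory=set)
    last_assessed: Optional[date] = None


def criticality_from_rto(rto_hours: int) -> int:
    """Map the contracted RTO to a 0..3 criticality value (assumed bands)."""
    if rto_hours <= 4:
        return 3
    if rto_hours <= 24:
        return 2
    if rto_hours <= 168:
        return 1
    return 0


def inherent_risk_score(v: Vendor) -> int:
    """Weighted score before any vendor controls are credited (max 27)."""
    return (3 * v.data_sensitivity
            + 3 * v.access_level
            + 2 * criticality_from_rto(v.rto_hours)
            + min(v.fourth_parties, 3))


def risk_tier(v: Vendor) -> str:
    """Bucket the score into the tier that drives cadence and evidence."""
    score = inherent_risk_score(v)
    if score >= 20:
        return "critical"
    if score >= 13:
        return "high"
    if score >= 7:
        return "medium"
    return "low"


def evidence_gap(v: Vendor) -> bool:
    """True when none of the vendor's evidence satisfies its tier."""
    return not (v.evidence & TIER_EVIDENCE[risk_tier(v)])


def next_assessment_due(v: Vendor) -> Optional[date]:
    """Due date derived from the last assessment and the tier cadence."""
    if v.last_assessed is None:
        return None
    return v.last_assessed + timedelta(days=TIER_CADENCE_DAYS[risk_tier(v)])


def review_queue(vendors: List[Vendor], today: date) -> List[Tuple[str, str, List[str]]]:
    """Vendors needing action: never assessed, overdue, or evidence below tier."""
    queue = []
    for v in vendors:
        reasons = []
        due = next_assessment_due(v)
        if due is None:
            reasons.append("never assessed")
        elif due <= today:
            reasons.append(f"overdue since {due.isoformat()}")
        if evidence_gap(v):
            reasons.append(f"evidence below {risk_tier(v)} tier requirement")
        if reasons:
            queue.append((v.name, risk_tier(v), reasons))
    return queue


# Constructed sample inventory (fictional vendors) and review date.
SAMPLE_VENDORS = [
    Vendor("payroll-saas", 3, 2, 24, 4, {"SOC2-TypeII"}, date(2023, 9, 1)),
    Vendor("logistics-broker", 1, 1, 4, 2, {"SIG-Lite"}, date(2023, 1, 15)),
    Vendor("office-catering", 0, 0, 720, 0, set(), date(2023, 6, 1)),
]
REVIEW_DATE = date(2024, 1, 10)

if __name__ == "__main__":
    for name, tier, reasons in review_queue(SAMPLE_VENDORS, REVIEW_DATE):
        print(f"{name:18} {tier:9} {'; '.join(reasons)}")
```

Two design points worth keeping when adapting this: the score is inherent risk only, so a vendor with strong controls still lands in a high tier and simply clears the evidence check more easily, and the queue reports evidence gaps separately from overdue reviews so that a vendor whose SIG Lite no longer matches its tier is surfaced even when its scheduled reassessment is months away.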
If your organization needs support in developing your vendor risk management program, Fastrics is here to help. Stay tuned for a follow-up blog post about how we can help support organizations in their vendor risk management, or contact us directly to discuss further.