Studies about vendor risk related to data security always fascinate me, because conceptually those risks are so similar to the vendor risk challenges corporate compliance officers face with anti-corruption — and yet, the practices companies use to manage vendors’ data security risk are so much worse.
For example, the Ponemon Institute publishes an annual report on data security and vendor risk management every autumn, and 2018’s findings (which surveyed more than 1,000 IT executives) were as dismal as ever.
Businesses today have more third parties touching their confidential data than ever before: an average of 583. Fifty-nine percent of respondents said they have experienced a data breach thanks to one of their third parties. Forty-two percent had experienced such a breach within the last 12 months.
Then came statistics about companies’ attempts to manage those data risks, and those numbers are no better. Only 29 percent said their third parties would contact them about a data breach. Fifty-seven percent said they don’t know whether their third parties have proper safeguards to prevent a breach. Heck, only 34 percent said they even know how many third parties they have.
Imagine talking to your audit committee about anti-corruption risk and citing numbers like that. “We know that most companies experience an FCPA lapse through their third parties, and the number of those lapses is rising. But us specifically? We don’t know the compliance posture of our third parties, and we’re not even sure how many high-risk third parties we have.”
A corporate compliance officer working at a large organization today would be lucky to make it out of the boardroom alive if he or she said something like that.
Even worse is that the remedies for those dire numbers about data security aren’t hard to describe. If you don’t know all the third parties your company has, take an inventory of existing third parties and enforce thoughtful policies about hiring new ones. If you don’t know whether third parties have sufficient safeguards for a risk, ask them about it and assess their safeguards. If they don’t tell you about adverse events, adopt contract language forcing disclosure, plus monitoring procedures to make sure they follow through.
Those aren’t new ideas. Corporate compliance officers have understood and been implementing them for years to tame their vendors’ anti-corruption risk.
So why is doing the same for data security risks so hard? What makes this particular vendor risk so tricky?
The Best Practices Struggling to Emerge
The Ponemon Institute also identified several practices that “high performers” employ to manage vendors’ data security risk. Let’s examine three to explore why they’re so difficult for most companies to implement.
Bring Up Vendor Data Security Risk with Your Board
Among high performers, 53 percent discuss the issue regularly with the board of directors. Among the others, the figure is 25 percent.
But hold on; aren’t boards already talking about cyber security all the time? After all, in Protiviti’s annual survey of enterprise risk issues, cyber security ranked fourth out of 30. The survey’s 825 respondents (all C-level executives) rated the risk as “severe.”
Consider, then, whether compliance and IT security executives need to tie questions about vendor risk and cyber security together more closely. Those questions get to the nuance of how data is managed at your company: it’s managed through vendors providing services. If your board previously dismissed that level of detail as too specific for their time, revisit that judgment.
Inventory the Vendors that Have Access to Your Data
Among Ponemon’s high performers, 45 percent did this; among the rest, 22 percent.
An inventory of tech vendors seems daunting because employees can so easily hire one; all they need is a payment card and a few moments searching the Internet. Compliance officers can start by borrowing one trick from the audit and IT functions: turn off access to the data. That move typically gets the users of data squawking; then you can ask them about the vendors they’re using.
Review Third-Party Risk Management Policies
Third, and perhaps most important, review your third-party management policies frequently to ensure they address third-party risk properly. Ponemon found a huge gap here: 65 percent of high performers did this, versus only 17 percent of all others.
Again, however, that point really just says, “Assess your vendor security risks,” and that idea is not new. So what’s the difficulty?
The difficulty may well be determining how frequent “frequently” actually is, because it’s much easier for an employee to fiddle with data management (and therefore change your company’s security risk) than it is for that person to fiddle with other business processes.
For example, if your company wants to change strategy from direct sales to using distributors, that can bring significant new anti-corruption risks – but a company can’t implement that change with a few simple keystrokes. You can assess that change to business process at a more deliberate pace.
Not so with vendors and data security; employees can change that risk with a few keystrokes. So reviewing your policies and procedures may need to happen much more frequently, to keep pace with changing business strategy, technology and regulation.
Those are three best practices for vendors and data security; in due course compliance officers can consider many more. Just like anti-corruption, data security is one vendor issue that’s here to stay.