CCPA/CPRA Data Mapping: The Why, What, and How
How often does the word “right” show up in the text of the CCPA/CPRA?Read Now
February 24, 2023
In today’s digital environment, businesses seem to have vendors for everything. How you run your meetings, how you talk to customers, how you communicate internally—practically every aspect of a modern business is supported by third-party vendor. That’s why vendor risk management and third-party risk management (TPRM) is so essential. Research shows that organizations share their data with over 730 different vendors. And often, those vendors share your data with their own vendors.
Okay, vendor risk management is important: what exactly is it, and how can you implement it?
We’re glad you asked.
Often used interchangeably, vendor risk management and third-party risk management (TPRM) are both terms used to describe continuous monitoring and risk mitigation associated with outside people and organizations with which your company does business.
In short: vendors are a subset of third parties. While this may sound confusing, it really boils down to subtle differences.
Outsourcing aspects of your operations to vendors is a necessity in modern business. Vendor risk management is understanding who your vendors are, their privacy practices, and the risks associated with doing business with them. If a breach did occur through one of your vendors, what impact would it have on your business, its operations, and its customers?
There are many types of risks, and your company’s threshold for each type may vary depending on the vendor and its access to your company’s data. For example, a company that handles your organization’s social media is not as big of a risk as a vendor that processes payroll simply because of the types of information they each need to provide service. Some types of risk include:
Without a robust third-party vendor risk management process, a company opens itself up to a host of consequences ranging from regulatory actions to the potential shuttering of the business. In fact, 60% of small businesses that suffer a cyberattack are unable to withstand the impact and end up going out of business within six months, according to the National Cyber Security Alliance.
That’s because of the costs associated with recovery and remediation, reputational damage, or paying cyberattackers’ ransoms. But a major cost associated with data breaches are fines related to the data privacy violations uncovered by a breach.
Today, data privacy is more important than ever. The European Union’s GDPR ushered in a new era of data privacy. Now if businesses want to operate in a given region, they have to comply with the patchwork of U.S. privacy laws, like California’s CPRA, and other international laws, like the Brazilian LGPD or Canada’s PIPEDA.
Because vendor risk is such an real threat to data privacy, many of these consumer data protection laws have requirements for what data can be transferred to vendors and what vendors are allowed to do with that data.
When vendors fail to live up to these standards, they increase their (and your) risk for a data breach; when such a breach occurs, it’s often because of negligence in their duty to protect your customers’ data.
Managing and reducing risks—particularly with regard to security and privacy—should be a priority for all companies. Vendors often have access to a lot of your company’s (and, more importantly, your customers’) information.
If a vendor doesn’t follow cybersecurity best practices, their vulnerabilities become your vulnerabilities. The average cost of a data breach in the United States in 2022 was $9.4M ($4.3M global average), according to a report released by IBM. Legal and investigative costs, lost revenue and investment, and negative impacts to a company’s reputation are all other potential costs of a data breach.
Many companies have become targets of cyberattacks. In one recent example, Texas-based SolarWind’s software was hacked without immediate detection. When software updates were sent to their 33,000 customers, the malicious code went with it creating a “backdoor to customer’s information technology systems, which hackers then used to install even more malware that helped them spy on companies and organizations,” Business Insider explained.
This highlights the importance of vendor risk monitoring and management—had more companies identified SolarWinds’s vulnerabilities earlier, they might have gone with another vendor.
Vendor risk management is an ongoing process that, when practiced consistently, can help protect your organization from risks introduced by vendors.
If you’re thinking “That sounds complicated,” that’s because it is—when it’s done manually.
Osano’s Vendor Risk Management solution automates the privacy aspect of vendor risk management by:
This creates a scalable, manageable, and sustainable process that will save your company time, money, and headaches related to vendor risk.
Schedule your free demo today to learn how Osano can help continuously monitor and manage your vendor risk.
The Osano staff is a diverse team of free thinkers who enjoy working as part of a distributed team with the common goal of working to make a more transparent internet. Occasionally, the team writes under the pen name of our mascot, “Penny, the Privacy Pro.”