COVID-19 has introduced many challenges to personal and professional lives. While we continue to adapt, we must remember to continue to perform sound security and privacy practices, including when it comes to vendor management. We look to vendors as trusted partners for many aspects of our supply chain, and when it comes to health care, this can be anything from personal protective equipment (PPE) such as masks or hosting of an electronic medical record (EMR) system that helps to track patient care. In any scenario, it is important to have full insight into your business partners at all times.
The 2020 Prevalent-Shared Assessments Third-Party Risk Management Study states that there are real consequences when third party risk management is not done correctly and that when asked if any incidents were experienced within the past two years that originated with a third party, 76% of the respondents said they experienced one or more issue that impacted vendor performance, followed by operational issues (74%), with 55% indicating compliance violations”. The report continues by showing that the top incidents that involved third parties were cyber data breaches, compliance, legal and ethical violations, vendor performance issues, and operational issues. These incidents can result in loss of productivity, monetary damages, and even reputational damage(1).
Whether your organization has to take on new vendors to help provide the needed supplies or services required, such as how hospitals are attempting to increase their capacity as required to handle the increase in patients, or you are continuing to work with the vendors with which you have already established a relationship, here are a few (of the many) key items to keep in mind:
- What lies behind all vendor management is ensuring the continued confidentiality, integrity, and/or availability of services and data.
- The Board of Directors and/or executive leadership need to recognize the potential vulnerabilities introduced by vendors and how your organization is going to manage them (think avoid, accept, transfer, or mitigate). Once this governance is understood, the organization has to work together to understand the criticality of the given vendor and what a disruption in the offering may mean to your organization.
- Ensure that you have a documented risk management and governance program (policy and procedures). Whether the policies and procedures are newly implemented or already established, make sure they are reviewed and updated based on best practices and lessons learned. This will ensure consistency in expectations and requirements across different risk ranked vendors.
- Incident response scenario testing is critical; without the practice, the actual response when something truly happens is hard to pull off, as we are seeing during this virus outbreak.
- Organizations should consider internal and external personnel, products, and supplier ‘backups’ if an individual (such as a subject matter expert) or company becomes unavailable.
- Vendor risk assessments are key as they allow organizations to know their risks with every vendor relationship and enable proper due diligence requirements accordingly. Risk assessments need to be documented and continuously up-to-date, especially as it applies to applicable laws, regulations, and standards (i.e., HIPAA, HITRUST, GDPR, NY DFS, NY SHIELD Act, etc.). If having an assessment or audit performed, some of the key items that need to be part of the assessment/audit are documented reporting, including mitigation and remediation on the most critical risks, a vendor inventory, and a repository of completed vendor assessments1. Managing risk is just as important as managing compliance; unfortunately, sometimes it takes an event like COVID-19 to help point that out.
- Organizations must ensure that they have the ability to collect assurance documentation (such as a SOC 1 or SOC 2 report) and/or have the ‘right to audit’ the third party within contracts. This, along with tracking service level agreement requirements, will help you perform ongoing due diligence. It is critical to have a central system for storing, managing, and reporting on vendor-related information and documentation.
- As more individuals at your vendors work from home/remotely, you should ensure that key security controls are in place to avoid further vulnerability, especially when handling sensitive information, such as personally identifiable information (PII) or protected health information (PHI). Organizations need to understand how the network and user environments are secured (i.e., multi-factor, encrypted devices, multi-factor access, secure virtual private network (VPN) access, etc.).
Risk management and governance require great attention throughout the entire third-party relationship; do it thoroughly but efficiently. Need assistance? We are ready to help.
The information and advice we are providing for this matter relates to COVID-19 legislative relief measures. Because legislative efforts are still ongoing, we expect that there may be additional guidance and clarification from regulators that could modify some of the advice and information provided to you, after the conclusion of our engagement. We, therefore, make no warranties, expressed or implied, on the services provided hereunder.