With massive supply chain incidents such as those involving MOVEit, Okta, CrowdStrike, CDK Global/Brookfield and many others, we saw how thousands of the world's largest - and presumably most secure - enterprises were impacted by security gaps that affected hundreds of government agencies, over 19,000 companies and 8.5 million Windows machines, and cost billions of dollars in unbudgeted expenses, from IT teams working around the clock to reset servers to paying exorbitant ransoms for a chance to get back to business.
With the terror attacks in Lebanon and the interdiction of shipping routes in the Red Sea, we have seen the tragic effects of untrusted devices causing injury and death, the risk of environmental and ecological disasters, and even the risk of severe economic hardship for entire countries.
When conducting due diligence on companies, one is always tempted to take a checklist and either present it to vendors or fill it out based on verbal interviews. Unfortunately, considering third-party risk management (TPRM) just a formality can be a fatal mistake. A few of those mistakes include:
- Overreliance on questionnaires - interviews and self-assessments establish very little without supporting certifications and audits.
- Inadequate risk assessment - a rigid questionnaire leads to missed risks and overlooked high-impact threat vectors.
- Failure to align with the scope of the relationship - not all vendors are created equal. Some have deep access to sensitive assets, while others play a lighter, long-term operational role whose main impact is on service quality and reputational integrity.
- Fourth-party risk - today most innovative suppliers tout the benefits of AI services and cloud-based solutions that depend on deep integration with faceless vendors with strong appetites for data. Misunderstanding how accountability, liability and service levels trickle up through that chain can pose a huge risk to organizations.
Above all, the verifiability of vendor claims is the crux of the due diligence process; failing to verify them poses significant risks, including:
- False Security Claims: Vendors may claim compliance with security standards or best practices without implementing them effectively. Without evidence, such as certifications (e.g., ISO 27001, SOC 2), audit reports, or penetration test results, the organization could be misled, leaving security gaps that may be exploited by threat actors.
- Increased Likelihood of Data Breaches: Vendors handling sensitive information, such as customer data, without proper security measures pose a direct risk of data breaches. Failing to verify their security posture with evidence can increase the likelihood of exposure to cybersecurity incidents that could lead to loss of sensitive data and regulatory penalties.
- Regulatory Non-compliance: Many industries, especially those governed by data privacy laws like GDPR, HIPAA, or CCPA, require organizations to ensure their vendors follow stringent security controls. Not requesting evidence during assessments can lead to non-compliance, resulting in hefty fines, legal liabilities, and reputational damage if a vendor fails to meet regulatory requirements.
- Misalignment of Security Practices: Without evidence, you may fail to detect that a vendor’s security practices are not aligned with your organization’s risk tolerance or compliance standards. For example, they may not have sufficient encryption, disaster recovery plans, or incident response capabilities.
- Undetected Fourth-party Risk: Vendors often rely on subcontractors (fourth parties), and failure to ask for evidence regarding the management of those relationships can introduce hidden risks. Without visibility into fourth-party practices, your organization could be exposed to security lapses beyond your vendor’s direct control.
- Inability to Hold Vendors Accountable: Without documented evidence, it’s challenging to enforce security requirements and hold vendors accountable if an incident occurs. Contracts may include security clauses, but without evidence of compliance, it’s difficult to prove negligence or breach of contract in case of a security failure.
To adequately illustrate the impact to management and boards of directors, we need to do at least some of the work of quantifying it, and it may be difficult to know where to begin, even when safety threats and existential risk are not looming. Here are a few suggestions:
- Cost of Data Breaches:
• According to IBM’s Cost of a Data Breach Report 2023, the average global cost of a data breach is $4.45 million. Many of these breaches involve third-party vendors, as 19% of breaches were attributed to third-party suppliers. Not verifying a vendor's security practices could significantly increase the likelihood and cost of such breaches.
• Additionally, companies that do not take adequate measures with their vendors, such as requiring evidence of security controls, tend to have breach costs 15% higher than those that do.
- Regulatory Fines:
• Under GDPR, companies can be fined up to €20 million or 4% of annual global turnover, whichever is higher, for data breaches involving vendor non-compliance. In 2020, British Airways was fined £20 million after a data breach affecting 400,000 customers, partly due to weak third-party risk management.
• The U.S. Health Insurance Portability and Accountability Act (HIPAA) fines for non-compliance can reach $1.5 million per violation, with several healthcare organizations fined heavily for third-party vendor breaches, such as Advocate Health Care’s $5.55 million fine after a breach involving vendor mishandling.
- Reputational Damage and Customer Churn:
• The Ponemon Institute found that following a data breach, organizations can expect a 3% to 4% increase in customer churn, which can result in significant revenue loss, particularly for companies dependent on customer trust (e.g., financial institutions).
• Not verifying a vendor’s security practices and being breached as a result could therefore cost millions annually in lost revenue, beyond direct breach-related costs.
- Operational Costs:
• Failing to verify vendor capabilities often results in longer recovery times after breaches. The IBM Report also states that companies with poorly prepared third-party risk management can take 30 days longer to identify and contain a breach, adding an average of $1 million to the total breach cost.
My suggestion is to start simple. Group your due diligence under the following rubrics:
- Checking Vendor Risk and Compliance Functions - do they have the capacity to supply to a customer of your calibre?
- Availability of External Audit Reports - this is where you want to press for current, legitimate evidence.
- Availability of a Risk Management Program - are their internal policies, incident management and employee awareness up to snuff?
To get the full checklist, go to www.SupplyChainSecurity.ca and help yourself to the downloadable PDF as a starting point for your Supply Chain Risk Management (SCRM) program. Remember to insist on evidence: it may be worth millions in avoided remediation costs, breach response and associated productivity impact!