Managing vendor and supplier risk during COVID-19

19 May 2020

How well do you understand the resilience and security controls of your key vendors and suppliers?

By now, many organisations have transitioned their systems and workforce to enable remote working, and very likely it has gone smoothly and your people have adapted well. Perhaps you have even considered the impact of the changes on your risk profile and control environment, and raised your people's awareness of the increased malicious cyber activity and phishing scams seen during the pandemic.

With this massive transition agenda to keep your business operating in the new COVID world, perhaps the last thing on your mind is the impact on your key vendors and suppliers, their businesses, as well as the security of their technology environments.

In an ideal world, you have an established, regular program of work and a framework whereby you assess the risks pertaining to your key vendors, in particular those that host or manage essential business and IT functions and those that host or process sensitive and critical data. In an even more ideal world, that program was completed just before the COVID crisis.

If not, there are some actions you can take now.

Activities, functions and systems can be outsourced, but responsibility cannot. Regulators, customers and other stakeholders hold organisations accountable for keeping personal and sensitive data safe, regardless of where, or by whom, the data is held or processed.

Step 1: Undertake a vendor and supplier audit

Start with an inventory of your suppliers and vendors; understand where they are and what service they provide to you.

A key part of business continuity planning is determining the ability of your suppliers and vendors to meet their contractual obligations to you during a crisis. Whether you’ve outsourced software, technology or professional services, you must take responsibility for assessing the security, reliability and business resilience of the suppliers and vendors whose support is critical to your business.

Once you have a complete list of suppliers and vendors, categorise them based on the criticality of the service they provide to you as well as the sensitivity of the systems and data they host or process on your behalf. Then it’s time to pay some immediate attention to those who have the potential to adversely impact your business operations, finances, customers, and your reputation.

Step 2: Assess control frameworks and the ability of vendors and suppliers to continue providing support

Now it’s time to establish a plan and framework to evaluate these key suppliers and assess their ability to continue to support you during the crisis, the robustness of their controls framework, and consequently your exposure.

It is important to ensure that there is a relationship between your operational leadership and your suppliers’ leadership to establish personal accountability. Use these relationships to check in regularly.

At a minimum, your supplier assessment framework should consider:

  1. Business viability: Understand the impact the COVID crisis may be having on your vendors' and suppliers' businesses and on their capacity to continue providing the services you require.
  2. Resilience and continuity: How effectively are your vendors and suppliers able to continue operations during the crisis? For cloud-based services, or for suppliers that manage, host or process data and systems on your behalf, consider whether their systems have sufficient redundancy built in and whether they are resilient to potential interruptions. Geographical locations and backup regimes should also be understood.
  3. Cyber and information risk: Just as you would assess your own security capability, privacy considerations, incident response processes and so on, you should also determine the effectiveness of your vendors' and suppliers' arrangements and capability. This may be done directly by your own teams or through a third party.
  4. Managing a remote workforce: Are your vendors' and suppliers' personnel working remotely? Determine what safeguards have been put in place to protect your information, data and systems.

Whilst it is not possible to eliminate all vendor and supplier risks, it is important that you understand your exposure and are comfortable that your vendors and suppliers have an established risk management structure and processes in place to regularly assess and report on the effectiveness of their control environment. It is your responsibility to ensure the safety and integrity of your systems and data and to protect your clients' information. This responsibility extends beyond the current COVID crisis: there is an ongoing need to understand the security and continuity risks posed by your vendor and supplier network, and this evaluation process should be undertaken at least annually.