5 Steps to Navigating Third-Party Vendor Relationships
Every week, there seems to be yet another data breach occupying news headlines. With thousands of companies and millions of employees amassing and exchanging data, there is always room for risk—and there is something to learn from each breach story.
Recently, on an episode of Off the Books podcast, I discussed a particularly oddball data security snafu suffered by video game behemoth Nintendo. A security breach of a former third-party vendor led to the leak of valuable intellectual property. (Although that episode was recorded a few weeks back, another more recent Nintendo data leak could point toward the same lessons.)
We got into curating successful relationships with outside vendors, finding the right vendors for your organisation, operations maintenance, terminating obligations—we covered it all.
Check out the five main steps I outlined in the podcast, and learn how to keep your data safe.
1. Planning and researching potential vendors
Before even finding a vendor, you need to know exactly what tasks you want to outsource. Sounds obvious, but having exact wants and requirements will ensure that your research is timely and accurate.
With that shortlist of potential vendors in hand, research them, research them, and then research them again. You don’t want any of your valuable data in the wrong hands.
I suggest combing through any available financial records to confirm that the company is financially stable. This research can also uncover any past issues the vendor may have had concerning security, previous partnerships, stakeholders or anything else relevant to your decision.
2. Do your due diligence
Now that you've found one, what are you doing to review that third party and ensure their qualifications? What risks are being raised by a partnership with this vendor?
This can be done through audit and assessment, either a self-assessment or one performed by an external auditor. One example is a Service and Organisation Controls report, also known as a SOC 2. These assessments are performed by an outside party to evaluate the effectiveness of the controls an organisation has in place regarding security, availability, confidentiality and process integrity.
SOC 2 reports are produced annually, so they give you continuous monitoring and validation throughout your relationship with a third party.
Another useful exercise in this scenario is the use of a risk assessment matrix. This tool can help your organisation identify and prioritise different risks, by estimating the probability of the risk occurring and how severe the impact would be if it were to happen.
3. Write the perfect contract and execute it
Figure out who is going to do what, and make sure the parties involved are able to deliver on it.
A few provisions you may need to consider include the following:
- Controlling how much data, and what kind of data, a third party uses and has access to
- Limiting your company’s liability
- Defining how disputes about performance will be resolved
- Declaring your right to audit
Our experts suggest always including a Right to Audit clause. Such a provision can give you the right to look into your vendor’s financials, audit operations and IT security.
In many contracts, such a provision is an expected condition. But many companies never exercise it. Especially when working with high-risk vendors, don’t be afraid to use the Right to Audit clause.
4. Monitor the relationship
Once a contract is in place, continuous monitoring of risk and performance is critical to maintaining a healthy third-party relationship.
As issues are identified, they need to be mitigated and escalated to the appropriate decision-makers within the organisation. This is where the provisions included in the contract come into play.
5. Responsible contract termination
Termination sounds bad, but it’s not always a negative experience. Contracts end, and if they don’t, they change and are renegotiated over time. As these changes occur, there are risks.
Data needs to be returned to its appropriate owner, and access revoked, when the contract itself terminates. Not doing so leaves data in the hands of a third party and opens the door to data security breaches, such as what happened to Nintendo and its past vendor.
Check out the full podcast episode here to hear my full thoughts on this matter (and my full thoughts on Mario—much more important, honestly).
Nintendo is a registered trademark of Nintendo of America Inc.