Cybersecurity and Vendor Risk Management

Compliance officers hear that cliche phrase “do more with less” as often as every other executive in Corporate America.

Cybersecurity and vendor risk management, however, really are two birds that can be killed with one stone— and an effective compliance program is the stone.

Consider a recent report from financial regulators that cited vendors to the financial sector as a prime source of cybersecurity risk. Those vendors provide all manner of services to the sector, but regulators don’t have visibility into exactly who those vendors are, and even less ability to evaluate the vendors’ cybersecurity postures.

Meanwhile, as we noted in November, the Securities and Exchange Commission is preparing new guidance to help public companies understand their cybersecurity duties and disclosures under federal securities law. Apparently that guidance will focus on internal procedures to escalate cybersecurity events to senior executives; and on controls to prevent a security lapse from causing some other violation. (Say, insider trading ahead of reporting a breach.)

These two issues — assessing the risks of vendors, and ensuring procedures exist to escalate reports of trouble to the proper senior executives — are two sides of the same coin. Compliance officers have been grappling with them for years in the context of anti-corruption.

Sure, the risk is evolving from intermediaries providing transactions; to vendors providing services. But the basic tools to confront the challenge remain the same: astute risk assessment; policies and procedures; training and internal controls.

For example, compliance officers trying to tame FCPA risk often need to work with procurement, accounting, and business functions. First you try to identify third parties providing help with overseas transactions. Then you assess the risk that they might violate the FCPA, and the risk that your accounting procedures wouldn’t prevent it. Then you build compliance procedures into business operations to prevent those risks.

Managing the cybersecurity risk posed by vendors is, fundamentally, no different. You might work with the IT security team more closely. You might emphasize training more, since insider threats are so high. But the “compliance building blocks” noted above are the same. The compliance officer’s role — working with other departments to help them understand the business risk, and their role in addressing it — is the same, too.

The bad news is that corporations have a long road in front of them. According to a report last September from the Ponemon Institute, 57 percent of companies can’t determine whether a vendor’s safeguards and security policies will actually prevent a breach as promised. Only 17 percent rate their ability to manage third-party risks as highly effective.

The good news (for compliance officers, at least) is that strong vendor risk management is emerging as a business imperative: the better your company is at managing its own vendor risk, the more attractive you become as a vendor to other businesses. And the steps necessary to tame vendor risk are tailor-made for the corporate compliance officer.

String all that together, and compliance officers have an opportunity to participate in risk management and demonstrate how effective compliance brings strategic advantage to the whole enterprise.

That’s killing two birds with one stone, too. Your board will thank you for it.