5 Ways to Get More Value from Third-Party Risk Scores

While cybersecurity scores are an important part of evaluating third-party risk, they only tell part of the story. Here’s what else to look for when it comes to vendor risk monitoring.
Scott Lang
VP, Product Marketing
November 18, 2020

Effective third-party risk management (TPRM) requires not only measuring a vendor’s internal practices and controls, but also understanding how external factors can impact their risk profile. Integrating inside-out assessment with outside-in monitoring enables more holistic and coordinated risk management, and both practices frequently appear as regulatory requirements.

Unfortunately, most monitoring tools solely focus on cybersecurity exposures, only telling part of the story. Below are five additional vendor risk categories to monitor, plus five ways you can use this expanded intelligence to make better risk-based decisions.

5 Vendor Risk Categories to Monitor Beyond Cybersecurity

Expanding the scope of outside-in monitoring begins with acknowledging that vendor intelligence can benefit teams outside of IT security. For example, a fire at a manufacturing plant, a visit from OSHA, bad financial results, or an SEC investigation are red flags that can influence procurement decisions. This type of intelligence is typically not available in cyber monitoring tools. Given that, here are five categories of vendor risk to consider in addition to cybersecurity exposures:

1. Operational Risks

Operational risks can arise from leadership changes or mergers and acquisitions that alter a business’ strategic focus. Partnerships and OEM relationships may provide early warnings of price changes or a shift in marketing strategy, and natural disasters or health crises can significantly affect operations.

2. Brand Risks

These occur when a vendor is required to recall products, suffers a data breach, or experiences another incident resulting in negative PR or adverse media coverage. These events can also result in financial penalties and remediation efforts that can affect the vendor’s ability to deliver their products and services.

3. Regulatory, Sanctions and Legal Risks

Class action lawsuits, international sanctions (e.g., OFAC, EU, UN, BOE, FBI, BIS), and court filings from the FDA, FSA, SEC and other regulators can substantially delay the delivery of third-party products and services. They may also signal the need for actions to protect your business from white-collar crime, money laundering, and reputational damage.

4. Financial Risks

Financial events such as bankruptcy proceedings, customer losses, missed earnings, and any of the previously discussed areas can lead to vendor restructuring and service disruptions.

5. Politically Exposed Persons (PEPs)

Corruption and bribery risks are often overlooked in third-party evaluations. It can be damaging for your company to be connected with PEPs, their families and associations, so it’s important to gain visibility into this vulnerability.

These risks make it essential to monitor for business and financial events that can impact the supply chain. However, it can be complex and time-consuming to get useful data—especially when you’re relying on RSS feeds, stale credit reports, and disparate news websites. Prevalent Vendor Threat Monitor (VTM) can help.

Prevalent VTM continuously tracks and analyzes external threats to your third parties. The solution not only monitors the Internet and dark web for cyber threats and vulnerabilities, but also combs over 530,000 sources of business and financial intelligence on your vendors. These insights enable you to supplement and validate internal assessment responses for a 360-degree view of third-party security and compliance.

5 Ways to Benefit from Expanded Vendor Risk Intelligence

Here are five ways that risk managers, security practitioners, and procurement specialists can gain value from a more complete approach to vendor risk monitoring.

1. Validate Controls-based Assessments

A common use case for vendor monitoring is to validate the results of internal controls assessments with intelligence from externally observable events. For example, if a vendor appears on a regulatory watch list, you can correlate that event with their assessment answer regarding that specific regulation. This enables you to better anticipate risk and maintain a more proactive defense.

2. Supplement Point-in-Time Assessments

Vendor organizations are not static. They experience personnel changes and implement new policies and procedures. Continuous cyber, business and financial monitoring can provide visibility into material risk changes between internal assessments, which are often conducted on an annual basis. Monitoring intelligence can also trigger supplemental assessments to address immediate risks that emerge in the interim.

3. Procurement and RFP Pre-Contract Analysis

Monitoring provides information on historical data breaches, current external cybersecurity hygiene, business stability, financial and credit ratings, executive changes, acquisitions, and major lawsuits for procurement teams looking to source low-risk alternatives for their organizations.

4. Mergers and Acquisitions Due Diligence

As with pre-contract analysis, continuous monitoring can signal the business health of an acquisition or partnership target. This intelligence can include financial events and reports, regulatory actions, compliance violations, breaches, leadership changes, and events impacting brand reputation.

5. Internal Assessments

Monitoring can be used for internal operations in addition to external organizations. Monitoring internal business units or other business divisions can deliver early warnings based on cyber chatter, PEPs or other risks in the public domain.

Vendor risk assessments provide valuable information on internal security and compliance controls. Continuous monitoring further reduces risk by gathering information from thousands of external sources and applying machine learning to reveal risk trends and anomalies. By uniting cyber, business and financial monitoring intelligence with assessment results, you can proactively manage your third-party risk surface and get “more than a score” from your vendor risk management solution.

Part of the Prevalent Third-Party Risk Management Platform, Vendor Threat Monitor is integrated with Vendor Risk Assessment. All monitoring and assessment data are centralized in a unified risk register for each vendor, enabling you to quickly correlate findings and streamline your risk review, reporting and response initiatives.

Take the Next Step

For more on how you can maximize the value of your continuous monitoring intelligence, download the executive brief, How to Get More from Third-Party Risk Scores, or request a demo today.

Scott Lang
VP, Product Marketing

Scott Lang has 25 years of experience in security, currently guiding the product marketing strategy for Prevalent’s third-party risk management solutions where he is responsible for product content, launches, messaging and enablement. Prior to joining Prevalent, Scott was senior director of product marketing at privileged access management leader BeyondTrust, and before that director of security solution marketing at Dell, formerly Quest Software.
