Analyst Insight: The Gartner® Market Guide for IT Vendor Risk Management Solutions
Understanding the impact of industry and government regulations on your supply chain is essential for reducing risk to your business and providing assurance to your customers. This article unpacks several compliance requirements to consider addressing as part of your broader supplier risk management program.
While companies have been subject to information security and data privacy regulations for years, several mandates have recently evolved to increase their focus on supplier relationships. At the same time, we’re now seeing the introduction of ESG compliance requirements with significant implications for supply chains. In this post, we cover:
The regulatory environment is constantly evolving, so we can’t provide an exhaustive list of all requirements that apply to supply chains. However, we will outline major compliance categories and share specific examples of regulations that may factor into your SRM program.
At Prevalent, we define a supplier as a third party that provides your organization with physical goods such as raw materials and other related components of supply chains. Conversely, we define a vendor as a third-party that delivers logical goods or services, such as software from a SaaS company, IT service provider, or other IT-related organization. While this post focuses on suppliers, much of the information can also be applied to your third-party vendor risk management program.
There are three principal types of compliance requirements that apply to third-party suppliers:
It’s no secret that information security compliance is a core consideration when working with software companies, SaaS service providers and other IT vendors. However, it’s critical to ensure that your non-IT suppliers also incorporate information security standards into their business practices.
Any supplier can pose data breach risks if they have access to your organization’s sensitive information, systems or facilities. Consider the following examples:
Environmental, social and governance (ESG) practices in the supply chain are increasingly important to many organizations, particularly those based in developed nations. Several countries are in the process of establishing regulations that call for organizations to proactively conduct ESG due diligence throughout their supply chains. Examples of ESG issues impacting supply chains include:
Data privacy is also a significant concern when working with suppliers. Regulations such as the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and the New York SHIELD Act set standards for how consumer data can be acquired, processed and shared. Supplier data privacy concerns can arise from situations like:
Discover Best Practices for Supply Chain Resilience
Expand your knowledge of supplier risks and get prescriptive guidance for maturing your supplier risk management program.
Even suppliers outside of the IT industry may have access to PII, PHI, intellectual property, or other sensitive information that could pose compliance risks for your organization. Here are a few major information security requirements to consider when working with suppliers:
The Health Insurance Portability and Accountability Act (HIPAA) requires organizations to implement information security controls that secure patients’ protected health information (PHI). HIPAA requirements govern several types of organizations including healthcare providers, health plan providers, and healthcare clearinghouses.
Under the HIPAA Business Associate Rule, third-party vendors and suppliers that store or process PHI also fall under HIPAA oversight. While HIPAA business associates tend to be IT vendors, this isn't always the case. Business associates can also include suppliers such as:
HIPAA’s Business Associate Rule applies to any third party that stores or processes PHI. According to the Department of Health and Human Services, a business associate is “a person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provides services to, a covered entity.”
HIPAA penalties vary depending on the severity of the violation, and there are four tiers to the financial penalty structure: No Knowledge, Reasonable Cause, Willful Neglect (corrective action taken), and Willful Neglect (no corrective action taken). Fines are adjusted for inflation and currently max out at close to $2 million per violation. In the case of PHI theft, there are also criminal penalties of up to 10 years in jail.
The Cybersecurity Maturity Model Certification (CMMC) is a framework created by the U.S. Department of Defense (DoD) that is designed to improve the security of its supply chain, known as the Defense Industrial Base (DIB).
Under CMMC 2.0, organizations seeking to work with the Department of Defense will be required to meet certain information security standards and be certified against one of three CMMC levels, depending on the type of data they handle and the scope of their access to classified information:
The CMMC will apply to all DoD prime contractors, subcontractors, and any supplier in the DoD supply chain. The DoD anticipates that over 300,000 organization will be impacted by CMMC regulations.
The CMMC is scheduled to be enacted in May 2023, when the DoD is set to release its Interim Rule on the framework. CMMC requirements will then be incorporated into DoD contracts starting in July 2023, or 60 days after the Interim Rule is published.
Organizations that fail to comply with CMMC can lose the ability to bid on contracts with the U.S. Department of Defense.
The National Institute of Standards and Technology (NIST) publishes cybersecurity frameworks containing best practices for building effective information security programs. All U.S. federal agencies, as well as contractors and subcontractors that work with federal agencies, are required to comply with NIST security mandates.
NIST documents are not legally binding requirements, but several regulations are based on NIST controls and standards – and many public and private organizations require third-party certifications based on NIST guidance. Several NIST special publications outline controls that require organizations to establish and implement the processes to identify, assess and manage supply chain risk. These include:
Broadly speaking, NIST requirements related to third-party suppliers include:
NIST is not a regulatory body and there are no direct legal penalties for failing to comply with NIST standards, unless they are incorporated into a regulatory requirement that applies directly to your organization. For instance, HIPAA-regulated organizations use NIST SP 800-66 to enable compliance with the HIPAA Security Rule.
With that said, keep in mind that your organization will need to comply with NIST standards if it does business with U.S. government agencies. Whether or not your company is directly subject to NIST, failing to meet NIST standards regarding third-party suppliers can expose your organization to unnecessary risk and jeopardize your customer relationships.
Navigate the TPRM Compliance Landscape
The Third-Party Risk Management Compliance Handbook reveals TPRM requirements in key regulations and industry frameworks, so you can achieve compliance while mitigating vendor risk.
Regulations designed to address environmental, social and governance (ESG) concerns are increasingly requiring organizations to proactively identify and address ESG issues in their extended supply chains.
Early ESG regulations such as the UK Modern Slavery Act and the California Transparency in Supply Chains Act (CTSCA) largely required organizations to report on their efforts to mitigate unethical practices in their supply chains. However, newer, more stringent ESG regulations require actions such as conducting routine audits of supplier ESG practices, ending contracts with unethical suppliers, and proactively monitoring supply chains for potential ESG risks.
ESG compliance requirements fall into two main categories:
Existing and upcoming ESG regulations to consider for your supplier risk management program include the Canadian Fighting Against Forced Labour and Child Labour in Supply Chains Act, the UK Modern Slavery Act, the German Supply Chain Due Diligence Act, and the EU Corporate Sustainability Diligence Directive.
The Fighting Against Forced Labour and Child Labour in Supply Chains Act, also known as S-211, is a law that requires Canadian government institutions and select private sector entities to, “report on the measures taken to prevent and reduce the risk that forced labour or child labour is used by them or in their supply chains.” The Act also provides for an inspection regime to enforce its provisions. As with the UK Modern Slavery Act, Australia Slavery Act, and similar laws, the Act aims to contribute to the global fight against forced labour, child labour and other forms of modern slavery.
All Canadian government organizations that produce, purchase or distribute goods in Canada must comply with the Act. In addition, commercial entities must comply if they are either a) listed on a stock exchange in Canada, or b) do business in and have assets in Canada that are at least $20 million, generate at least $40 million in revenue, and employ an average of at least 250 employees.
If an organization fails to comply with the Act’s provisions, it could be liable for a fine of not more than $250,000.
The Modern Slavery Act of 2015 is a UK law that requires organizations to publicly communicate their practices to ensure that forced labor, human trafficking, and other forms of involuntary servitude are not taking place in their businesses or supply chains.
The "Transparency in Supply Chains" section of the Act (Part 6, Section 54) defines what information organizations are required to disclose, including:
The UK Modern Slavery Act applies to organizations operating in the UK that have annual sales of £36 million+.
The current version of the UK Modern Slavery Act does not impose penalties for non-compliance. In fact, you can satisfy the current reporting requirement by simply publishing a statement indicating that your organization has not taken any steps to address human trafficking in its supply chain. Given that, the Queen’s Speech 2022 announced a new Modern Slavery Bill, which would impose civil penalties on organizations for non-compliance.
The German Supply Chain Due Diligence Act requires organizations to proactively detect and eliminate forced labor and modern slavery, employee exposure to hazardous waste, and environmental contamination in supply chains.
Covered companies must update their processes for supply chain due diligence and align their activities with the Act's provisions, which cover the following areas:
Companies that operate in Germany and have more than 3,000 employees will be subject to the German Supply Chain Due Diligence Act starting on January 1, 2023.
Penalties for violating the German Supply Chain Due Diligence Act include fines of up to €8 million for organizations with under €400 million in annual revenue and up to 2% of annual revenue for organizations with over €400 million in revenues.
A proposal for a Directive on corporate sustainability due diligence is currently working its way through the EU parliament. The Directive would enforce a “due diligence duty” whereby organizations would be responsible for “identifying, bringing to an end, preventing, mitigating and accounting for negative human rights and environmental impacts in the company’s own operations, their subsidiaries and their value chains.”
If the law is enacted, organizations will be required to:
If enacted, Corporate Sustainability Due Diligence Directive rules would apply to any company that falls into one of the following categories:
Note that the Directive is still in draft, so the final legislation will likely include changes in application and/or scope.
As currently written, the Directive indicates that EU member states would set their own fines and penalties for non-compliance. It also allows civil lawsuits to be brought against companies that violate the rules of the Directive.
Third-Party Vendors, Suppliers & ESG: You’re Only as Good as the Company You Keep
Join Bob Wilkinson, CEO of Cyber Marathon Solutions and former CEO of the Shared Assessments Program, for a webinar designed to help you get a handle on ESG throughout your supply chain.
Data privacy requirements are another major area of concern for organizations that work with third-party suppliers. Regulations such as GDPR and CCPA place strict limitations on how personal data can be shared, stored and processed between companies and impose significant fines for compliance violations.
The General Data Protection Regulation (GDPR) is a privacy law that governs the use, movement, and protection of data collected on European Union (EU) citizens. The GDPR applies to any organization that collects, stores, processes or transfers personal data on individuals in Europe, regardless of the organization’s location.
Because third parties are often responsible for managing personal data on behalf of their customers, organizations must ensure that their suppliers and vendors have data protection controls and governance in place. This involves conducting data privacy controls assessments; analyzing the results for potential risks; and requiring third parties to remediate risks to avoid regulatory, financial and reputational exposures.
In fact, organizations are required by the GDPR to conduct risk assessments to identify privacy risks – both internally and at third parties that handle, process or store personal data on behalf of the organization. Recital 76 – Risk Assessment states that, “Risk should be evaluated on the basis of an objective assessment, by which it is established whether data processing operations involve a risk or a high risk.”
The GDPR applies to any organization that stores or processes data belonging to residents of the European Union.
GDPR penalties can reach up to €20 million or 4% of the violating organization’s annual turnover from the previous year, whichever is higher. The top 3 largest GDPR fines to date are Amazon (€746 million), WhatsApp (€225 million) and Google Ireland (€90 million).
The California Consumer Privacy Act regulates business’ collection and sale of consumer data to protect California residents’ sensitive personal information and provide consumers with control over how that information is used.
The CCPA applies to consumer data collected from any resident of California - whether by a company headquartered there or just doing business there. Organizations need to monitor suppliers with access to data belonging to residents of California and implement proactive measures to ensure that data subject to the CCPA is handled properly.
The CCPA applies to any for-profit business that does business in California and meets one of the following criteria:
Currently, companies can be fined up to $2,500 for each unintended violation of CCPA provisions or $7,500 for each willful violation. The CCPA will be updated in 2023 with greater enforcement penalties through the California Privacy Rights Act.
Build a More Proactive Supplier Risk Management Program
Our best practices guide delivers a prescriptive outline for staying on top of supplier risk from onboarding to offboarding.
Measuring key performance indicators (KPIs) and key risk indicators (KRIs) is essential to effective supplier compliance reporting and your broader third-party monitoring approach. Here are four supplier compliance KPIs and KRIs to get you started:
Today’s third-party risk environment is complex and constantly evolving. Your supplier risk management program should therefore be able to not only meet regulatory compliance requirements, but also ensure business resilience throughout your supply chain.
With Prevalent’s supplier risk management solution, you can automate your supplier risk assessment, monitoring, analytics and reporting activities with a single, unified platform. At the same time, you get built-in coverage for dozens of compliance regulations and best-practice frameworks. See if Prevalent is a fit for you by requesting a demo now.
Enhanced cybersecurity supply chain risk management guidance is coming in NIST CSF 2.0. Check out the...
09/12/2023
Leverage this guidance to align your TPRM program with the NIST AI RMF to better govern...
08/30/2023
Prepare for the updated SEC requirements by asking your vendors and suppliers about their cybersecurity risk...
08/01/2023