There are an increasing number of complex relationships between companies and the third parties to whom they outsource services. These can range from outsourcing entire functions, such as tax, legal or IT operations, to relying on a single third party to perform multiple activities, and working with third parties that engage directly with customers.
Given this increase in complexity, when outsourcing a service your business must ensure that third parties have appropriate levels of security in place, particularly if they are handling sensitive information about your company. Failure to do this could result in a cyber-attack via a third party with lower levels of security. This can lead to financial losses and a damaged reputation, as well as possible legal action and regulatory sanctions.
A company’s use of third parties does not diminish the responsibility of its board of directors, senior management or partners to ensure that the outsourced activity is performed in a safe and sound manner and in compliance with applicable laws.
Whether an activity is outsourced or done internally, regulators expect a firm to practise effective risk management. Therefore, you should oversee the third-party relationships that are responsible for critical activities in your company. To do this:
- You must show proper due diligence in selecting a third party: identify the inherent risks of the activity and document how you select, assess and oversee the third party. In practising due diligence, you should consider your own strategies, goals, business experience and reputation, and determine whether the potential financial benefits outweigh the estimated costs of controlling the risks.
- You should also evaluate the third-party’s legal and regulatory compliance program to determine whether it has the necessary licenses to operate and the expertise, processes and controls to enable your company to remain compliant with domestic and international laws and regulations.
- You should also ensure that the third party conducts thorough background checks on its senior management and employees who may have access to critical systems or confidential information.
Having done this, you must develop a plan to manage your relationship with the third party. This plan can outline the strategic purposes of the relationship and assess the complexity of the arrangement by looking at the volume of activity, the potential for subcontractors and the required technology.
This should be accompanied by a written contract that outlines the rights and responsibilities of all parties, as well as clear roles and responsibilities for overseeing and managing the relationship and the risk management process. Ongoing monitoring of the third party’s activities and performance is suggested, so that vulnerabilities in defences can be detected and reported. Furthermore, your company can organise training sessions for your third party on protecting data. To ensure that your company’s processes align with its strategy, it is recommended that independent reviews are carried out.
The compliance risks around vendor risk management concern mainly the threat of a cyber-attack via a third party, for which your company can be held responsible. Compliance risks have become more prevalent with the growing complexity of new third-party relationships. To mitigate this, you must practise due diligence before entering a relationship with a third party. You should look at their own security practices and provide training where you think it might be appropriate. Once an agreement has been made between your company and a third party, monitoring and reporting exercises are encouraged, to ensure that new vulnerabilities and risks can be addressed.