What’s Ahead in Vendor Assessments?

Rapidly changing information security threats and regulatory requirements continue to put pressure on vendor risk management programs and capabilities for all organizations globally.  We anticipate that the number and comprehensiveness of vendor assessments required of, and conducted by, organizations will continue to substantially increase in 2018 and into 2019 before the requests begin to level off. We believe this to be especially acute for organizations that are sharing or processing sensitive data.  It is difficult to provide an estimate of what specific percentage increases to expect as vendors have varying ability to provide clients with acceptable control effectiveness information or to push back on unreasonable client requests.  With that said, we believe we can safely estimate the growth of the number and comprehensiveness of requests to increase 30% to 45% in 2018 with a slightly lower level of growth in 2019 (25% to 40%).  We expect that vendor requests will begin to level off in 2020.

Several key factors drive the increases:

• Regulators have increased scrutiny and critiques of vendor management programs in financial institutions (FI), which are working to make their third-party risk management (TPRM) programs more comprehensive to satisfy regulators, which in turn will impact the level of information they require from their vendors. Regulations including the General Data Protection Regulation (GDPR), as well as local and regional privacy laws, industry initiatives (e.g., FFIEC, SEC, HIPAA) and consumer pressure in reaction to data breaches (e.g. those at Target and Equifax) are all impacting the increased focus on companies’ information security and vendor management programs.  Specific to GDPR, we are seeing many companies still maturing their programs, which may result in a continued vendor impact in 2019.
• Consistent with the previous point, many FIs and other industry entities are redesigning their TPRM programs. The full impact of these redesigns and additional requirements may not be felt until 2019.
• In addition to improving TPRM programs, companies are incorporating strategic sourcing into their planning, looking in particular at tactical reductions in the number of vendors they utilize. As those numbers decrease, our expectation is that requirements for the remaining vendors will increase.
• Vendors are also becoming more efficient. Many vendors struggle with an appropriate client management process and we expect vendors to reduce the level of effort to communicate their security control posture as they drive more standardization in the information they share with customers. This will be complemented by more specificity of contract terms which will clarify expectations of reporting and disclosure. Given more efficient contract cycles and timelines, some of this positive impact should be felt in 2019, and more so will be noticeable in 2020.
• The Association of International Certified Professional Accountants (AICPA) introduced a series of Service Organization Control (SOC) 2 reports, with reporting on governance, operational and information technology general controls. Additionally, the AICPA’s Statement on Standards for Attestation Engagements (SSAE) 18 standard has more specifics about a company’s TPRM control requirements and transparency in risk among fourth parties (e.g., subservice providers).

We have seen that our FI clients request information in a variety of content and formats.  To meet that need, a consortium of leading financial services companies including American Express, Bank of America, JPMorgan Chase and Wells Fargo, founded TruSight. TruSight’s role is to perform standardized vendor assessments and to store that information on a secured platform, which FI partners can then access.  The intent is to drive standardization, increase reliance and reduce the vendor’s level of effort.

A significant amount of work must be done to obtain agreement on the appropriate standardization that would apply across a variety of FIs, however. It could be some time before benefits of the standardization are realized as this effort is identical to the intent of the Santa Fe Group’s Standardized Information Gathering (SIG) and Shared Assessments Agreed Upon Procedures (AUP) – an effort that began with the same supporting firms in the late 1990’s.

Protiviti’s fourth annual Vendor Risk Management Survey, released in late 2017, offers insights into organizations’ vendor risk management maturity levels, including the following:

• Vendor risk management is improving: More organizations are recognizing the importance of vendor risk management during a time when the external risk environment is changing quickly.
• Boards have their sights set on cybersecurity: Board-level engagement with cybersecurity risks improved significantly according to last year’s survey. However, there continues to be an “engagement gap” in that boards remain more engaged with the organization’s internal cybersecurity risks than the cybersecurity risks to vendors. Organizations with less engaged boards report significantly lower levels of third party risk management practice maturity.
• “De-risking” vendors is on the rise –A majority of organizations expect to exit or change relationships with vendors due to heightened risk levels. Insurance companies, including healthcare payers, appear much more likely to make these de-risking moves in the coming year, with fourth party risk, cost concerns and a lack of internal expertise to evaluate vendor controls cited as the primary reasons.

A webinar detailing the 2017 Vendor Risk Management Survey can be accessed here.