Critical Vendor Risk Management

When organizations outsource critical functions like technology and security solutions, the question on everyone’s mind is: When does our liability for a data breach end, and my vendor’s begin? The answer is not really simple. In most industries, you can contract away a responsibility or task, but not the liability related to compromised data. If your organization was breached today, whose name is going to be in the news? Who are your customers going to call? Who is going to get fined and possibly sued as a result of the breach? The list of questions goes on. At the end of the day, your organization will suffer the negative publicity, the reputation damage, and financial loss of the attack, even if your vendor actually caused your incident. Then there is the other side of the equation – how do you know that your vendor can truly support your organization, perform the tasks you’ve contracted them for, or cover your losses if the breach is their fault?

Vendor risk management and due diligence is something every organization should perform carefully, and there are a number of unique issues when considering the inherent risks associated with outsourced services.