Vendor Risk and Your Reputation

Recent news about Facebook and user data highlights the need to understand how your organization’s confidential data is protected. As if we needed another reminder! Sure, it’s a big, extreme and public example most of us cannot relate to. Splashy news stories are an opportunity for you to think about your own organization’s risk exposure related to data protection, without the splashy headlines.


These days, many businesses outsource services to third party vendors. Those vendors could have access to or be responsible for your organization’s confidential data. How can you make sure that those vendors are protecting your data as well as, if not better, than you would? How do you prevent your organization from being the victim of a data breach and avoid the negative on your reputation and operations?


Organizations should, at minimum, take three simple steps to protect their data and reputation from vendor risk:


  1. Written Agreement

Data protection responsibilities and expectations must be clearly delineated in a written agreement signed by both parties. Sufficient details should be included to clearly describe what controls and precautions are in place, who is responsible, how controls and precautions are validated, and when validations are performed. The agreement should also address the assumptions and performance expectations for your operations and controls.


  1. Vendor Monitoring

Use the data protection responsibilities and expectations in the written agreement to determine the vendor activities for you to monitor. Monitoring can take many forms, such as system or management reports and performance test results. Don’t hesitate to ask the vendor for documented evidence. Taking the vendor’s word without proof can backfire later.


  1. Hold Up your End

Vendors with access to or responsibility for your confidential data are depending on your organization and your workers to fulfill certain responsibilities. If a data breach or other performance issue occurs and you have not held up your end, the vendor could escape taking the appropriate responsibility – or liability. Remember, outsourcing doesn’t mean a total hand-off.


Data breaches, splashy headline or not, can be expensive and damaging to your organization. A vendor you depended on could be the cause. Outsourcing can be great but it comes with risks. Protect your organization’s reputation by managing vendor risk using the three simple steps above.