How to Streamline Vendor Management Requests

If it seems like your team spends more time every week answering client questions about your information security policies, you’re not alone. Vendor management has become an increasing point of emphasis for companies of all sizes. That means you’re probably allocating more and more resources to filling out forms explaining how you handle data. This trend will only grow, so it’s time to review a few best practices that can streamline your responses so that you can efficiently address your clients’ vendor management concerns and get back to your day job.

Can Your Clients Trust You?

Driven by both legal concerns and worries about data breaches putting them out of business, companies are holding their vendors accountable with SIG questionnaires, SOC 2® certificates, proprietary security questionnaires and more. Companies recognize that their vendors’ risks are their risks, so they’re pushing stringent vendor management requirements all the way down their supply chain. When that initiative comes from a Fortune 500 company or government entity, the ripple effect means that even small companies now face the kind of security reviews that were once common only in larger firms.

Managing all the responses has become a major workflow issue. With every client putting their own slant on a set of core questions, you could easily tie up hours of employee time chasing down answers to the latest question about your security posture.

Big Breaches & Big Customers Fuel the Trend

Vendor management was already a growing point of emphasis before two recent major breaches convinced even late-adopters that their supply chain needed a closer look. The headline-grabbing breaches of SolarWinds in December 2020 and Microsoft Exchange Server in March 2021 proved that even if your vendor is a global tech titan that dwarfs your company, you’re putting your operations into potentially uncertain hands. The Exchange breach alone resulted in compromises of an estimated 60,000 networks in early 2021.

The CMMC standard currently rolling out in every Department of Defense contract will require an estimated 300,000 companies to earn a third-party certification. Some major healthcare companies are now working only with vendors who earn a HITRUST CSF certification.

Many companies establish these requirements to avoid issuing data breach notifications, no matter what happens. These notifications can carry high costs both in raw dollars for the notification and potential fines and in damage to the company’s reputation. As a result, we’re seeing some companies require HIPAA compliance from their vendors, even if those vendors don’t typically handle PHI (Protected Health Information) for the larger company. The companies higher in the supply chain want to ensure that if they inadvertently share data with a partner, the partner has controls in place to prevent the need for a costly breach notification.

Infosecurity In Your Contract

Many contracts now mandate security controls related to vendor management. “Right to audit” clauses are also gaining momentum, which means that a company can audit a vendor’s process if they suspect data is not protected. A failed information security audit could put the vendor in breach of contract.

In HBS’s experience, only about 10% of these “right to audit” clauses are ever exercised. But large companies sometimes use the right to audit as a negotiating tactic. When a contract is up for renewal, the client company may call for an audit, reveal security gaps and seek pricing concessions if the vendor wants to retain the contract.

And keep in mind that if 10% of your, say, 80 clients exercised a right to audit in a given year, you would face eight audits. Some companies are successfully pushing back by getting a third-party certification such as those mentioned below and renegotiating contracts to include the right to audit only if a data breach actually occurs.

How to Streamline the Vendor Management Process

HBS offers several recommendations to help you streamline this process:

• Get a SOC 2® audit. This third-party audit represents a significant investment of both time and resources. (Click here to see how the SOC 2® process works.) But it’s a widely recognized standard that can reduce your compliance responses down to simply providing a copy of your SOC 2® attestation. Another popular framework many companies recognize is ISO 27001. In some industries, you can probably expect increasing pressure to earn certifications specific to your category, such as HITRUST CSF in healthcare or CMMC in the defense industry.
• Pre-fill the Standard Information Gathering (SIG) Questionnaire. Many companies use this document in their vendor reviews. This comprehensive set of questions aligns with well-known frameworks such as HIPAA, NIST, GDPR and PCI. Some clients will even accept it in place of their own custom questionnaire, which could save your team from hours of responding to yet another company’s specific questions. Your completed SIG questionnaire can also serve as a database that your team consults for answers when they’re filling out other requests.
• Create a document outlining your security program and controls. This document is designed to reassure your clients that you know what a mature cybersecurity program looks like and that you have one in place. This document should include enough detail to reassure clients. But since you don’t control the document once you send it off, don’t put any confidential information in this. HBS recommends that you save the table of contents from this document as a separate file. You can satisfy many client requests simply by sending that page that shows that you have key policies in place.

Compliance as a Competitive Advantage

Companies that can efficiently report on their security position often separate themselves from competitors. We’ve seen many clients get their big break when a major new customer calls with a rush job. The vendor that can submit their security reports at the same time as their bid typically wins the job, opening a new relationship with a potentially key client.

If you can produce a validated third-party certification (such as SOC 2®, HITRUST CFS or ISO 27001), you’ll instantly stand out from competitors who can present no more than their own statements about how they’re doing things.

Keep in mind that most companies aren’t looking to drop the contractual hammer on their vendors and cancel contracts. Most companies would prefer to keep working with proven vendors. So simply getting your information security house in order can probably secure your relationship and keep clients from considering other vendors.

If you could use help reducing the workload of responding to clients’ security requests, contact us today.