This message was posted by a user wishing to remain anonymous
Thanks for articulating your question and the criteria.
On your criteria, #2 is the most relevant to criticality. The others deal with the impact of a vendor failure, not its criticality: reputation, replacement, and external examination or notification requirements are part of doing business.
Perhaps thinking in terms of business continuity would provide criticality.
For BC/DR plans, we asked two questions about the availability of our IT operations:
- Until services are restored, can you operate, even if manually?
- If your access to your office is denied (no physical building access), can you continue to operate?
- Are you maintaining processes to have all available resources that are must-haves for your business unit (master case lists, court calendars, etc.) until services are restored (designated persons, call chains, secondary command centers, etc.)?
Now shifting to vendors, I also ask the following to determine criticality:
- What forms of governance and external assessments are readily available and conducted at least annually? Which are available to us?
- Will the vendor modify their contract to provide full cooperation, including evidence gathering, to fulfill formal requests and/or requirements by regulators, third-party assessments and incident-related forensic discovery? Is this standard operating procedure or a one-off negotiation?
- What is the vendor's risk rating based on access (in any form or process) to non-public information?
- Can the vendor operate solely with on-shore (US) personnel, even in terms of their backup, site failover and monitoring?
- Do they have an operating and effective security posture with an underlying program, policies, controls and procedures?
- Do they have 24x7 monitoring, threat analysis, configuration due diligence, data encryption, access controls, awareness training, and software life cycle security?
- What is their history of vulnerabilities, security incidents, data breaches, external penetration testing, time to remediate, and policy reviews?
- Do they guarantee access to our data even if the third party is out of business? Upon termination? During transition to replacement vendor?
Sorry if there are technical concepts mixed in, but with third parties, especially those that deliver services via a Software-as-a-Service (SaaS) model, the ability to be fully transparent to regulators, executives and the board of directors gives a new meaning to criticality and vendor management: close the gaps, or at least identify them, to manage risk.
Original Message:
Sent: 03-01-2024 12:04 PM
From: Anonymous Member
Subject: Critical Vendors
This message was posted by a user wishing to remain anonymous
Can a company have too many critical vendors?
I am new to the company and tasked with building out the vendor and risk management processes. After creating our vendor inventory (274), we have proposed that about 42 should be critical. While presenting on this topic to our Business Analyst group, one of them asked if it was really possible to have 42 critical vendors and, if we did, suggested that maybe our criteria and/or responses were wrong. We are a life insurance company and have included vendors for things ranging from our re-insurer(s) to our firewall provider. These determinations were made by answering the following:
- Is there Day 1 impact to company and/or customer?
- Would there be a negative impact to the company if it took >24 hours to restore services?
- If we needed to contract with a new vendor or bring the activity in house, would it require significant finances, resources or time?
- Would the company be subject to regulatory scrutiny, enforcement actions or fines if this vendor failed to provide products or services?
- Would this vendor's failure cause significant harm to the company's brand or reputation?
Thanks in advance!