Due Diligence and Ongoing Monitoring

  • 1.  Opting out of Due Diligence

    This message was posted by a user wishing to remain anonymous
    Posted 06-02-2022 04:31 PM

    Hi all.  I'm part of a third-party risk assessment team at a large US firm.  I was wondering if anyone who has a similar function and has designed processes and procedures has any insight into selecting criteria that would indicate opting out of completing a security review of a supplier.  Some of the cases we have discussed would be extremely low volume (if you have something similar and are willing to share criteria, that would be appreciated), "retainer" type engagements, etc.

    I would also like to know whether, in your initial triage, when determining inherent risk, you quantify the "number of records" and what method you use (ranges?).  Some engagements are very difficult to quantify, such as consulting and implementation partners.  Do you see value in quantifying in this manner?


  • 2.  RE: Opting out of Due Diligence

    Posted 06-07-2022 09:59 AM

    When it comes to your organization's due diligence requirements, it should come down to two things: risk and risk tolerance. First, your standardized inherent risk assessment is the best way to determine the types and amounts of risk in any vendor engagement. Due diligence requirements should be proportionate to the amount of risk present. The higher the risk, the more robust your due diligence must be. Consistency of process is a hallmark of effective vendor risk management programs.

    Generally speaking, a security review is recommended when there is information security or privacy risk for your organization or its customers. I do not recommend using the number of records as a deciding factor, for two reasons. First, it is hard to determine the actual number of records. Second, from a regulatory standpoint, organizations must protect their customers' data, whether that amounts to a single record or a million.

    So here is where risk appetite comes into play. Your organization may determine that the benefits of a vendor engagement outweigh its risk. But that decision shouldn't be made lightly. For example, a study by the Ponemon Institute shows the average data breach cost in 2021 was $4.24 million, a 10% rise from 2020. That is considering that the cost per record is approximately $180. So assume you have 10,000 records that are compromised (a low number by today's standards). That is at least $1,800,000 in expenses. And there are long-tail implications for any data breach, including remediation expenses, reputational damage, lost customers, and even regulatory fines. According to Ponemon, data breach costs accrue over several years. The Cost of a Data Breach study found that, on average, 53% of data breach costs were incurred in the first year, 31% in the second year, and 16% more than two years after the event. Perhaps the potential impacts are acceptable for your organization, and you structure your due diligence accordingly. That is entirely up to your organization.

    I know that was a pretty long answer. However, I hope it helps you and your organization frame the conversation for more thought and discussion. I would love to hear from other members.

  • 3.  RE: Opting out of Due Diligence

    Posted 06-22-2022 10:50 AM
    Thanks for the thoughtful response.  I agree, and I seem to be getting some traction with business partners on the point that volume is not necessarily a deciding factor; the overall risk should be the decision point.