The Uninvited Guest – Who Has Your Data?

The Uninvited Guest – Who Has Your Data?

Feb 16, 2021 | Supply Chain, Third Party Risk Management

Adjusting Contracts for Vendor Outsourcing

The day of the big event has arrived. Hopefully, all your planning will ensure that everything goes well. And it does, until uninvited guests begin to arrive. It seems that several of your guests decided (without consulting you) to pass your invitation along to a number of folks most of whom you don’t even know.  This has happened to all of us at some point in time.  Not the end of the world, but still embarrassing and frustrating when it occurs.  Unfortunately, there is quite a different impact when you replace “guests” with “vendors” and “uninvited guests” with “vendor subcontractors” (the now infamous fourth party). Now embarrassment turns into an unknown level of risk to your company’s revenue and reputation.

The simple truth is that it is highly likely your vendors will outsource an activity that includes your data and/or access to your systems. Knowing this will occur, how do you identify and manage the risk uninvited service providers present? Well, it starts with your vendor contract and requiring your vendors to have robust TPRM programs.

Among the many provisions being added to vendor contracts are expansive provisions related to vendor outsourcing.  These new provisions go beyond attempts to prevent subcontracting and instead focus on managing it by:

  • Requiring disclosure of all critical subcontractors necessary for the vendor to deliver their services to you
  • Requiring vendors to assess all subcontractors prior to providing them with access to your data and/or systems
  • Requiring vendors to maintain and execute a comprehensive TPRM program
  • Imposing responsibility on the vendor for subcontractors’ protection of your data and systems

Including these provisions in your vendor contract allows you to assess the vendor’s outsourcing activity and ensure that security controls and privacy requirements are pushed down to subcontractors.

After expanding fourth party protection in your vendor contracts, it’s time to enhance what’s included in your assessment process including:

  • Evaluation of a vendor’s TPRM program
  • Testing to determine if subcontractors are assessed prior to onboarding
  • Lists of critical subcontractors with data flow and network diagrams (updated periodically)
  • Evaluation of vendor subcontract agreements for key provisions on data protection and privacy requirements
  • Inclusion of key fourth parties in your continuous monitoring activities

 

Use your assessment of these factors to make any adjustments in the vendor’s risk profile, and make sure that information about vendor subcontracting is included in your vendor inventory/risk register.

Want to make sure that there are no uninvited companies in your supply chain? Enhance your contracting and assessment practices to include fourth parties.

To expand your understanding of Nth Parties, review this post Nth Party Risk – 10 Tips for Managing The Unknown or this post about Ethical Sourcing and Nth Party Providers.

Brad Keller

Brad Keller brings 30 years experience in risk management to Shared Assessments where he has led development of both the Vendor Risk Management Maturity Model (VRMMM) and the Certified Third Party Risk Professional (CTPRP) program. With extensive experience in privacy and regulatory compliance, Keller holds a B.S. degree in Finance and J.D. with honors. When Brad is not here, he might be repairing a musical instrument repair, sipping bourbon or hiking in Breckenridge, CO.

View all posts by Brad Keller


Sign up for our Newsletter

Learn about upcoming events, special offers from our partners and more.

Sub Topics

This site uses cookies

Please note that on our website we use cookies necessary for the functioning of our website, cookies that optimize the performance.
To learn more about our cookies, how we use them and their benefits, please read our Cookie Policy and Privacy Policy.