The Focus on Continuous Vendor Risk Monitoring
If you’ve attended any seminars or symposiums on Third-Party Vendor Risk Management (TPVRM) over the last year, the phrase continuous monitoring has been regularly cited as an emerging requirement.
Continuous monitoring goes a step beyond the established ongoing monitoring requirements. In part, regulators are looking to see that your vendor review program can identify a concern with a vendor that arises, or becomes known, outside the periodic review cycle. The growth of cybersecurity threats originating in third-party relationships is what is driving the move from ongoing to continuous monitoring.
Ongoing monitoring has been the historic foundation of effective third-party risk management (TPRM) programs. Typically starting when a new vendor is onboarded, and then repeated on a re-review schedule indexed to the risk exposure of the relationship, ongoing monitoring has provided continued visibility into the vendor relationship so that a potential concern can be identified.
Ongoing monitoring of a vendor relationship has included familiarity with the vendor’s business financials, control audits, continuity and resiliency plans and their testing, insurance coverage, and information security posture. It also includes tracking the vendor’s performance against your organization’s overall satisfaction and against the defined service levels for product or service delivery.
The information security challenge
Historically, under ongoing monitoring, verifying that a vendor holding confidential organization or customer data maintains a well-structured information security discipline, by means of questionnaires and possibly certifications, has been accepted as adequate due diligence that any exposure to risk has been mitigated. Questionnaires and certifications, however, are point-in-time evidence: they describe the vendor’s posture on the day they were completed, not on the day a weakness is introduced or exploited.
A continuous monitoring strategy applied to information security raises the bar, and likely the level of your vendor engagement as well. Just as news feeds and their alerts allow third-party risk threats to be identified outside the review cycle, a comparable process is needed to monitor for, and alert your organization to, a threat to your sensitive data held in trust by a third party, or even maintained within your organization’s own IT infrastructure.
It’s our belief that continuous cybersecurity monitoring of your own IT infrastructure and critical vendor relationships is current industry best practice, and will emerge as a de facto requirement, if not a regulation, over the next 24 months.
Beyond being best practice, continuous monitoring is simply prudent within any risk management framework. That is quite a prediction, but given the number of bad actors and the exposure and cost of an information security breach, it is a logical conclusion, provided an effective means of monitoring is available and affordable, as we believe is now the case.
The need to keep pace with the dynamic environment that today’s business demands is defining expanded solutions, requirements, and responsibilities for everyone involved. To meet this imminent need, you should consider adopting a vendor risk management (VRM) solution that provides the continuous monitoring tools you will need today and in the future.