Third-party assessment exchanges and undue risk
A definition of assessment exchanges
It’s often said, “If it sounds too good to be true, it probably is.” That helps explain the attraction and danger encountered with assessment exchanges for third-party risk management. What exactly is an assessment exchange? Why are GRC and third-party risk management providers and their customers fascinated with them? And what’s the risk and danger of relying on assessment exchanges?
An assessment exchange is a shareable repository of vendor-completed assessments. Instead of issuing a vendor an assessment, companies pull the vendor’s completed assessment from the repository. The assessment questionnaires are often long and difficult to answer. The assessment exchange streamlines this lengthy, laborious process, enabling companies to bypass issuing and collecting questionnaires.
The allure and dangers of assessment exchanges
Assessment exchanges are touted as best practice, pitched as a simpler way to manage third-party risk, and presented as an improvement to the third-party experience. That’s the allure of assessment exchanges. People love the idea of Staples’ Easy Button, and that’s how assessment exchanges are pitched. Or so assessment exchange providers would lead you to believe.
Using an assessment exchange is a risky proposition. For starters, how do you know you have the right assessment? A small vendor with multiple data centers and many products could have different security assessments for each product and data center. When getting an assessment from a repository, how are you certain you have the right assessment for the right product and data center? What if there is an incident or an audit? During an incident, your third-party processes will be under the microscope. Can you produce an audit trail for how you received an assessment that’s in question? How will a regulator or jury react when you present information gathered from a service and not the vendor in question?
Another danger is assessment escalation. For example, your company has an IT security issue with a vendor. You may question an answer on the assessment and call the vendor to clarify. Your company may well have a great working relationship with the vendor, so the assessment question comes out of left field. The vendor may respond: “What do you mean there’s an issue?” Because the assessment was sourced outside the company/vendor relationship, the escalation could sour the relationship.
Bottom line: the risks of using a third-party assessment exchange outweigh the promised benefits.
A better option to assessment exchanges
It’s tempting to equate easier with advancement. Assessment exchanges tout ease, but they are neither an advancement nor a best practice. Relying on an exchange presents too many risks to your organization.
A better option would be for your company to conduct its own assessments but explore ways to simplify the process and make it more effective. To illustrate, you can prepare your third parties for upcoming assessments, giving them more time to delegate questions to subject matter experts. You can also provide vendors with their answers from previous assessments, so they only make updates.
When your company conducts assessments, you can escalate and resolve issues faster. You have a shared history of going through the assessment with the third party. In essence, you’re on the same page. You can also tie assessment questions to controls at issuance for immediate understanding of risk. On the other hand, when using an exchange, mapping controls across dozens or 100 assessments after they come in is time-consuming and may invalidate your audit trail.
You can expect to hear more about third-party assessment exchanges, and the value they present to your organization. When you get the sales pitch, think about the risks of using incorrect data or facing regulators asking tough questions. The danger is too great to take a shortcut. If it helps, remember: if it sounds too good to be true, it probably is.