Third-party risk management extends your system vulnerability testing through to the providers of services, hardware, software, and applications that are used in your infrastructure. That assessment also extends to associated companies other than suppliers.
Risk management in IT systems refers specifically to the protection of sensitive data, above all Personally Identifiable Information (PII). So, not all of the data that your business processes will qualify for these extra measures of scrutiny.
Here is our list of the five best third-party risk management software:
- OneTrust Vendorpedia Third-Party Risk Exchange EDITOR’S CHOICE A risk management platform with completed assessments supplied by other clients. This system is constantly updated and includes assessments of more than 70,000 companies.
- CyberGRX AIR Insights An AI-based assessor that identifies third parties that should be prioritized for risk analysis and provides community-sourced intel on businesses.
- SpyCloud Third Party Insight This service assesses account takeover risk and has a special module for third-party ATO risk.
- SureCloud A third-party risk management platform that is questionnaire-driven and is part of a compliance management package.
- Riskonnect Third-Party Risk Management A supplier vetting portal that imposes a risk management framework on third-party assessments.
You can read more about each of these options in the following sections.
The need for risk management in IT systems
The legal landscape faced by businesses has evolved rapidly in recent years. The General Data Protection Regulation (GDPR) and the ePrivacy Directive of the EU have been implemented as laws in every EU nation. These govern the use of PII and also specify the rights of individuals. Individuals have the right to request information on what data organizations hold on to. They also have the right to demand that mistakes are corrected or that data related to them be removed. GDPR also specifies that permission needs to be sought to send the PII of EU citizens outside of the EU.
GDPR enables individuals to seek compensation for the abuse of PII, which includes accidental disclosure of information. Governments can also fine businesses for such accidental disclosure. GDPR specifies a maximum fine of €20 million (about £17 million or $24.5 million) or 4% of annual global turnover. Those limits can be lower in the national legislation that implements GDPR.
Note that the fine can be up to 4 percent of turnover, not profit, and there is no free pass for businesses that have already been fined once in a financial year. Consumer compensation can be sought on top of those fines. Therefore, a data loss event can be ruinous. This gives businesses that want to trade within the EU a big incentive to take every measure possible to prevent data disclosure or inappropriate use of PII.
Since GDPR, other areas of the world have implemented their own data protection legislation. These include the California Consumer Privacy Act (CCPA), Brazil’s Lei Geral de Proteção de Dados (LGPD), Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA), and South Africa’s Protection of Personal Information Act (POPIA). In the USA, there are additional data protection rules for payment card details (PCI DSS) and protected health information (HIPAA).
The difference between third-party risk management and vendor risk management
Vendor risk management is a type of third-party risk management. For many businesses, third-party assessment only needs to go as far as vendor risk management. For example, service providers need to assess risk in their own systems and those of their suppliers, but they don’t need to audit the systems of their clients.
Probably the most common example of a third party that isn’t a supplier is a franchisee. However, the franchisor can be seen as a supplier. In both cases, the franchisee and the franchisor are third parties to each other. Another example of companies that are associated without a traditional supplier-client relationship is a joint development partnership. A further mutual relationship between companies is formed during a takeover or a merger.
Implementing third-party risk assessment
The typical risk assessment process centers around a questionnaire. This form provides a standard assessment format, ensuring that all vendors are treated equally. The most common format for the assessment form is called the Standardized Information Gathering questionnaire, or SIG.
A proper assessment will require information from a third party, so it is better to get someone at that company to fill out the SIG for you. The sales team or contract department will be happy to do this because companies that are involved in providing IT systems are aware of the requirement for risk assessment in most data protection standards. They wouldn’t get much business if they didn’t already have all of the relevant information in hand for the SIG.
The third-party risk assessment platform provides an index of documents related to each company being audited. Each profile will also include slots for certification copies and audit assessment results. Some risk assessment systems include a method for SIG pooling, which allows many clients to benefit from the same effort to compile one SIG.
If you subscribe to a SIG sharing service, you need to ensure that the assessment is recent or recently updated. Some providers perform that assessment process for you and will keep an eye out for developments with each registered third party.
The best third-party risk management software
There are many choices in the risk assessment market for third-party risk management because this is becoming an essential service for a large number of companies.
What should you look for in a third-party risk management system?
We reviewed the market for third-party risk management software and analyzed the options based on the following criteria:
- A system that collects all necessary documentation for each assessed company in one profile
- A framework that is supported by a legal team
- An assessment format that can be adapted to specific standards
- An assessment system that is part of a wider governance and compliance platform
- Risk assessment that is constantly updated
- A free trial or another method for a risk-free assessment
- A service that is priced appropriately given the value of the modules it provides
As well as following the above selection criteria, we made sure to identify services that cater to all budgets.
OneTrust Vendorpedia Third-Party Risk Exchange is a member-driven SIG database that gives access to assessments carried out by other companies and by OneTrust consultants.
OneTrust is a leader in governance, risk management, and compliance. The company runs a consultancy that performs risk assessments for companies both to check their internal risks and their third-party risks. The innovation of storing these risk assessments in a database and making them available to subscribers creates very cost-effective re-use of OneTrust expertise.
The vendor assessments don’t stop at first-tier suppliers. Risk analysis reveals which providers rely on other companies to create their products, so it builds up a hierarchy of suppliers. Each supplier will have a SIG in the database, so subscribers get to see through the supply chain to fully understand dependencies and build up a full risk landscape.
SIGs that assess more than 70,000 vendors are registered in the Vendorpedia Third-Party Risk Exchange database. The service is cloud-based and the dashboard is accessed through any standard browser. The console includes data querying tools to help you locate records, and you are then able to store collections of documents that create a profile for each of your suppliers and their suppliers. This package of analytical tools is called OneTrust DataGuidance, and it provides the expertise you need to fully benefit from the Vendorpedia database.
The risk assessment document base that you create in the system will help you with proof of compliance with NIST, HIPAA, PCI DSS, GDPR, EBA, and CCPA. Creating a profile for a company in your user account doesn’t copy over information and store it separately. Instead, you get a view on a shared document, so when a SIG gets updated, you instantly get the latest version.
OneTrust consultants moderate and check through the data held in the Vendorpedia database; it isn’t a complete free-for-all. So, you get verified and valid data on all suppliers, not just someone else’s opinion. The risk assessments in Vendorpedia relate to each product of a company, not just the company. This accounts for the fact that different products will be based on a different supply chain and so have different risk profiles.
You can request a demo to get a full understanding of the Risk Exchange system.
OneTrust Vendorpedia Third-Party Risk Exchange is our top pick for third-party risk management because it leverages OneTrust’s expertise and the assessments already performed for other companies. This is an excellent way to get risk assessments on your suppliers and their products without having to go through the time-consuming process of creating SIGs yourself. Guidance within the cloud-based console ensures that you get a full risk assessment without needing years of experience in the field.
Request a demo: vendorpedia.com/request-demo
Operating system: Cloud-based
CyberGRX AIR Insights is a data management tool for locating and curating third-party risk information. This system is part of a cloud-based SIG assessment database that allows businesses to pool their third-party risk assessment information.
CyberGRX is the world’s largest SIG pool with assessments on more than 100,000 companies. The service not only distributes compliance information and data loss event reports on companies but also includes shared remediation risk strategies, which could include joint legal action. It also helps in the creation of contracts with recommendations on SLA clauses.
The CyberGRX AIR Insights module is a triage support tool that enables you to focus on products and suppliers that are of systemic importance to your data processing infrastructure and then mine all available information to verify whether the risk of dealing with those products is acceptable and within the boundaries of your data protection standards compliance. The AIR Insights tool automates many of your risk management tasks.
Access to the CyberGRX database and the AIR Insights system is part of the CyberGRX Third-Party Cyber Risk Management bundle. This platform also includes the Framework Mapper, which tailors your risk management efforts towards specific data protection standards. The assessment system is multi-layered, so you will discover the supply chain behind the products that you use or want to buy and implement risk assessments on all contributing providers.
You can get risk assessments carried out for you for free by the CyberGRX team as a trial of the system. The feedback from this offer isn’t instant. To access this offer, you need to sign up for the service and send in a list of the third parties that you need to investigate. After three weeks, you will receive back an assessment report on two of those companies.
The SpyCloud risk assessor is a little different from the others on this list. The SpyCloud service focuses on account takeover (ATO) risk. The ATO problem damages your company’s data protection standing through the malicious actions of insiders or user carelessness with login credentials. Just as this service can assess the risks within your own company, it can assess those risks within the providers of your essential software and services.
Many executives are reluctant to work with outsourcing and cloud services because they worry about losing control over system security while still having to bear the responsibility for data loss events. SpyCloud solves that problem. You can at least assure the board that the companies that your IT department deals with are protected against account takeover.
SpyCloud Third Party Insight scans information sources for reports of data breaches at your list of associated businesses and suppliers. Essentially, this is a data breach news feed that is collated into a presentable format through the SpyCloud dashboard. This entire system is hosted in the cloud.
You can get a demo of SpyCloud Third Party Insight to scope the service for yourself.
SureCloud is a cloud platform that offers a package of governance, risk management, and compliance functions. These services include a third-party risk management module.
The Third-Party Risk Management software system in SureCloud creates a central interface to your vendor assessment and risk management documentation. The dashboard includes questionnaire templates that guide how to collect relevant data on suppliers and their products, plus the other businesses that contribute to the production of those products.
The SureCloud system is available in three plans. The lower edition, called Standard, is better suited to businesses that have in-house risk assessment expertise. Although this plan provides a structure that helps you organize your risk assessments, it doesn’t have much process automation in it. The guided workflows for risk assessment and third-party risk management are only available in the two higher plans, which are Business and Premium.
Like most third-party risk management systems, the SureCloud system is based around SIG questionnaires. These give you a strategy to work to, making sure that you research and check all of the relevant data that you will need to verify your suppliers and ensure that you minimize risk.
The SureCloud Third-Party Risk Management system also offers an add-on service, called BitSight, for an additional fee. BitSight is a database of risk assessment data on many companies and cuts short the research process that you have to go through by providing all of the necessary data.
You can request a demo to see the SureCloud Third-Party Risk Management system for yourself.
Riskonnect Third-Party Risk Management is a cloud system that gives you a console for managing all risk-related issues when dealing with suppliers and other third parties. This can be seen as a mediation platform because it lets you communicate with potential suppliers in a standardized format that imposes a framework and a workflow for completing assessments.
The Riskonnect system doesn’t stop at supplier assessments. It also manages the formulation of contracts and SLAs so that your business can be reassured that the risks of taking on a product or service have been minimized.
Fortunately, most suppliers in the field of data processing are well aware of standards requirements and have certification gained through regular compliance auditing. The documentary evidence of this status goes a long way to removing risk. However, assessments have to be reimplemented periodically and the Riskonnect service includes a calendar that will alert you when it is time to recontact suppliers for confirmation of their ongoing compliance status.
Riskonnect calculates a risk ranking for each of the companies that you enter into the system. Analytical tools in the system let you categorize the products that you use and their providers so you can focus scrutiny on those businesses that would impact your standards compliance.
You can request a demo of the Riskonnect system to assess it for yourself.