Picture this: You're looking through your inbox on a busy morning and find an email from your biggest customer with pages of questions for you to answer on your cybersecurity posture – the technology you have in place, how you train your team, how often you test your systems and more. It's a long questionnaire, you're not sure how to answer the questions, and you're at risk of losing the contract if you don't provide the right answers. What do you do?
This request is called a third-party risk assessment, and it's becoming more common for small businesses. Filling out these assessments – and having the security measures in place to answer the questions correctly – is increasingly a part of life for small businesses. In this article, I cover what you need to know about third-party risk assessments, including:
- What a risk assessment is and why assessments are happening
- Goals and components of a risk assessment
- Results of successful (and unsuccessful) assessments
- How to prepare for and complete an assessment
What is a risk assessment?
At its core, a risk assessment is a thorough review of the functions, policies and processes that an organization has in place, either internally or externally, and the risks they introduce to the organization. In a cybersecurity risk assessment, this typically means evaluating the risk of a cyberattack or data breach, but risk assessments can also cover compliance, operational and competitive risk. Risk assessments are frequently driven by regulatory or compliance needs, but increasingly, even nonregulated industries are beginning to evaluate risk.
A company can run a risk assessment of its own internal processes and procedures, but large businesses are starting to understand how their small business vendors' cybersecurity posture impacts them, and are increasingly running risk assessments of their vendors. This means B2B small businesses are under the gun.
This realization that vendors can be a danger is, unfortunately, an astute one. Small businesses collect a lot of sensitive data about their clients, often without realizing it. The sensitive data goes beyond credit card numbers. Here are a handful of examples of small business vendors and the sensitive data they store about their large clients:
- Lawyer: Confidential legal information, documents, intellectual property (IP)
- Marketing firm: Competitive analysis, marketing strategy, public relations communications
- Accountant: Financial data, tax documents, employee and payroll details, banking information
- Systems integrator: Security system maps and facility floor plans, security and process documentation, access points and configuration details
- Manufacturer: Product designs, engineering schematics, input and output data, process data
Larger organizations and enterprise companies often have a lot of vendors competing for their business, and for security-conscious or highly regulated businesses, cybersecurity can be an important component of the decision. Even as a small business, choosing a more security-minded vendor for your business needs can be a good way to reduce your overall risk.
What's in a risk assessment?
Third-party risk assessments often come in the form of a questionnaire and can be lengthy; some vendors have been asked to answer over 100 pages of questions on their security. Additionally, assessments often come out of the blue – they can be sent before the beginning of a contract or business deal or at any point during the working relationship.
Risk assessments vary, depending on the organization administering the assessment and the scope of the vendor relationship, but the core focus of the questionnaire is to figure out how the vendor is protecting the client's data. Covered areas often include:
- Cybersecurity policies and procedures
- Employee awareness and training programs
- Data classification and storage
- Technology protection and configuration
- Penetration testing and other evaluation methods
Due to the volume and nature of the requests, IT teams or other parties are often required participants in the submission process. Depending on the questionnaire, you may be asked to provide supporting documentation of your technology, training, and policies, in addition to sharing the results of your testing.
In addition to a traditional questionnaire-style assessment, some companies are starting to use technology solutions to evaluate their vendors. These solutions run scans and compile publicly accessible information about the company that contributes to risk.
Results of a risk assessment
When you receive a cybersecurity assessment, simply not returning it is out of the question. The companies requesting these assessments often represent a significant book of business, so it's in your best interest to answer the questions promptly and correctly.
If you have proper security measures in place, a completed assessment can bolster your business. It can help differentiate your company from less security-conscious competitors and increase your client's confidence in your abilities. Additionally, it gives you a talking point with future clients during the prospecting and sales process.
On the other hand, if your business isn't prepared for the assessment, you may be in a tight spot. Failing to show adequate cybersecurity can mean losing the business relationship or contract. Additionally, if you submit an incomplete or insufficient questionnaire, the company requesting the assessment may return it to you, which may harm the business relationship and waste additional time.
The risk assessment is high stakes, but if you don't have the appropriate security controls in place, you shouldn't risk reporting false information. Not only is it bad for business and for client relationships, but it can also have significant legal impact and cost. As shown by Delta Airlines' recent lawsuit against their chatbot provider, the vendor can be held liable if there is a cybersecurity incident. In Delta's case, its chatbot company's poor security practices caused a data breach that exposed customer information, even after the vendor signed a contract stating that it complied with standards.
You received a third-party risk assessment. Now what?
Third-party cybersecurity risk assessments are a big deal for small businesses, and they're often due back to the requestor in short order. Scrambling to improve your cybersecurity while also answering the questionnaire is unlikely to be effective, so, ultimately, the best strategy is to prepare ahead of time. Here are some steps to take:
1. Deploy basic cybersecurity measures
Simply understanding the rationale behind cybersecurity assessments and putting in place basic cybersecurity measures goes a long way towards preparing for an assessment. Work to deploy a comprehensive cybersecurity program to protect your organization and to satisfy assessments, and confirm that you're meeting all compliance requirements for your industry.
Prepare an internal team ahead of time to assist with assessments and help you work through the details. If you have questions about a specific piece of the assessment, don't hesitate to reach out to the requestor or to your provider – it's better to understand ahead of time than to submit an incomplete response.
2. Prepare your materials
Keep your cybersecurity information, including any relevant documentation, in a safe place that you can easily access in the case of a third-party assessment. Move methodically through the questionnaire and answer questions thoroughly and honestly. Consult with your cybersecurity provider or IT team as needed.
If your company frequently receives risk assessments, consider preparing a standard response package that details how your company aligns with common frameworks, such as the Standardized Information Gathering (SIG) questionnaire, and provides supporting documentation. This standard response is easy to submit, and the requestor may accept it as a substitute for their own questionnaire, either as-is or with shorter supplemental pieces.
3. Organize and submit your information
Submit your risk assessment using the method specified. Keep a copy for yourself in a safe place, as well as any notes for next time. In the case that there are any remediations or improvements necessary in the aftermath of the assessment, work to address them thoroughly through your cybersecurity program. Consider forming a company Standard Operating Procedure (SOP) for how to handle third-party assessments, including who takes responsibility for what portions and where the information is stored.
Third-party cybersecurity risk assessments can be complicated, but they're increasingly an important part of doing business in the B2B market. A little bit of preparation and diligence goes a long way toward a successful assessment and protecting your business.