Vendors Beware of the Cybersecurity Audit

By Caroline McCaffery, Co-Founder and CEO of ClearOPS

  1. Introduction to Vendor Management

Why does every license agreement and data protection addendum suddenly include a right for the buyer to perform a security audit on the vendor? Because in recent years, the number of vendors causing a security incident for their customers has increased. This, in turn, led to a number of regulations imposing new vendor management requirements.

Alarmingly, a substantial 54% of businesses fail to perform adequate due diligence on their third-party vendors. And yet 98% of businesses have at least one vendor that has suffered a security breach. Source: https://www.resmo.com/blog/third-party-data-breach-statistics

The financial implications of breaches are significant, with the average cost of a data breach rising to $4.35 million globally, and even higher in the United States. The cost is so high that 60% of SMBs shut down within six months of a data breach. (Security Intelligence, 2021)

So, monitoring and managing vendor security is no longer a nice-to-have. It is a need-to-have. And the regulators have taken notice. Most privacy laws include a cybersecurity audit or vendor due diligence requirement.

For example, the General Data Protection Regulation (GDPR), the EU data privacy law, mandates due diligence on processors to ensure they comply with data protection and security measures. Review Articles 28, 24, 29 and 46 for their obligations regarding the roles of controllers and processors. Similarly, Article 9 of the California Privacy Protection Act (CPPA) requires cybersecurity audits of service providers and the service provider’s corresponding cooperation. The NY Shield Act likewise obliges businesses to have “reasonable safeguards” that include vendor due diligence.

This evolving regulatory environment, coupled with the substantial risks and costs associated with vendor-related data breaches, underscores the need for a more sophisticated and robust approach to vendor management. Addressing these challenges is critical to safeguarding organizational and customer data in an increasingly interconnected ecosystem.

Generative A.I. has a role to play in advancing an organization’s ability to comply with these regulations and improve the vendor management audit process.

  2. Current Vendor Management Practices

Currently, vendor management is a procurement function that faces a headwind of silos and biased perception. When a buyer is in the market for a new vendor, the business owner conducts the search, ultimately choosing the vendor prior to any input from any other business unit. This siloed selection process costs the organization, and it in turn puts pressure on the procurement, legal, privacy and security teams to “approve” the vendor. While these teams are likely able to withstand such pressure, it comes at a cost: their relationship with a colleague.

In addition, each of these teams has its own agenda, priorities and expertise. Typically, the procurement team is incentivized to negotiate the best price, regardless of whether that may require forgoing some of the vendor’s offered security enhancements. Legal and privacy are responsible for vendor compliance with policies and laws, which requires review of contract terms and redlining of unfavorable terms. The security team is similarly tasked with vendor compliance with policies and security regulations, which they satisfy through questionnaires or third-party audit reports.

Therefore, not only must they be prepared with paperwork for the vendor and knowledge of privacy and cybersecurity, but they also have to be ready, at any given moment, to drop what they are doing and review the information that the vendor sends back to them.

All the while, the business unit buyer sees these colleagues as blockers to what he, she or they want.

Finally, once the vendor is selected, the ongoing monitoring is even worse. Whose job is it to send the annual review? Who conducts that annual review and keeps track of it? How are they going to prove to the regulators that they have complied with the law?

  3. Generative AI Could be the Game-Changer

I am bullish on Generative A.I. technology and how it is revolutionizing vendor management. If we look at the root cause of the vendor management problem, it is because it is filled with tedium. Generative A.I. reduces some of the tedious work.

I believe Generative A.I. will improve vendor management in the following ways:

  • Improve systems of record,
  • Improve process development and execution, and
  • Speed up vendor response.

First, Generative A.I. improves systems of record dramatically by enabling Generative A.I. querying. In other words, once you have a system of record or a knowledge base, being able to ask it questions and receive answers relatively quickly is a much more pleasant experience than skimming through a 150-page document.

Second, Generative A.I. improves process development and execution because it can now generate the policy or the questionnaire from other sources in the knowledge base, including new regulations. For example, several U.S. states had their new privacy laws go into effect in 2023. With Generative A.I. you can store those laws in your knowledge base and then write a prompt for the Generative A.I. to develop a new vendor questionnaire based on the regulations. You could even upload the vendor response to the questionnaire and ask it to determine if the vendor had any discrepancies. Note, using Generative A.I. for this last task, at the moment, is not very reliable, but I believe it will get better with time.

Third, Generative A.I. will speed up the vendor response to these reviews and audits because once the vendor has built its own knowledge base of its privacy and security program, responding to questions, no matter how they are worded or phrased, becomes significantly easier and faster.

  4. Conclusion

The ultimate goal here is two-fold: improve the internal relationship between the business teams and the operations teams, and improve the process so that risky vendors are identified early and eliminated. With Generative A.I., systems of record become more interactive, allowing for quicker and more efficient querying experiences. This technology can also autonomously develop and refine processes, such as generating updated vendor questionnaires based on the latest regulations, which optimizes compliance efforts. Additionally, it promises to expedite vendor responses to reviews and audits by facilitating faster access to a vendor’s privacy and security information. As the reliability of Generative A.I. advances, it will become an indispensable tool for enhancing the efficiency and effectiveness of vendor management.

About the Author

Caroline McCaffery is the Co-Founder and CEO of ClearOPS. She can be reached at https://www.linkedin.com/in/carolinemccaffery/ and at our company website https://www.clearops.io

 

April 12, 2024
