Managing supply chain and third-party risks.
Vendor due diligence is a crucial aspect of managing supply chain and third-party risks. With the increasing integration of third-party solutions and services into organisational operations, it is vital to conduct thorough vendor due diligence to enhance cybersecurity and minimise supply chain risks. Cybershore has launched an innovative “Free Vendor Reports for SaaS Vendors” initiative, which can assist organisations in initiating and sustaining their vendor due diligence efforts.
The interconnectedness of organisations through various third-party solutions makes it essential to assess the risks associated with these vendors. Failing to do so can expose businesses to potential data breaches, financial repercussions, operational disruptions, and damage to their reputations. Recent statistics highlight the growing concern, with more than a quarter (27%) of New Zealand CEOs identifying ‘supply chain’ as the greatest threat to growth, a significant increase from seven per cent in 2022 (Source: Institute of Directors New Zealand).
Conducting initial due diligence before signing contracts is crucial to ensure that potential partners align with the organisation’s risk appetite and do not introduce new cybersecurity or privacy risk dimensions. Equally important is ongoing vendor management to keep contracts and documentation current, identifying changes in risk and performance over time. While all partners should undergo ongoing vendor due diligence, it may need to be heightened for high-risk and critical vendors and those with sub-contractors (fourth parties).
Despite the evident necessity of vendor due diligence, many organisations struggle to keep up due to resource constraints and tight timelines. Often, these activities are deferred until contracts are already signed, leading to technology debt and unnecessary security and privacy risks—particularly when engaging with smaller (cloud) service providers or vendors with immature security practices.
Conducting proper vendor due diligence, initially and continuously, is fundamental to managing and mitigating supply chain risks. Conducting due diligence upfront aids in selecting vendors that align with organisational requirements, while ongoing assessments ensure they continue to meet evolving needs, such as compliance with updated privacy regulations or security standards. Additionally, ongoing due diligence fosters strong relationships with vendors, establishing a partnership that maximises the benefits of the services acquired.
Vendor Due Diligence can be challenging.
Cybershore recognises the challenges organisations face in conducting comprehensive vendor due diligence assessments. Vendors may hesitate to share third-party assurance reports without signed Non-Disclosure Agreements. Given limited resources and tight project timelines, working with a vendor to obtain the information required for a detailed third-party risk assessment, and allowing time for follow-up questions, can jeopardise the timely delivery of projects, especially when multiple vendors are involved. Smaller vendors often have little evidence to demonstrate their security and privacy posture, which may require the organisation to audit the vendor itself, demanding additional resources.
To provide transparent and accessible vendor reports tailored explicitly for Software as a Service (SaaS) vendors, Cybershore has introduced this initiative. These reports offer valuable insights into SaaS vendors’ cybersecurity posture and privacy practices, and by objectively evaluating vendor risk, Cybershore aims to enhance the cybersecurity resilience of organisations across industries. The report for Canva Inc. is already available for download, and organisations can suggest other vendors for whom they would like to see such reports. To learn more or suggest vendors, please get in touch with Katja at email@example.com or call her on 0800 029 237.