Unlocking resilience: the power of vendor risk management

Australian businesses across all industries rely heavily on third-party vendors, and fintechs are no exception. The agile, scalable business model under which fintechs operate lends itself particularly well to the widespread outsourcing of important business functions.

However, third-party vendors also expose the business to significant risks. When Protecht investigated the risk profile of fintechs, the following risk categories were considered the most important by people in the industry, with cybersecurity risk in the number one position.

1. Cybersecurity risk
2. Vendor and third-party risk management
3. Operational resilience
4. Data governance
5. Regulatory risk
    

Each of these categories has risks in its own right, but the complexity ratchets up a notch when we start considering how they are interconnected and dependent upon your suppliers. When your own organisation is solely responsible for managing its risk profile, you can better control the outcome with appropriate resourcing and leadership applied to the risk management framework. However, once we bring third parties into the equation, we no longer have the same ability to directly drive the risk culture within their organisation. We can, however, definitely influence it.

As a fintech, you have two kinds of sensitive data to worry about — your own and your customers’ — both of which are often shared with vendors. There have been some high-profile breaches of vendor platforms to access sensitive customer data this year including Latitude Financial when hackers stole millions of the Australian lender’s customer ID documents after compromising Latitude’s third-party vendor DXC Technology.

Failure to protect sensitive information from risky vendors can lead to losses arising from:

• theft of money or digital assets
• the cost of investigating and remediating breached systems
• customer compensation
• fines and other settlements to regulators.
   

That’s why it’s essential for all fintechs to build a comprehensive vendor risk management process that covers the full lifecycle of the vendor relationship. Key items to consider are:

1. Onboarding: Conduct appropriate due diligence before committing to a vendor. Go beyond the financials and look at their security posture, governance structure and commitment to sustainability. A thorough risk assessment should be mandatory before the vendor comes on board.
2. Documentation and SLAs: The vendor must communicate their intent to data security and service level agreements (SLAs) clearly, both in proposal documentation and ultimately any contract to be agreed between the parties. Clarity in these items will build a more robust relationship between the two parties based on transparency and trust.
3. Constant monitoring and progress checks: Once onboarded, vendor managers need to consistently monitor the risks from vendors and conduct periodic risk assessments and reviews of security, insurance and governance structures. A good vendor risk management system empowers vendor managers to streamline these activities and connect the dots between incidents, issues, SLA reviews and questionnaire responses and then be able to act on the findings.
4. Offboarding: Since vendors have access to critical and sensitive information, fintechs must ensure that none of this information remains with the vendor at the end of the relationship. Checks and balances must be implemented to ensure appropriate return or destruction of any data used or stored by the vendor.

Managing vendor risk can seem a little challenging at first, but its benefits will outweigh any short-term pain to get the framework up and running. Successful vendor risk management will safeguard fintechs from vendor-related financial losses, unforeseen cyber attacks, operational disruption, reputational damage and litigation.

A modern vendor risk management system replaces time-consuming and error-prone manual processes and includes:

• a centralised workspace for vendor managers to manage data, identify weakness and prioritise and manage risk remediation;
• a simple, secure portal for vendors to provide information, improving third-party collaboration through real-time communication, information access and data collection;
• a user-friendly interface and analytics dashboard to easily access, analyse and report on all vendors throughout the relationship lifecycle;
• customisable and industry-standard automated vendor security and regulatory questionnaires;
• workflow alerts and reminders to optimise productivity.
   

It will not only reduce the risk of human error but ultimately, it gives fintechs greater visibility into their vendors and their associated risks and empowers them to influence risk culture within those vendors through their continual monitoring programs.

Image credit: iStock.com/NicoElNino