The Power of Existing Data for Vendor Risk Assessments

Far too many third-party risk management programs rely upon assessment models that start from scratch with assessing products and vendors as they get processed through standard procurement cycles. The mean time to complete a vendor assessment from scratch takes over 27 days, which includes vendor response cycles, clarifications, and validation of information provided. Read More

SolarWinds Cyberattack Exposes Supply Chain Risks

A groundbreaking cyberattack against the Texas-based IT network solutions provider SolarWinds has resulted in unauthorized access to a wide range of government and private sector organizations. The extent, scale, and impact of the attack are still being assessed; however, initial indications are that the attack will have lasting security impacts for months and possible years to come. Read More

Selecting the Right Technology for Your Third-Party Risk Management Program

Effective third-party risk management (TPRM) begins with maintaining an updated vendor inventory and conducting assessments for a prioritized subset of vendors who pose the greatest risk to your organization. Technology and automation play a critical role in your program’s ability to deliver assessments and high-quality risk intelligence to the business in a timely fashion. Applying the right technology in the right places in your vendor risk workflow can also save valuable time and money that would otherwise be spent on costly manual processes and systems. Read More

Healthcare’s Gamble with Business Associate Breach Risks

Security breaches from third-party Business Associates and related regulatory penalties are piling up for healthcare entities this year. In a joint presentation with CORL in June 2020, the US Office for Civil Rights (OCR) reported that a top source of civil monetary penalties for Covered Entities in 2019 was inadequate management and compliance for third-party Business Associates. Despite the mounting financial penalties and breach costs resulting from third-party breaches, too many healthcare entities continue to gamble with underinvestment in their third-party vendor risk and compliance programs. Read More

Explaining CORL's Processes to Vendors

CORL provides a unique and innovative model for managing third-party risk. However, there are wide range of vendor assessment technologies and solutions on the market including cyber risk scoring tools, GRCs, automated questionnaires, vendor exchanges, and more. This diversity of solutions has generated confusion for some vendors that are trying figure out how and where CORL fits into the picture with supporting your vendor risk program. Read More

NIST SP 800-53 Rev 5: New Supply Chain Control Requirements

The National Institute of Standards and Technology (NIST) has announced an updated version of their flagship security controls framework NIST Special Publication (SP) 800-53. The new version, Revision 5 or “Rev 5”, update is the first overhaul of the NIST SP 800-53 framework in over seven years and represents critical updates that reflect the modern cyber threat landscape. A major addition in this revision includes an entire security controls “family” dedicated to Supply Chain Risk Management (SR). This blog post will help provide some insight into the new controls framework version, its differences from prior iterations and other related standards, and its applicability for third-party risk management programs. Read More

Finding a Cure for Healthcare Vendor Risk | Analysis of the 21st Century Cures Act and ONC’s Cures Act Final Rule

In May 2020, while the healthcare industry grappled with the outbreak of a global pandemic, the US Department of Health and Human Services (HHS) quietly issued a Final Rule that has major implications for the secure electronic delivery of health information to patients via third party platforms and apps. Increased interoperability between systems has many potential benefits for patients, but it also introduces a larger technology footprint for sensitive patient information including Protected Health Information (PHI). Read More

Enterprise Risk Reporting | The Achilles Heel of Vendor Risk Management Programs

Information security leaders and vendor risk management teams have struggled to update their reporting models to keep pace with the increasing variety and complexity of risks introduced by the modern business supply chain. The inability to effectively communicate meaningful vendor risk metrics that drive informed decisions from the business has become the Achilles heel for many third-party risk management programs.  Read More