As organizations increasingly outsource services to vendors, the need to effectively manage vendor risks has grown.

Failure to manage vendor risks can result in business interruptions, financial losses, lawsuits, reputational damage, and regulatory investigations and proceedings. This is particularly the case because you are accountable for all personal information you transfer to service providers. You can reduce these risks by performing due diligence, putting appropriate contractual safeguards in place and conducting ongoing monitoring.

Due diligence and risk assessment

Completing appropriate due diligence activities prior to selecting a vendor helps you determine the risk of doing business with a vendor.

Due diligence activities help verify whether the vendor:

is reputable and honest

has the experience, skill and resources to carry out the contract

has reasonable compliance programs and internal controls in place

has conducted external assessments or certifications

has a history of incidents or non-compliance

Due diligence activities help you assess the vendor's privacy and cybersecurity program by determining what information the vendor receives, how it will be stored, who has access to the information, whether the vendor's employees receive appropriate training, and whether appropriate safeguards are in place for the information.

By identifying any "red flags" or gaps as part of this review, you can determine whether and how you would like to proceed with the vendor, and how to best manage these risks going forward.

Put appropriate contractual safeguards in place

Contractual safeguards can further reduce the risks arising from your relationship with the vendor. Examples of such safeguards include, among other things:

Providing a clear requirement that the vendor take steps to comply with applicable laws

Requiring the vendor to maintain policies and procedures acceptable to your organization

Authorizing your organization to monitor and audit the vendor on an ongoing basis

Requiring the vendor to immediately notify and cooperate with you in the event of an incident

Requiring the vendor to have insurance coverage for privacy or cybersecurity incidents

Limiting the vendor's ability to sub-contract and assign its obligations

Indemnifying your organization and limiting its liability for any damages stemming from incidents experienced by or on account of the vendor's action or inaction

Establishing consequences for the vendor's failure to meet its obligations with respect to privacy and cybersecurity

Including clear rights to terminate for convenience where appropriate

Conduct regular monitoring

Conducting due diligence is an ongoing task – the job does not end when a contract is executed. Periodic reviews and audits should be completed to verify that contractual requirements continue to be met. Any incidents or allegations of misconduct should be investigated, with steps taken to ensure compliance with applicable laws. As gaps are identified throughout the life of the contract, they should be addressed.

Takeaways for your organization

The risk associated with storing personal and other confidential information is heightened when the information is transferred to service providers. By properly vetting your vendors and carefully drafting contractual protections, you can reduce these risks significantly. Likewise, by putting procedures in place to monitor the contract following its execution, you can verify that vendors continue to meet their contractual obligations.

