February Newsletter 2019-Be Aware of Your Third-Party Vendor Exposure!
By Rebecca M. Gomez
Many Nonprofit Organizations rely on third-party vendors to assist in the management of their operations. Depending on the nature of the Third-Party Vendor, this could leave your nonprofit vulnerable to many exposures.
Organizations outsource critical aspects of their operations – Payroll, Accounting, Human Resources, Cyber Security – which can leave them vulnerable due to the exposure of the Third-Party Vendor.
In a 2018 survey, 61% of companies had experienced data breaches caused by their third-party vendors and only 34% organizations surveyed indicated they kept a comprehensive inventory of their third party vendors and the risks they pose.
Understanding the exposure of your third-party vendors and the necessity of the services they provide can help mitigate losses. For example, as services are outsourced and networks expand, sensitive data may be processed outside of an organization’s network. The data can include customer or employee personally identifiable information and other intellectual property. Cloud providers often store an organization’s important data offshore and waive their liability in most contracts with their clients.
Below are a few risk management tips to consider:
- Assign responsibility for managing third-party risks to the CEO, CFO or other top management and give them authority to act and review all agreements.
- Consider the full life cycle of the third-party relationships, from risk planning, and initial evaluation, all the way through contract termination.
- Assess third parties’ continuity, physical security, and disaster-planning controls from year to year.
- Verify the insurance of the third-party Vendor and if possible, require an additional insured endorsement naming the nonprofit under the vendors’ liability policy. Consult with attorney regarding vendor contracts and the potential liability exposure.
Review of the nonprofits insurance policies can also help in determining any added protection or gaps in coverage that need to be addressed. Also, consider purchasing a Cyber Liability policy to protect the organization and the board of directors.
Feel free to call us with any questions. We are here to help.