What does the contract say?

Who is responsible? Where does the liability fall? I did not realize that the vendor managed sensitive data! Don't we have insurance for that? Didn’t we transfer the risk by outsourcing? These are some questions and statements that emerge when a third party's actions impact an institution’s reputation, financial health or operational effectiveness. While not all risk aspects can be transferred, effective management of third-party risk through contractual agreements and vendor risk assessments can reduce risk and enhance institutional resilience.

How can you manage third-party risk?

To properly manage third-party risk, colleges and universities should elevate the importance of adopting a vendor risk management policy and framework. This includes both an emphasis on strong contract language and proactive vendor risk assessments. Contract risk assessments can expose ambiguity that can lead to disputes and vendor vulnerabilities that can increase an institution's risk profile. The vendor risk assessment process should be cross-functional and ongoing. It should not cease upon contract execution but be monitored continuously as third-party relationships evolve and risk exposures change.

Why does it matter?

While many contracts go off without a hitch, when things go wrong they can greatly increase costs and damage reputation. According to a report from SecurityScorecard and the Cyentia Institute, "98% of the 230,000 organizations they analyzed had a relationship with a third party that had suffered a breach in the past two years." One notable breach that impacted the education sector is associated with vulnerabilities in a third-party software product, MOVEit.

What is even more disturbing in the SecurityScorecard and Cyentia report is that "third-party vendors are five times more likely to exhibit poor security." In addition, "Half of organizations have indirect links to at least 200 fourth-party vendors that have suffered prior breaches." According to Comparitech, in 2023, "60 percent of breaches occurred in colleges and universities (largely due to the significant impact of the MOVEit transfer breach)." The MOVEit breach alone impacted over 800 institutions. From a cost perspective, the average data breach in the higher education and training sector costs $3.7 million, according to a 2023 IBM report.

However, third-party data breaches are not the only concern. Mission-critical vendors, study abroad vendors, transportation vendors, and any vendor that can impact the life safety of students, faculty, and staff should all be part of your third-party risk assessment program.

Where to begin?

  • Foster a partnership between risk management, IT, procurement, legal, and the business unit to create and adopt a contract risk assessment framework.

  • Include risk management early in the contract negotiations to facilitate mutual understanding and increase operational efficiency.

  • Utilize a system to track the progress of a contract; include important supporting documentation on risk mitigations as well as proof of insurance with the contract documents.

  • Lastly, the cross-functional team should assign a risk level to the vendor based upon the risks, the mitigations, and the organization's risk appetite. The classification can be categorized as low, medium, or high. Share the results with key leaders, especially if the vendor is critical and the risk level is medium to high. It is imperative that all stakeholders have a clear understanding of the risks before contract execution.

What are the key components of a vendor risk assessment?

Understanding the Statement of Work (SOW): The business unit initiating the contract must understand the SOW and articulate it transparently to the cross-functional review team. Any ambiguity about what service the vendor is performing or what product it is providing must be resolved before the review proceeds.

Risk Identification: What are the risks associated with the vendor's SOW? Think of the things that could go wrong and adversely affect student experience, institutional operations, reputation, and mission. Partner with the Risk Management Department to gain insight into how risks can be measured and potentially mitigated.

Who are the contracting parties? Is your institution partnering with the correct legal entity? If you are working with a corporation, they may have multiple subsidiaries; know which one is party to the agreement. Without this understanding, your organization can be faced with enforcement challenges, liability issues, and potential regulatory non-compliance.

Insurance requirements. Insurance is a financial tool to help mitigate losses. Does your vendor have the appropriate insurance? Insurance is one of several considerations that can impact the risk profile of a third party. The insurance required depends on the SOW. Partner with the Risk Management Department to confirm what types of limits, coverages, and provisions are appropriate for the agreement.

Once insurance requirements are delineated in the agreement, you need proof of coverage. A certificate of insurance (COI) is the industry standard. A COI should be collected, reviewed for contractual compliance, and stored appropriately before contract inception. A good document management system makes it easier to locate the relevant COI in the event of an insurance claim.

Indemnification provision: This is another mitigation strategy. Indemnification is a contractual obligation where one party agrees to compensate the other for loss or damage incurred in connection with specified contractual events. Understanding who indemnifies whom, and for what, is paramount. In addition, the financial stability of the vendor determines the real value of the indemnification provision: if a vendor is not financially solvent, the promise to indemnify may be worth little when you need to rely on it.

Limitation of liability (LoL): Watch out for this provision. It can appear in many sections of an agreement and, by capping damages, could limit what your organization can recover after a loss. For example, you may require $5 million in cyber insurance, but if there is a LoL capping damages at the fees paid (and those fees are less than the insurance limits), then your recovery may be far less than expected, creating an unexpected financial gap. The LoL can also undercut the indemnification provision in the same way.

Data Classification: Technology is a key component in many contracts, and with technology comes data. Understanding what kind of data is involved in an agreement is essential to determining your third-party risk level and mitigation strategy.

If sensitive data is part of your agreement, you need to ask probing questions. Below are a few to get started:

  • What security measures and controls will you have in place to protect our data?

  • Who has access to our data?

  • What multi-factor authentication practices will be used?

  • How and where will the data be stored and when is the data purged?

  • What are the data encryption practices?

  • Do you use subcontractors?

  • What is your incident response plan? When are we notified in the event of a breach?

Remember, if your institution owns the data, your organization remains responsible for adequate security measures. This means that your organization could still be on the hook for any regulatory or financial consequences arising from your third party's actions.

Final thoughts

With cyberattacks increasing, a challenging regulatory environment, and colleges and universities facing growing scrutiny, there is no better time than now to get ahead of third-party risk.

Implementing a vendor risk management program can proactively safeguard sensitive student data, facilitate regulatory compliance, and protect an institution's reputation. Through cross-functional collaboration, transparent negotiations, and strong contract language, colleges and universities can reduce risk, avoid costly disruptions, and ensure that their mission and goals are not hampered by the acts of others.
