Identifying and mitigating third-party IT risks

COMMENTARY | Transparency, accountability and collaboration with vendors can help agencies reduce the risks associated with third-party contracting.

Shortly after starting a new job as chief technology officer at a large, well-run county, the new CTO realized that one cloud service provider was not performing as expected. Once it became clear the business relationship was deteriorating, it was time for the county to find a new vendor. Identifying a new and more suitable cloud vendor was the easy part, but getting the former vendor to migrate all the county’s data became a monumental hurdle. The vendor said there was no problem returning the data but warned it would be unrecognizable and would cost over $2 million to convert it into a usable format. How could this be?

Years before, the cloud contract had been signed under different staff leadership, and for a good deal of time all seemed fine. But when a far more experienced pair of eyes reviewed all previously signed contracts, it became apparent that the previous CTO’s inexperience, lack of oversight and unintended negligence were going to be expensive.

In another instance of mismanagement, a CIO bragged how he got a great deal from his vendor to store all public safety body-worn camera data for three years at no cost. Everyone in the room was surprised, but they were even more surprised that the CIO lacked an answer as to what might happen in year four. Regardless of the lure of “free,” there is always a cost somewhere. 

IT vendor relations have gone through numerous phases over the years. The recent pandemic brought about the most significant shift in decades, with vendors bending over backward to help state and local governments shift almost overnight to a remote and virtual environment. This profound cooperation continues to this day as hurricanes, flooding and wildfires have wreaked havoc across the nation—and once again, the vendor community has stepped up in heroic and selfless ways. Emergencies and disasters require different sets of skills, expectations, and contractual relationships than day-to-day operations. However, when all returns to “normal,” it is back to working under negotiated contracts and agreements. 

Sound contracts and agreements are good for all sides, and the responsibility for negotiating a sound agreement rests with the governmental entity. Many local governments lack the required negotiating and contract management skills, not to mention the advanced tech savvy required for making informed decisions about cloud, networking and artificial intelligence services. Plus, post-contract evaluations become an afterthought. This is where third-party risks come into play.

In a local government setting, third-party vendor risks refer to the potential dangers or liabilities associated with engaging external entities to provide goods, services, or technology solutions to a government organization.

Identifying and mitigating third-party risks in government IT operations is crucial for maintaining data security, operational continuity and compliance with legal standards. In today’s dynamic and ever-changing tech and policy environment, third-party risks can be categorized as follows:

  • Data security and privacy: Third-party vendors may have access to sensitive citizen data or government information. If the vendor lacks robust data and network security, it could fall victim to data breaches, unauthorized access or data leaks, violating privacy regulations and losing public trust.
  • Compliance and legal risks: Third-party vendors' failure to comply with relevant laws, regulations or contractual obligations—including industry standards, data protection laws and government procurement regulations—can expose the government to legal liabilities, fines or reputational damage. 
  • Service disruption: Reliance on third-party vendors for critical services such as IT infrastructure, software applications or utilities can pose a risk of service interruption. If the vendor experiences downtime, technical issues or operational failures, it could disrupt government operations, impacting service delivery and citizen satisfaction.
  • Financial risks: Engaging third-party vendors involves financial commitments through contracts, licensing agreements or service subscriptions. Financial risks include cost overruns, unexpected fees, vendor insolvency or contractual disputes, which can strain the government's budget and financial resources.
  • Reputational risks: Third-party vendors' actions or performance reflect on the government organization. Negative incidents such as security breaches, service outages or ethical misconduct by vendors can tarnish the government's reputation and erode public confidence in its ability to govern effectively.
  • Dependency risks: Overreliance on a single third-party vendor or a limited pool of vendors for critical services can create dependency risks. If the vendor experiences issues or fails to meet expectations, the government may face challenges in finding alternative solutions or transitioning to new vendors, leading to operational disruptions or increased costs.
  • Supply chain risks: Third-party vendors often have their own network of suppliers and subcontractors. Risks associated with the vendor's supply chain include issues such as supply chain disruptions, substandard quality of components or services, labor disputes or unethical practices, which can indirectly impact the government organization.

Understanding third-party risks upfront can lead to better overall vendor relations and contracts where there are clearly stated policies and procedures. 

But risk management goes far beyond vendor selection and contract negotiations. Beneath the surface lies vendor management and relations. Here are some effective strategies local government tech leaders can use to keep their agencies’ risk at an acceptable level.

1. Risk assessment and inventory. Many local governments lack a sound and updated asset management and inventory system. They purchase products and services as if they were buying a personal device. But in a municipal setting, having an active risk and inventory database is essential—after all, how can anyone manage what they do not know about or see? Here are some basics of the assessment:

  • Identify all third-party providers. This includes direct software and hardware vendors, subcontractors and cloud service providers.
  • Identify all hardware and software systems. This includes locations, ownership, configurations, patches and software updates. 
  • Assess the risk level. Evaluate how critical each vendor is to agency operations and what potential risks each one presents.
  • Collaborate with IT security and risk management teams to assess and categorize third-party risks during the vendor selection process.
  • Ensure that risk assessments are updated regularly to reflect changes in the vendor’s service delivery or the threat landscape.

2. Due diligence. Regardless of the rush to implement, due diligence—however time-consuming—is critical.

  • Vendor selection. Maintain a pre-approved list of vendors who meet the organization's security and compliance standards. Before engaging a third party, check the company’s financial stability, security standards, compliance certifications and references. Also check the vendor’s staff turnover, which may indicate problems with internal management and contract fulfillment.
  • Continuous evaluation. Regularly review the performance and compliance of third-party providers to ensure they meet required standards. Whether quarterly or even annually, this ensures everyone is on the same page and any variances in performance or expectations can be addressed more quickly. 
  • Change of vendors. Establish upfront rules and expectations in case vendors need to be changed. 

3. Contract management. Contract management is a continuous process and requires periodic review and auditing. 

  • Service level agreements. Ensure SLAs are comprehensive and address security, data handling, compliance and reporting. Clearly define penalties for breaches or failures.
  • Right to audit. Incorporate clauses that allow periodic audits of the vendor’s processes and security measures.

4. Security standards and controls. Regular monitoring of data and network security is essential.

  • Data security. Ensure that all third parties comply with relevant data protection laws and industry standards (e.g. HIPAA, PCI DSS, CJIS).
  • Encryption and access control. Require third parties to implement strong encryption protocols and access controls. This should include two-factor authentication. 
  • Training. Provide procurement staff with training on the latest cybersecurity threats, AI, risk management practices and compliance requirements.

Recognizing and managing third-party vendor risks requires thorough due diligence, effective contract management, monitoring and assessing vendor performance, implementing security and compliance measures, and establishing contingency plans to mitigate potential disruptions. It also involves training and fostering transparency, accountability, and collaboration between the government organization and its vendors. IT leaders need to actively address risks and uphold the public interest.  

Dr. Alan R. Shark is the Executive Director of the Public Technology Institute (PTI) and Associate Professor for the Schar School of Policy and Government, George Mason University, where he is also an affiliate faculty member at the Center for Advancing Human-Machine Partnership (CAHMP). Shark is a National Academy of Public Administration Fellow and Co-Chair of the Standing Panel on Technology Leadership. Shark also hosts the bi-monthly podcast Sharkbytes.net. Dr. Shark acknowledges collaboration with generative AI in developing certain materials.
