Every organization focuses on cybersecurity to protect itself. However, cybersecurity alone is not enough to manage a tribal business’s vendors. A vendor may have strong cybersecurity and still fail because of financial instability or operational or legal issues that disrupt your business.
Vendor Risk Management (also known as Third-Party Risk Management – TPRM) is a crucial component of risk management. It ensures that you can continue to operate your business and that nothing impedes the services you provide to tribal members.
Key suppliers can include vendors who provide:
- Infrastructure & Technology Services: Suppliers for broadband, renewable energy, and construction materials are critical for developing tribal communities.
- Specialized Professional Services: Firms providing legal, financial, accounting, and consulting services, particularly those specializing in Indian law and economic development, are crucial for managing tribal enterprises and government operations.
- Operational Supplies: Suppliers for gaming enterprises (hospitality, gaming equipment), convenience stores, and healthcare services are high-volume, regular suppliers.
Some examples of when vendor failure impacted Tribal nations include:
- Blaze Construction Company became entangled in state tax disputes regarding projects on reservation land, causing disruptions to construction projects meant to improve infrastructure.
- In the early 2000s, the Viejas Band of Kumeyaay Indians dealt with reputation risk and negative publicity from contentious partnerships.
- During the 2020 disruptions, the Osage Nation realized that they had no “meat” to feed their elders or schools because commercial meatpacking plants—dominated by four major corporations—had shut down.
- In 2014, a physician employed by a private staffing agency violated HIPAA standards by improperly accessing protected health information at three facilities: Fort Yates, Cass Lake, and Crow Service Units.
- In 2023, a shortage of a cancer drug, Cisplatin, was triggered by a quality failure at a private plant run by Intas Pharmaceuticals. As this one vendor supplied 50% of the U.S. market, tribal hospitals faced severe difficulties in treating oncology patients.
- In the last few years, nearly 90% of healthcare organizations in the US reported at least one cyberattack. Over 35% of breaches stemmed from problems at third-party vendors.
Typically, TPRM programs will focus on the following for their important vendors in addition to assessing their security:
- Operational Risk: A vendor might have perfect security but fail to deliver services, go out of business, or experience natural disasters, causing massive supply chain disruptions.
- Financial Risk: A vendor in financial distress may cut corners on security or become unable to fulfill contracts.
- Compliance/Legal Risk: Vendors may not adhere to data privacy regulations, leading to fines and legal liability for you, even if no technical breach occurred.
- Reputational Risk: A vendor involved in unethical practices or poor customer service can tarnish your brand by association.
What can be done to address this:
- Rigorous Due Diligence: Assessing and periodically reassessing security, financial, and operational stability.
- Continuous Monitoring: Using tools to track vendor security in real time rather than annually.
- Clear Contracts & SLAs: Defining strict security, data handling, and reporting requirements in all contracts.
How can CastleHill Help?
CastleHill provides cost-effective vendor risk management services to multiple tribes and many other organizations including:
- Vendor Onboarding support
- Vendor Assessment lifecycle management
- Findings management
- Issues management
- Ongoing monitoring and management
- SOC 2 Refresh program management
- Performance and Exit Strategy management
- Certificate of Insurance management
Don’t wait for a vendor failure to disrupt your community’s essential services. Request a CastleHill TPRM Briefing and ensure your partners are as resilient as your organization.









