Rob Behnke
February 26th, 2024
Vendor risk management (VRM) is a significant challenge in any industry. Whenever an organization entrusts access to its systems or data to a third party, or relies on that external partner's services, it accepts some level of risk.
A supply chain attack against the company may exploit that trust relationship to move from a compromised vendor to a company’s systems. Alternatively, a vendor going out of business or failing to provide critical services may render the company unable to meet its own service obligations. Managing these security risks is essential to protecting the organization against potential data breaches or interruptions to its operations.
However, while vendor risk management is challenging for any organization, many of these risks are amplified in the Web3 space. The current state of Web3 and blockchain development, including the relative youth of many Web3 companies, their potentially immature security programs, and the complex regulatory environment, introduces several unique risks.
Of these, the following seven vendor management risks should be top-of-mind for any company operating or looking for partners in the Web3 space.
The Web3 space is rapidly evolving, and many startups have been created to offer new products or services. For example, the introduction of Account Abstraction (AA) in Ethereum has launched many startups offering AA as a service.
Companies that are only a year old and have few employees may present security risks for their customers. Startups often lack the defined processes and security controls that enterprise customers require of their vendors. As a result, companies may struggle to find vendors that provide the required capabilities while also implementing effective security.
On the other hand, some products and services are ones that only one or a few vendors are well-qualified to provide. For example, Coinbase is a common choice for custodial services for crypto assets, as discussed in our article on the new Bitcoin ETF.
While choosing a well-qualified vendor is important, it also creates risk if everyone else makes the same choice. A vendor that much of the industry depends on becomes a single point of failure: it is a more attractive target for cybercriminals, and if it suffers a breach or goes out of business, the effects ripple across the industry as a whole.
Web3 is probably the most remote-friendly industry in existence. Many Web3 companies are remote-first, potentially with no physical headquarters. Employees collaborate and communicate online and may occasionally meet up in person at company-sponsored events.
While work from anywhere is great for employees, it creates significant challenges for vendor management. Different jurisdictions have different laws regarding background checks, employment contracts, and similar controls. As a result, a potential customer may struggle to obtain the assurances it needs for its risk management program.
Remote work also introduces BYOD security risks. Home networks and personal devices are generally less secure than corporate ones, increasing the likelihood that phishing and other attacks succeed. An attacker who compromises a vendor employee's personal device inherits that employee's access to the vendor's systems and client data, potentially compromising the vendor's customers as well.
Blockchains are global systems, and many Web3 companies and startups are scattered around the world. Even if an organization’s employees work mostly or entirely on-site, companies are headquartered in various places as different countries and cities compete to be the most friendly to crypto businesses.
With such a relatively new and evolving industry, laws and regulations often struggle to keep up with the changes in the technology and its applications, resulting in a patchwork of laws. As a result, blockchain products and services that are legal in one country may be illegal in another.
The crypto space is full of startups trying to provide a valuable product or service to their users. Often, the goal of these founders is a swift and profitable exit, freeing them up to pursue their next venture.
The volume of mergers and acquisitions within the crypto space can create significant challenges for vendor management. If a vendor is acquired, its products may be discontinued or its terms of service may change. Acquisitions of startups and small businesses by larger players also contribute to the risk concentration problem discussed previously.
The traditional financial sector uses Standardized Information Gathering (SIG) questionnaires designed to streamline the vendor management process. A SIG is a set of questions that potential customers ask their vendors as part of their cybersecurity and compliance due diligence. The answers provide a high-level understanding of a company's operations and help other organizations decide whether they want to become its customers.
While Web3 companies can use SIGs, these traditional questionnaires map poorly to Web3-specific security risks and requirements, and no standardized vendor assessment and risk management questionnaire yet exists for the Web3 space. As a result, companies may struggle to collect the information they need to perform effective vendor risk management, or may not know which questions they need to ask.
The crypto space can be a rollercoaster. As the value of cryptocurrencies rises, money pours into the space, and the number of startups explodes. With bear markets and crypto winters, many of these smaller companies go out of business, and the market contracts until the next bull run.
This boom-and-bust pattern creates significant concerns about the longevity of solution providers in the crypto space. A vendor that provides critical services when the market is good may go bust when crypto values fall, leaving the organization without the tools and services it depends on.
Third-party vendors create risk for an organization, especially in the Web3 space. The relative youth of many Web3 companies, lack of security controls and frameworks, and complex regulatory environment all create challenges for organizations looking to manage their third-party risk.
When developing a cybersecurity strategy for a Web3 project, it’s important to consider these potential vendor risks. A single point of failure, third-party data breach, or other issue could be expensive for an organization and damage its ability to operate.
Halborn can help your organization build a vendor risk management strategy, identify its third-party risks, and develop security best practices to mitigate or eliminate them. To learn more about developing a third-party risk management strategy for your Web3 organization, get in touch with Halborn.