Request Demo

Vendor Offboarding: A Checklist for Reducing Risk and Simplifying the Process

Follow these 7 steps for more secure and efficient offboarding when third-party relationships are terminated.
By:
Scott Lang
,
VP, Product Marketing
October 17, 2024
Share:
Blog vendor offboarding 0323

What is Vendor Offboarding?

Vendor offboarding is the practice of removing a vendor's access to systems, data, and corporate infrastructure – and ensuring that other final actions are executed as stipulated in the contract. Vendor offboarding aims to ensure a smooth and secure transition, minimize risk and disruption to business operations, and protect sensitive information.

Many organizations overlook the importance of a secure and programmatic offboarding process, exposing them to future risks. In this article, we'll cover:

  • Examples of common risks associated with offboarding a vendor
  • Challenges in managing vendor offboarding
  • 7 best practices to securely wind down business relationships

Be sure to also download the complete Vendor Offboarding Due Diligence Guide for additional information on this topic, including a 40-step checklist template you can use to improve your offboarding process starting today.

Types of Risks to Consider When Offboarding Vendors

Proper vendor offboarding is critical to managing risk, particularly since security, procurement, and vendor management teams discontinue vendor oversight when the relationship ends. An incomplete or hastily conducted offboarding process can result in financial losses, regulatory penalties, and reputational damage.

Cyber Risk

A breach of data a vendor retains after termination can lead to reputational problems, legal fees, and regulatory findings. There are several examples of how incomplete third-party vendor or supplier offboarding processes have damaged organizations.

  • In 2023, UScellular reported a data breach that exposed the private information of roughly 5 million customers. Rather than directly attacking UScellular, the criminals targeted a "former third-party vendor" to access the records. When a vendor is offboarded, the vendor should return or securely delete all your records.
  • In January 2023, a data breach occurred involving one of AT&T's former cloud vendors, affecting 8.9 million wireless customers. As a result, AT&T agreed to pay $13 million in FCC fines, improve how it manages customer data, and enforce stricter data handling practices with its vendors to prevent future breaches. This breach occurred years after the contract ended, highlighting the importance of continuously monitoring vendors even after termination.
  • In 2021, Lexington Medical Center suffered a breach when an unauthorized individual with a former vendor, Healthgrades Operating Company, gained access to backup files on archived servers that included protected health information (ePHI). Healthgrades had previously provided patient education services for Lexington Medical Center. When it is not possible to securely delete data due to record retention policies, organizations should ensure that the vendor has controls to prevent unauthorized access to the data.

Financial Risk

The end of a vendor relationship can trigger additional costs. For instance, the vendor may have negotiated an early termination fee. Furthermore, your organization may incur costs to identify, select, and onboard a replacement vendor, such as ramp-up and training fees. Without a smooth transition process, there can be delays in receiving parts, products, and services from new vendors – which, in turn, can disrupt your organization's ability to deliver to its customers.

Legal Risk

Disputes over intellectual property (IP) ownership or termination parameters can arise if your legal department does not thoroughly review the contract during negotiation and with each development throughout the relationship. Legal fees can be substantial if a dispute exists about an organization's right to terminate an agreement.

Reputational Risk

Maintaining good relationships with vendors is important, even when terminating business agreements. Other vendors may interpret poor communications or contract fulfillment with a vendor as evidence that your company is difficult to work with. This can also negatively impact your relationships with other existing vendors or potential business partners.

These examples demonstrate that organizations must assess a wide range of business risks when offboarding vendors.

Minimize Risk After the Contract Ends

Download the Vendor Offboarding Due Diligence Guide to gauge your program against 40+ recommended offboarding tasks.

Read Now
Featured resource vendor offboarding guide

Vendor Offboarding Challenges

Procurement, vendor management, and security teams often view third-party risk management (TPRM) as an exercise to be conducted before onboarding a new vendor. So, it’s no wonder vendor offboarding is an afterthought at many organizations. While nearly 90% of companies track risks from the sourcing and selection phases, fewer than 80% track service-level agreements (SLAs) and offboarding risks later in the relationship lifecycle. While due diligence in vendor sourcing and selection is an important activity, measuring and managing risk extends throughout the relationship with a vendor. This includes managing the end of a relationship with thorough vendor offboarding.

Limited Stakeholder Involvement

As with vendor onboarding, knowledge silos can make it difficult to identify all the required tasks to offboard vendors. Procurement may notify a vendor that a contract will not be renewed, but legal must review contract terms and provide details on what steps are required for a clean termination. In some cases, engineering may need to identify intellectual property shared with the vendor. Manufacturing and operations must confirm what steps are required to avoid production stoppages. Finance must identify outstanding invoices or credits owed by the vendor. IT security must ensure that data is destroyed and system access is revoked. Without coordination between these teams, offboarding is a complicated task.

Lax Offboarding Due Diligence

It is easier to focus on activities with new vendors than on those being offboarded. To mitigate the risks referenced above, it is critical to be thorough when offboarding a vendor. This requires all team members interacting with the vendor to identify potential risks, agree to mitigation requirements, and meticulously track progress. Manual methods for performing due diligence will inevitably lead to missed tasks and unresolved risks.

Incomplete Visibility into Risk Mitigation

Tracking tasks in spreadsheets or shared documents can make the offboarding process inconsistent and prone to errors. A task list's completeness and accuracy are subject to everyone's expertise in the offboarding process. For example, a less-experienced employee may overlook critical tasks or incorrectly mark an item complete without full documentation from a vendor. Spreadsheets that multiple employees can access also lack auditing controls.

Vendor Offboarding Best Practices

A centralized process can help teams automate vendor offboarding, ensure completeness, and mitigate risk effectively. Here are seven best practices to follow during offboarding:

Best Practices for Vendor Offboarding, Vendor Offboarding Process


1. Keep Lines of Communications Open

Teams can mitigate risk by keeping the lines of communication open with the vendor throughout the offboarding process. This includes informing vendors of the offboarding timeline, answering questions, and providing clear instructions regarding what is expected during the process. A solution that centralizes interactions with vendors maintains tasks and timelines and requires approval workflows will greatly reduce the manual work required to address these issues.

2. Perform a Final Review of the Contract

Review the contract’s termination provisions to ensure you have the right to terminate the relationship and, if so, the proper timelines for doing so. If you terminate due to a breach of contract terms, be sure notices have been issued and the vendor’s rights to remedy shortcomings have been honored. Teams may have changed contract terms over time. A final review with legal and procurement can identify scope creep and ensure that the vendor provided all the contractually obligated goods and services.

Finally, review KPIs, pending deliverables, and payments. If the vendor supplies parts, ensure warranty and support agreements that survive termination are clear.

3. Settle Any Outstanding Invoices

After thoroughly reviewing the contract terms and identifying remaining obligations for both parties, ensure that you receive final deliverables and schedule final payments. Be sure to include any credits or returns when calculating payments, as these may be difficult to recover after terminating the relationship.

4. Revoke Access to IT Infrastructure, Data and Physical Buildings

Partners and vendors may require access to your systems, such as those used for purchasing, engineering, marketing, and financial data. When offboarding a vendor, it is critical to terminate their access to your intellectual property and other sensitive data. This includes:

  • Ensuring you have a list of all vendor accounts and deleting login credentials.
  • Providing the vendor with a complete list of all company-owned equipment they must return. When repurposing returned equipment, be mindful of data retention requirements.
  • Changing all logins, including shared credentials if a vendor has elevated system privileges.
  • Deauthorizing access to all applications, including VPNs and cloud apps, for file sharing and messaging.
  • Deauthorizing any access the vendor may have had through APIs, as these could be a useful attack vector if a hacker later compromises the vendor.

Some vendor employees may have required physical access to your offices or server rooms. Deactivate any keycards and badges and ensure the vendor returns all physical keys. Sometimes, it may be necessary to change entry codes to server rooms. Work with your physical security teams to ensure that there is a clear process in place for managing physical vendor access.

5. Review Data Privacy and Information Security Compliance

Vendors often have access to sensitive data that may be subject to regulatory requirements such as CCPA, GDPR, PCI DSS, and others. During offboarding, align your vendor termination procedures with your legal obligations. Third-party risk management platforms will have built-in reporting that aligns with these regulatory obligations, simplifying the compliance process.

If the vendor has copies of your sensitive data, it could be exposed in a later breach. Morgan Stanley failed to oversee the decommissioning of servers by a third party properly. A subsequent breach of the third party exposed personal information and resulted in a $60 million fine from the Office of the Comptroller of the Currency (OCC). Ensure that all intellectual property and sensitive data are returned. Also, an affidavit from the vendor is required stating that electronic copies on the vendor’s infrastructure – including on employee devices – are securely deleted. Review with the vendor remaining obligations such as confidentiality, nondisclosure, and non-compete agreements.

6. Update Your Vendor Management Database

Not all terminations are permanent. You will want a clear record of the vendor’s history with your organization, including the vendor’s key performance indicators (KPIs). To reduce legal risk, clearly document the reasons for terminating the relationship and maintain a complete accounting of the termination procedures. Make sure you have records of all communications, contracts, and other documentation between your organization and the vendor so you can quickly resolve any questions or issues moving forward.

7. Continuously Monitor Vendors for Potential Future Risks

Even though the contract has been terminated and all tasks have been successfully completed, risks to your systems and data and compliance or reputational risks can still emerge long after the relationship ends. Continuously monitoring multiple risk vectors will ensure that your team has extended visibility into potential future risks.

100 Essential Onboarding & Offboarding Tasks

Download the Ultimate Third-Party Onboarding & Offboarding Checklist to understand the essential insights and tasks required to securely onboard and offboard vendors and suppliers.

Read Now
Featured resource onboarding offboarding checklist

Next Steps for Improving Your Vendor Offboarding Process

Manually managing vendor offboarding across a large organization can drain even well-staffed risk management teams. While taking steps such as centralizing vendor data and ensuring uniform offboarding processes across the organization can help, most large organizations benefit enormously from utilizing a dedicated third-party risk management platform.

A dedicated TPRM platform can:

  • Provide a single source of the truth for vendor information, encouraging internal stakeholder and vendor collaboration in a central solution.
  • Centralize contract lifecycle management, automating tasks to ensure contractual provisions are met to protect the company.
  • Automate the assessment and continuous monitoring of vendor risks—from onboarding to offboarding—by centralizing results in a single risk register that enables coordinated action.
  • Offer remediation guidance to ensure offboarded vendors meet your company’s compliance and security requirements to an acceptable level of risk.
  • Deliver a prescriptive process to address final tasks and report according to compliance requirements.

Interested in how Prevalent can help reduce risk during offboarding as part of your broader third-party management lifecycle? Request a demo today.

Tags:
Share:
Leadership scott lang
Scott Lang
VP, Product Marketing

Scott Lang has 25 years of experience in security, currently guiding the product marketing strategy for Prevalent’s third-party risk management solutions where he is responsible for product content, launches, messaging and enablement. Prior to joining Prevalent, Scott was senior director of product marketing at privileged access management leader BeyondTrust, and before that director of security solution marketing at Dell, formerly Quest Software.

Related Posts
  • Ready for a demo?
  • Schedule a free personalized solution demonstration to see if Prevalent is a fit for you.
  • Request a Demo