The Denver Auditor’s Office has suggested the city invest in better monitoring of third-party information technology vendors to better protect itself from hackers.

A release from the office documents “some incidents” since January 2021 where a vendor-provided product had a service interruption and the vendor did not compensate the city. 

Auditor Timothy M. O’Brien said 31% of the 26 vendors tested had “critical incidents” and the city did not seek compensation. 

“If the city never holds vendors accountable, then more vendors will test the limits of what they can get away with using taxpayer resources,” O’Brien said. 

Only one vendor reimbursed the city, and the process was started by the vendor, not the city. O’Brien said the city is not holding vendors accountable, which puts the city’s data, services and reputation at risk. 

O’Brien recommends the city implement several “critical strategies,” including dedicating staffing to monitoring the city’s contracts with vendors and providing training and reviewing security assessments. The city drafted a vendor management policy in 2021, but did not finalize it until after O’Brien’s audit was completed. 

“We hope that because agency officials already have a draft policy, and because they agreed to all our recommendations, they will make the needed changes quickly and completely,” O’Brien said. 

City officials did not immediately respond to a request for comment.