Security Control

Vendor Security Assessments

Framework mappings: NIST Identify ID.SC-1 | CIS Control 15: Service Provider Management

What This Control Means

Vendor risk management is the process of evaluating and monitoring the security practices of third-party vendors, suppliers, and service providers that have access to the organization's data or systems. A breach at a vendor can directly impact the organization; many of the most significant data breaches in recent years have originated through compromised vendors. Your security is only as strong as the weakest link in your supply chain.

Vendor security assessments should be conducted before onboarding a new vendor (due diligence) and periodically throughout the relationship (ongoing monitoring). The depth of the assessment should be proportional to the vendor's access level and the sensitivity of the data they handle. A cloud provider hosting customer data warrants a thorough assessment, while a vendor supplying office furniture does not.

Assessment methods range from security questionnaires (standardized formats like SIG, CAIQ, or VSAQ) and review of compliance certifications (SOC 2 Type II, ISO 27001, HITRUST) to more rigorous approaches like on-site audits and penetration test result reviews. For small and mid-sized businesses, requesting a SOC 2 Type II report from critical vendors is an efficient way to evaluate their security posture.

Vendor risk management should be formalized in a policy that defines how vendors are categorized by risk level, what assessment is required for each level, how often reassessments occur, and who is responsible for managing vendor relationships. A vendor inventory that tracks all third parties, their access level, and their last assessment date provides the operational foundation for the program.

Why Insurers Care

Insurers increasingly recognize supply chain risk as a driver of claims. Applications may ask whether the organization evaluates the security practices of its vendors and how critical vendors are selected and monitored. Supply chain attacks and vendor breaches have generated significant insurance losses, making this a growing focus in underwriting.

Demonstrating a formal vendor risk management program, with documented assessments, risk categorization, and ongoing monitoring, reduces the perceived risk from third-party relationships. Organizations that simply trust vendors without verification are taking on unmeasured risk that insurers are increasingly unwilling to underwrite without appropriate controls.

Industry-Specific Notes

Healthcare (HIPAA)

HIPAA requires Business Associate Agreements (BAAs) with all vendors that handle ePHI, but a BAA alone does not ensure security. Healthcare organizations should assess business associates' security practices before and during the relationship. OCR has held covered entities accountable for breaches that occurred at business associates.

Legal (ABA Guidelines)

Law firms must ensure that vendors handling client data (cloud providers, e-discovery platforms, document management services) maintain security commensurate with the sensitivity of the data. The duty of competence under ABA Model Rule 1.1 extends to supervising third-party service providers.

Financial Services (GLBA/PCI-DSS)

FFIEC and OCC guidance require financial institutions to manage vendor risk through the entire lifecycle: due diligence, contracting, ongoing monitoring, and termination. Bank examiners specifically assess the vendor management program and may request evidence of assessments for critical vendors.

Retail / E-commerce (PCI-DSS)

Retail organizations must assess the security of payment processors, e-commerce platforms, and POS system vendors. PCI-DSS Requirement 12.8 requires maintaining a list of service providers, and Requirement 12.9 requires service provider acknowledgment of their PCI responsibilities. Vendor compromise is a leading cause of retail breaches.

Government / Defense (CMMC 2.0)

NIST 800-171 control SR.L2-3.17.1 requires developing a process for identifying, assessing, and managing supply chain risks. CMMC extends this requirement with additional supply chain security practices. Government contractors must also comply with DFARS clause 252.204-7012, which flows down to subcontractors handling CUI.

Implementation Steps

Create a vendor inventory listing all third parties, their access level, data they handle, and risk category

Establish vendor risk tiers (critical, high, medium, low) based on data access and system integration

Require SOC 2 Type II reports or equivalent evidence from critical and high-risk vendors

Conduct security questionnaires for medium-risk vendors using standardized formats (SIG or similar)

Schedule annual reassessments for critical vendors and biennial reassessments for high-risk vendors
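As an added example (not code from this page or from any product it describes), the following Python script evaluates a constructed vendor inventory against the steps above: it tiers each vendor, checks for the evidence the tier requires (SOC 2 Type II for critical/high, a standardized questionnaire for medium), and flags reassessments that are overdue against the annual/biennial cadence. The tiering rule, the `system_integration` scale, and the intervals for the medium and low tiers are assumptions, since the page does not specify them.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import date, timedelta

# Cadence/evidence from the Implementation Steps; medium/low intervals are assumptions.
REASSESS_DAYS = {"critical": 365, "high": 730, "medium": 730, "low": None}
REQUIRED_EVIDENCE = {"critical": "soc2_type2", "high": "soc2_type2", "medium": "questionnaire", "low": None}

@dataclass
class Vendor:
    name: str
    handles_sensitive_data: bool   # customer PII, ePHI, cardholder data, CUI
    system_integration: str        # assumed scale: "none", "api", "privileged"
    evidence: set[str] = field(default_factory=set)
    last_assessed: date | None = None

def tier(v: Vendor) -> str:
    """Assign a risk tier from data access and system integration (assumed rule)."""
    if v.handles_sensitive_data and v.system_integration == "privileged":
        return "critical"
    if v.handles_sensitive_data or v.system_integration == "privileged":
        return "high"
    return "medium" if v.system_integration == "api" else "low"

def review(v: Vendor, today: date) -> list[str]:
    """List the gaps the program would flag for one vendor as of `today`."""
    t = tier(v)
    gaps: list[str] = []
    needed = REQUIRED_EVIDENCE[t]
    if needed and needed not in v.evidence:
        gaps.append(f"missing {needed}")
    interval = REASSESS_DAYS[t]
    if interval is None:
        return gaps                      # low tier: no periodic reassessment
    if v.last_assessed is None:
        gaps.append("never assessed")
    elif today - v.last_assessed > timedelta(days=interval):
        gaps.append("reassessment overdue")
    return gaps

def inventory_report(vendors: list[Vendor], today: date) -> dict[str, list[str]]:
    """Map each vendor that has open gaps to its gap list."""
    return {v.name: g for v in vendors if (g := review(v, today))}

SAMPLE_INVENTORY = [  # constructed sample inventory, not real vendors
    Vendor("CloudHost", True, "privileged", {"soc2_type2"}, date(2024, 1, 15)),
    Vendor("PayrollSaaS", True, "api", set(), date(2024, 9, 1)),
    Vendor("ChatWidget", False, "api"),
    Vendor("FurnitureCo", False, "none"),
]
```

Running `inventory_report(SAMPLE_INVENTORY, date.today())` yields the action list for the program owner; vendors with no gaps are omitted from the result.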
