Vendor due diligence (VDD) is a security screening of a prospective third-party vendor before a business relationship is formed. The assessment verifies whether the prospect's claims about its security posture hold up and identifies the risks the vendor would introduce to the partnering business.
Vendors often require access to sensitive company data, such as Personally Identifiable Information (PII) and even customers' financial information.
If a vendor is compromised, the attackers can gain access to this sensitive data, or use the vendor's trusted access (credentials, integrations, remote support tools) as a path into your own environment, for example to deploy ransomware. Your business could also face regulatory fines for poor vendor management practices.
Vendor due diligence helps organizations establish a confident third-party risk management program and healthy vendor relationships.
Third-Party Vendor Breach Stats
Third-party vendor breaches occur more often than you might think. Here are some eye-opening stats.
Huddle House
February 2019: Cyber attackers compromised Huddle House's third-party point-of-sale (POS) vendor. The vendor's compromised support tools were then used to install malware on some Huddle House POS systems.
North Country Business Products (NCBP)
February 2019: NCBP, a vendor that processes credit card transactions for businesses, was compromised. The breach may have exposed the card details of consumers who paid at NCBP clients between January 3 and January 24, 2019.
Wolverine Solutions Group (WSG)
March 2019: Wolverine Solutions Group, a content management solution vendor for the healthcare industry, suffered a ransomware attack that exposed the personal information of almost 1.2 million patients. The breach affected almost 700 healthcare organizations that were WSG clients at the time.
Spectrum Health Lakeland was one of the WSG clients impacted by the cyberattack. Approximately 60,000 of its patient records were exposed in the breach.
American Medical Collections Agency (AMCA)
June 2019: American Medical Collections Agency, a patient billing services vendor for the healthcare industry, was compromised, exposing the personal records of over 20 million Americans.
California Reimbursement Enterprises
July 2019: California Reimbursement Enterprises, a former billing services vendor for the healthcare industry, suffered a breach that exposed 14,500 patient records. The breach began when a California Reimbursement Enterprises staff member fell for a phishing email, a reminder that a vendor's people are part of its attack surface.
Vendor Due Diligence Cybersecurity Questionnaires
The most common method for performing cyber due diligence is the questionnaire. A well-designed VDD questionnaire is structured to flush out the security risks of a potential vendor, and its answers should be treated as claims to be verified rather than as evidence in themselves.
Here are some common vendor security red flags that questionnaires help expose:
- Historical instances of data breaches
- Evidence of negligent practices
- The absence of key threat defenses
- Poor threat remediation protocols
- Attack vectors in the vendor's own supply chain (fourth-party risk)
- Poor cyber threat resilience grading
Vendor Risk Assessment Questionnaires
Every organization has unique requirements, so you cannot blindly adopt another organization's vendor questionnaire. Standard best practice is to start from an industry-standard questionnaire or control framework and adjust it to your specific cybersecurity needs and to the data and access each vendor will have.
To speed up the process you can use this vendor risk assessment questionnaire template.
Here are some industry-standard security assessment frameworks you can use as a foundation for your vendor security questionnaires. Between them they contain thousands of control statements that can be turned into questions and adapted to your business.
- Center for Internet Security (CIS) control framework
- Consensus Assessments Initiative Questionnaire (CAIQ)
- NIST SP 800-171
- Vendor Security Alliance Questionnaire (VSAQ)
But cybersecurity due diligence does not start and end with an initial risk assessment questionnaire. As the stats above indicate, vendors fall victim to cyber-attacks often, even after passing an initial security screening.
To maintain a strong defense against third-party breaches, you need to continuously send tailored threat questionnaires to vendors at risk of a data breach. Then, once a threat is remediated, follow-up questionnaires should be sent to further scrutinize a vendor's updated security posture.
This rolling vendor due diligence questionnaire process will keep all of your vendors accountable and your business protected from third-party breaches.
Here's an example of a vendor questionnaire for the Information Security and Privacy category:
- Does your organization process personally identifiable information (PII) or protected health information (PHI)?
- Does your organization have a security program?
- If so, what standards and guidelines does it follow?
- Does your information security and privacy program cover all operations, services, and systems that process sensitive data?
- Who is responsible for managing your information security and privacy program?
- What controls do you employ as part of your information security and privacy program?
- Are there any additional details you would like to provide about your information security and privacy program?
Vendor Business Continuity and Disaster Recovery Plans
The results of a vendor risk questionnaire should reveal whether each assessed vendor has a business continuity and disaster recovery (BCDR) plan, and how mature it is. Even the most prestigious entities fall victim to cyber-attacks; what sets secure vendors apart is how well they are prepared to respond and recover.
A vendor's risk management process should include both a business continuity plan and a disaster recovery plan.
Business continuity plan
A business continuity plan describes how a vendor keeps critical operations running, or restores them, during and after a disruption such as a cyberattack. It should define how and how quickly critical information is delivered to the relevant stakeholders (including affected customers), the maximum tolerable downtime for each critical service (the recovery time objective), and the amount of data loss the vendor considers acceptable (the recovery point objective).
A business continuity plan is a written document that vendors should be willing to share with you on request. Reviewing it shows you what the vendor has actually committed to, rather than what it has asserted in a questionnaire.
Disaster recovery plan
A disaster recovery plan outlines the steps a vendor takes to restore its systems and data when a cyber attack or other disaster takes place.
This document should identify every team involved in recovery and each role's responsibilities. It should also inventory the systems and software in scope, ranked by criticality, so that the most business-critical and highest-risk assets are restored first.
A vendor's own due diligence process should include reviewing and testing its business continuity and disaster recovery plans at least yearly. Recovery plans that are never exercised tend to fail under real conditions, and security practices need to evolve continuously to remain effective against new threats.
Why a Vendor Risk Questionnaire is Not Enough
A favorable response to a submitted questionnaire is not a guarantee of a vendor's security posture; it is a self-attestation. An additional verification process is required to confirm that the answers reflect reality.
Security ratings provide organizations with an up-to-date, externally derived view of each vendor's cybersecurity posture. The rating is based on externally observable signals across the attack vectors that make a business vulnerable to cyberattacks. It is the cybersecurity equivalent of a credit rating.
Security ratings help organizations identify when a risk questionnaire should be submitted, and they offer a means of tracking each vendor's potential risks over time.
This symbiotic relationship makes the combination of security ratings and vendor risk questionnaires a powerful vendor cybersecurity strategy for third-party breach mitigation.