Since the onset of the SaaS boom, businesses have become more intertwined – and more interdependent – than ever before. The advent of cloud-based technology means that we now rely on our partners and vendors to keep our data and networks safe.
To mitigate the risks, more organizations are conducting third party risk assessments as a prerequisite to buying new technology and renewing existing partnerships. As a crucial component of a holistic third party risk management (TPRM) program, we break down what you need to know and the best practices for conducting a meaningful third party risk assessment, including:
- The importance of third-party risk management
- Steps to conducting a third party risk assessment
- What to look for in a third party risk assessment
- The role of security questionnaires in a third party risk assessment
- What comes after a third party risk assessment
- Third party risk assessments for technology vendors
The importance of third party risk management
No matter your industry, our businesses are more interconnected than ever. According to Vendr, the average organization has relationships with upward of 180 unique vendors. Each of these partnerships requires a varying degree of access to the company’s staff, networks, and proprietary data, ranging from mere visibility to full-on integration. While some third party vendors require very little access to internal systems, others, like subprocessors, become almost inextricably connected to a company’s network and data.
It’s incumbent on security leaders to not only understand the risks associated with each of these relationships, but to document and continually monitor them to minimize the impact on the business. This is where third party risk management comes into play.
Third party risk management is the holistic process of identifying, monitoring, managing, and mitigating risks associated with service providers, vendors, or other external entities with access to your company’s information assets. With a strong TPRM program, your team will be set up to protect the most critical inputs to your company’s success, even as you grow your vendor list to support the business.
Want to learn more about TPRM? Check out our comprehensive resource: What is Third Party Risk Management?
What is a third party risk assessment?
For technology buyers, a crucial component of any TPRM program is the third party risk assessment. This work is conducted by technology buyers as a vetting and intake exercise prior to the beginning of a business relationship, and is typically a required step in order for a contract to be signed with a vendor. Whether it’s a new marketing tool, a payment processor, or a human resources system, it’s crucial that the security team understands the risks the third party represents to the business.
The third party risk assessment is becoming a non-negotiable for technology buyers, who are increasingly cognizant of the impact of their third party vendors on the company’s data security, operations, compliance, reputation, and even business success.
Steps to a third party risk assessment
A typical third party risk assessment involves vetting the full spectrum of risk posed by the vendor. These risks can include cybersecurity risk, operational risk, regulatory risk, reputational risk, and even financial risk. The process is typically accomplished through a request for documentation and insight on each risk category from the vendor, helping form a complete picture of the vendor’s commitment to security.
For several risk categories, vendors will be expected to provide third party attestations to verify the company’s trustworthiness. For others, the vendor will provide detail into specific policies, processes, and procedures that demonstrate how they safeguard their business assets.
What to look for in a third party risk assessment
In your third party risk assessment, you will be looking to vet the full range of risk categories, including the vendor’s standard documentation, third party certifications, and internal policies, among others. Here is a comprehensive list of the most common third party risk assessment criteria for technology buyers:
Cybersecurity documentation
The most commonly-requested information during a third party risk assessment, this documentation will give you detailed information about the company’s cybersecurity policies. This includes SOC 2 and pentest reports, any completed security questionnaires, and other reports such as a security whitepaper.
Risk Profile
Insight into the vendor’s required level of connectivity. Includes the vendor’s access level requirements for data, customer impact level, third party dependence, and hosting information.
Compliance certifications
These badges demonstrate a verified commitment to meeting compliance thresholds. These certifications will vary by industry and geography, and may include SOC 2 and SOC 3, GDPR, CCPA, ISO 20071, CPRA, CSA Star, FedRamp, among others.
Data Security
Includes backups enabled, data deletion policies, encryption-at-rest and encryption-in-transit policies, physical security information, and more.
Product Security
Includes information about integrations, audit logging, access control, MFA, SSO support, and more.
App Security
Includes responsible disclosure, code analysis, credential management, secure development policies, vulnerability and patch management, among others.
Legal
Includes subprocessors, cyber insurance, data processing agreements, service agreements, privacy policies, SLA information, terms of service, and more.
Access Control
Includes data access, logging, and password security.
Infrastructure
Includes status monitoring, infrastructure hosting, business continuity and disaster recovery plans, infrastructure security, and production environments.
Endpoint and Network Security
Includes disk encryption, DNS filtering, endpoint detection and response, mobile device management, threat detection, data exfiltration monitoring, firewalls, and more.
Corporate Security
Includes email protection, staff training, HR security, incident response, penetration testing policies, internal SSO, and more.
Policies
Includes acceptable use policy, access control policy, code of conduct policy, data management policy, incident response policy, information security policy, operations security policy, risk management policy, and more.
Security Grades
Including security grades obtained from third parties such as SecurityScorecard, Qualys SSL Labs, and others.
Answers to Commonly-Asked Customer Questions
Above and beyond the standard risk categories, particular vendors may require specialized insight into their policies and procedures, such as information on AI security. They may provide responses to these common questions via a pre-completed questionnaire offered proactively as part of the third party risk assessment.
Incident communications
You should also consider exploring the vendor’s communication policies, including how the company communicates with customers and stakeholders in the event of an incident or a breach. If the vendor has a trust center, you may be able to ascertain the company’s commitments to transparency and proactivity through its updates or security log section.
The role of security questionnaires in third party risk assessments
The aforementioned list of documentation and information is both lengthy and of critical importance to conducting a thorough third party risk assessment. In order to ascertain all of these insights in an organized way, many technology buyers resort to sending vendors a security questionnaire. Several standardized questionnaires, including the CAIQ and SIG, among others, have been developed to help buying organizations ingest a vendor’s security controls.
While these questionnaires may provide comprehensive insight into a third party vendor’s security controls, this process is far from perfect. Friction is often experienced by both sides of the questionnaire completion process.
An increasingly common solution to this challenge is the implementation of a trust center – a customer-facing home for a vendor’s security documentation. With a trust center, buyers can conduct a third party risk assessment on their own time, reducing the time and resources required for both their teams and the vendor.
What comes after a third party risk assessment
Once the third party risk assessment is completed and the vendor’s risk has been deemed acceptable, technology buyers must continue to monitor the impact of the relationship as part of its TPRM strategy. This includes gaining real-time insight into emerging threats and vulnerabilities, identifying risks quickly and taking action to protect the business as needed. Additionally, buyers must continue to assess the viability of the partnership on an ongoing basis, including conducting additional third party risk assessments prior to contract renewals.
Third party risk assessments for sellers
If you are a technology buyer, it’s likely your organization is also a third party vendor itself. Your team may also be on the receiving end of buyer third party risk assessments, and should have an approach in place to support buyer risk assessments in a scalable way. This includes aggregating all aforementioned risk information into a single location, documenting and publishing responses to common buyer questions, and creating a plan for proactively sharing this information with customers during the buying process.
In our customer trust-powered world, more organizations are looking at the buyer third party risk assessment process as an opportunity to send strong messages to buyers about their commitments to security. With a transparent and proactive approach to buyer security reviews, these organizations are creating surprising and delightful buyer experiences that reinforce customer trust.
SafeBase is the scalable Trust Center that automates the security review process between buyers and sellers. With a SafeBase Trust Center, companies can seamlessly share sensitive security documentation with buyers and customers, including streamlining the NDA signing process by integrating with your CRM and your data warehouse.
If you’re ready to take back the time your team spends on security questionnaires, create a better buying experience, and position security as the revenue-driver it is, get in touch with us.
