Third-party vendors can open the doors to growth and competitiveness, but they can also introduce operational, cyber, or financial risks.
Whether you’re starting out or an established business, the process of selecting and onboarding a new vendor is a critical juncture that requires careful due diligence. But what information should you collect from your vendors, and how can you verify that it’s accurate?
We’ve compiled a vendor due diligence checklist that includes baseline information that can inform your procurement decision-making. Not every item in this list is a necessity, but the more you complete, the more thoroughly you can mitigate risk in the vendor selection process.
Vendor due diligence checklist
1. Basic company information
Collecting basic information can help you verify that the company is legitimate and licensed to do business in your area. You’ll also want to collect information on key personnel for use in further risk assessments.
- Articles of incorporation (or similar corporate charter)
- Business license
- Company structure overview
- Biographical information of executives and board members
- Location (are they located in a high-risk country?)
- Proof of location, such as photographs or an on-site visit
- References from credible sources
2. Financial information
It’s important to check that a vendor is financially solvent and paying their taxes. There’s no sense in working with a vendor that won’t be in business next month. Conversely, a strong growth pattern could forecast an increase in prices down the line. Be sure to request information on the following:
- Tax documents
- Balance sheets
- Loans and other liabilities
- Major assets
- Compensation structure
3. Political and reputational risk
Vendors with access to important information or systems, such as payroll providers or accountants, must be scrutinized closely. By diligently examining these aspects, you can ensure that vendors are subjected to a thorough evaluation, reducing potential risks to your organization. Check the following:
- Watch lists and sanctions lists: Is the vendor's organization listed on key watch lists, global sanctions lists, or lists published by regulators?
- Lawsuits and regulatory violations: Are the vendor or its key individuals subject to any ongoing or past lawsuits related to their services or regulatory violations?
- Politically Exposed Persons (PEP) and law enforcement lists: Determine if key personnel within the vendor's organization are listed on PEP and law enforcement lists.
- Risk-related internal policies and procedures: Review the vendor's internal policies and procedures related to risk management and data security.
- Consumer Financial Protection Bureau (CFPB) reports: Obtain and assess any relevant reports or actions taken by regulatory agencies, like the CFPB, against the vendor.
- Negative news reports: Search for negative news reports or articles about the vendor's organization, especially those related to security breaches or unethical behavior.
- Social media: Monitor the vendor's activity on social media platforms, looking for any red flags or controversial statements/actions.
- Complaints and negative reviews: Check for customer complaints and negative reviews regarding the vendor's services or conduct, both online and offline.
4. Cyber risk
When you onboard new vendors, it’s critical to understand their cybersecurity postures. After all, when you work with a vendor, you agree to take on any cyber risk associated with that organization. Unfortunately, these risks are on the rise:
- 62 percent of network intrusions originate with a third party.
- 72 percent of organizations have experienced at least one significant disruption as the result of a third-party relationship.
Conducting due diligence is essential, but as you add more vendors to your digital supply chain, keeping up with security questionnaires and assessments is tough. A study by Accenture found that 79 percent of companies are adopting new technologies faster than they can address related security concerns.
A risk-based approach can help manage this problem. Not all vendors will require the same level of due diligence. Instead, tier your vendors according to their importance to your business and access to critical data, then perform the appropriate level of due diligence according to risk. Add the following to your cyber risk checklist:
- Cyber risk assessment questionnaire: Customize your questionnaire to the tier, industry, and level of access the vendor will have. Include questions about the vendor’s protocols for risk management and security, incident response plans, history of cyber breaches, and governance practices.
- Security rating assessment: Augment your security questionnaires by incorporating objective data about a vendor’s security performance. A security rating scores your vendor's overall cybersecurity posture with a higher rating equating to better performance. A rating can also shine a light on past security issues, including any cyber incidents.
- Vendor attack surface: Analyze the vendor’s attack surface to discover any security gaps in their digital infrastructure.
- Cybersecurity frameworks: Has the vendor adopted a cybersecurity framework—such as NIST or SOC 2? Do they comply with regulations like GDPR, DORA, or NIS 2? And how do they ensure continuous compliance?
- On-site visit to assess security controls: This may be necessary for higher-tier vendors such as those that provide mission-critical services or have access to sensitive data.
5. Operational risk
As part of the vendor due diligence process, you’ll want to assess whether the vendor is exposed to operational risks that could negatively affect your company. One example of this type of risk is downtime for a cloud service provider (whether due to a cyberattack or operational issue) that could impact your operations.
To understand operational risk, collect the following:
- Business continuity plan: Does the vendor have such a plan in place? If they do, does their plan assure you that the vendor can continue to offer services in the event of a disaster, cyberattack, or other disruption? What SLAs can you expect? Also, does the vendor have cybersecurity insurance?
- Employee practices: What are the vendor’s hiring and background check protocols? Do they have protocols for cybersecurity training (74 percent of all cybersecurity breaches are the result of privilege misuse or human error)?
- Vendor due diligence: Does the vendor conduct adequate due diligence on its third parties and subcontractors? How will the vendor notify you in the event of a third-party cyber incident on its network? What recourse do you have?
After data is collected, verify and compare it with best practices and your organization’s risk appetite to determine whether a vendor relationship should be pursued.
Vigilance shouldn’t stop there. Continue to monitor vendor relationships—particularly high-tier vendors—for the life of the relationship. For example, a vendor’s security posture is constantly changing. To mitigate any risks to your organization, develop a process for continuously monitoring your vendors’ changing risk profiles.
Finally, look for ways to automate your vendor due diligence process. Automation can help you speed up vendor risk assessments, security questionnaires, and other pre-contract processes.