Digital relationships with third-party vendors increase opportunities for growth, but they also increase opportunities for cyberattacks — a recent study found that 61% of U.S. companies said they have experienced a data breach caused by one of their vendors or third parties (up 12% since 2016).
Can questionnaires keep you adequately informed about your third-party risk?
A vendor risk management questionnaire (also known as a third-party risk assessment questionnaire or vendor risk assessment questionnaire) is designed to help organizations identify potential weaknesses among vendors and partners that could result in a breach.
Unfortunately, questionnaires can only offer a snapshot of a vendor’s cybersecurity stance. Systems change, departments are outsourced, and policies are rewritten, so the risk presented by a single vendor is constantly shifting.
Still, questionnaires have a place in the TPRM ecosystem that’s unlikely to change, particularly during the onboarding process. According to a 2018 EY study, 72% of companies use industry-standard questionnaires (or have built their own by using a standard as a baseline).
In this blog post, we’ll give you a basic third-party risk assessment template, and provide you with some sample questions to work from.
Where to start
No two organizations are exactly alike, and the same applies to vendors. Therefore, questionnaires should ideally be tailored not only to your particular industry, but to each vendor as well. Considering which (and how much) data each vendor has access to, in addition to past performance indicators, can help you customize security questions.
There are standard best practices to use as a starting point for the high-level items in your questionnaires. Here are three industry-standard security assessment methodologies you can start with:
Shared Assessments — an organization that develops assessment questionnaires for use by its members.
You can extract thousands of potential questions from these frameworks, and alter them to align with your organization’s priorities. Make sure that your questionnaire also covers any additional areas of concern for your particular industry, such as compliance with specific federal and state laws and regulations.
Questionnaires have historically been a vital part of cybersecurity, but now the industry has to adapt to even more complex, rapidly evolving cyber risks.
Vendor management questionnaires are just one component of a robust, multifaceted TPRM program. They can’t provide a complete picture of third-party risk, and should be supplemented with other solutions as the cyber risk landscape continues to change.
With a comprehensive and consistent TPRM strategy, organizations can identify potential third-party vulnerabilities and mitigate risk.