Four cyber security questions when considering your vendors

1. Whose job is it to assess vendor risk fundamentals?

Company decision-makers must assess their risks before outsourcing with meticulous review of the providers’ people, policies and technology. Before vendor discussions begin, you should have a clear sense of how and where data flows, regulatory considerations, data protection and recovery plans. 

2. How do you set the terms of service and security?

A thorough service contract details your company’s requirements and risk parameters can provide a protective framework for the vendor relationship. Before signing any agreement, you need to ask questions about risk within the vendor’s environment and make sure that regular reviews and reporting will be a part of the core service.

3. What can help ensure vendor compliance?

Independent reports, conducted by outside parties like the American Institute of Certified Public Accountants, can provide an extra layer of oversight and an assessment of trustworthiness and diligence. Some companies ask their vendors to comply with remote audits. Others may request automated reports or that the vendor adopt controls to enable real-time monitoring.  But as with any other element of digital operations, even automated tools are of limited efficiency if the people deploying them are not responsive. In an emergency, the most reliable quality indicators may be whether or not the vendor immediately picks up a distress call and rolls out an efficient response.

4. How do you gauge trustworthiness?

Some decision-makers look at a vendor’s people-oriented skills as a gut check before narrowing the search for the right third-party service provider. Any vendor that touches a company’s networks and most valuable data will need to demonstrate trustworthiness, a willingness to understand a client’s unique needs and accountability in terms of contracts and reputation.

¹ Deloitte, Third-Party Risk Management (TPRM) Global Survey, 2020.