When a new vendor (maybe a small business) begins working with an enterprise, you can bet that there will be a vendor risk assessment of some form. Format-wise, it might be an Excel-based security questionnaire, a web portal, or a repurposed survey tool with customized questions. It will almost certainly involve a few clarifying conversations, revisions, evaluations, and (here's hoping) approval.
Let's zoom out one level above the nitty-gritty of the individual questions buried deep in the assessment. What are the key vendor risk assessment topics that both sides should expect to discuss at some point in the process? Here's our view, taken primarily from the cybersecurity perspective, which is our focus at Havoc Shield.
Presuming the vendor is providing any element of service that is technology-related, it's a pretty sure bet that the topic of cyber insurance is going to come up. What are the vendor's coverage levels? Does the vendor have enough liquidity on their balance sheet to cover any deductibles? What commitments does the vendor need to make in terms of continuity of coverage? These days, it seems foolish to overlook this key discussion in a vendor risk assessment.
Let the alphabet soup begin: PCI, SOC 2 Type II, ISO 27001, HIPAA, FedRAMP, FERPA, etc. Whatever compliance standards are relevant to the vendor's industry should be a part of the conversation. If the vendor handles payment information, it's hard to imagine PCI not coming up in discussions. If the enterprise sells services to the federal government and the vendor is a component of that service, it's impossible to imagine FedRAMP not entering the conversation. Both sides should expect and be ready for discussion of the relevant compliance standards and the vendor's performance relative to those standards.
The best vendor onboarding teams in enterprises are comfortable working with vendors of all types and sizes. But they know that they need to bring some order to the chaos. One of the ways that happens is a discussion of Service Level Agreements (SLAs). When a vendor is asked to articulate an SLA commitment, it shows sophistication and maturity if the vendor has ready-made SLA commitments to offer. If the vendor attempts to steer the conversation toward an outcome that avoids any SLA commitment, there is a very good chance that the vendor risk assessment is going to red-flag this aspect of the vendor's response.
If you've been around the technology world for long, you'll be well aware of the "data lock-in" strategy employed by some companies. Companies that use this strategy attempt to work with the enterprise in a manner that causes the vendor to become the manager of such a vast and intricate dataset that the enterprise has no practical, reasonable way to later migrate to some other competitive solution. You can bet that the smartest vendor management teams are on to this strategy, and that they'll raise a discussion of what data offboarding tools exist, should they ever need to terminate the vendor relationship. The best will also insist on some retention period on the tail of a contract, to provide ample time for migration to occur.
Relative to other economic sectors, technology companies have an extraordinary propensity for entering into mergers and acquisitions (M&A). Smart enterprise compliance teams realize this, and when they evaluate a vendor, they know it's fair game to discuss the risk that the vendor may later be acquired by a company that the enterprise is less satisfied with. Maybe the vendor will get acquired by a company that the enterprise is unable to work with -- a competitor, for example. When a vendor risk assessment neglects to cover this topic, the enterprise is at risk that some future M&A activity leads to an unpleasant sequence of urgently transitioning to a new vendor. Contract assignability limitations are typically addressed in the Master Service Agreement (MSA); or, if the contract is on the vendor's paper, in redlines negotiated between the parties.
Just about every vendor onboarding process that we've helped clients through this year includes questions about the vendor's infosec policies. Often the requests are more specific, such as asking the vendor to supply copies of particular policies, such as:
The best vendor risk assessment teams also ask for something equally important: evidence that the employees of the organization have reviewed and acknowledged the policy. Enterprises want to avoid a situation where a policy exists only as a matter of formality -- they want to know that the vendor's employees know about the policy and agree to comply with it.
Whether you are on a small business team working to sell your product or service to an enterprise, or an employee of the enterprise's vendor onboarding team, these are discussion topics that you should keep in mind during the evaluation process. These topics are extremely likely to come up whenever the vendor's business has anything at all to do with technology products or services. By being prepared (on both sides) for the discussion, the process can advance more quickly and with less friction. Want a hand working through the particulars of a vendor risk assessment? Feel free to get in touch; we'd love to help.