Vendor Risk Assessments & Hidden Recurring Commitments

When founding teams find a way to survive their first vendor risk assessment -- usually on the tail end of making their first enterprise sale -- it's a moment that calls for celebration. At Havoc Shield, one of the absolute best moments for us is when a client calls us back and says "with your help, we made it through that security questionnaire" -- it's a celebration on our end too!

But, is the end of a vendor risk assessment the final chapter in the vetting that the startup will face from their new enterprise customer? In a word, no. We'll explore below.

The Representations You Make

Can we start with the elephant in the room? When your tiny startup gets the chance to land one of your first big enterprise deals, it's very probable that you'll end up bending to the requests of the enterprise on many dimensions.

Whose "Paper" is the Deal On?

A recurring story that we hear from startups is that enterprises cut them off at the pass when they present their typical order form and/or terms of service. Often, the enterprise will respond with a Master Services Agreement (MSA) -- a comprehensive agreement that the enterprise has prepared as a baseline for deals with vendors of all types. That immediately puts startups on their heels: they are in unfamiliar territory in terms of the representations they are being asked to make. One topic that is likely to be covered somewhere deep in that MSA -- maybe in esoteric language -- is whether or not the representations made in related materials (such as a vendor risk assessment) are incorporated by reference into the broader agreement. If they are, every "yes" on the questionnaire becomes a contractual promise. Founders absolutely need to speak with their counsel to ensure that they understand what binding agreements they are making on that front.

What did that Vendor Risk Assessment say, anyway?

Here's where startups get into trouble. Often the person that completed the vendor risk assessment is different from the person negotiating the legal agreement with the enterprise client. For example, perhaps the CTO filled out the vendor risk assessment, but the CEO or head of sales ran point on negotiating the legal agreement. That's not necessarily bad, but it's crucial that everyone involved knows what obligations the startup took on during the vendor risk assessment.

Let's bring this topic to life in a very real example. Suppose the vendor risk assessment asked the startup if their employees go through quarterly security awareness training. Suppose that the startup didn't previously have any such policy, but that they adopted that type of policy "just in time" to be able to respond "yes" to the question. This happens all the time -- almost every startup we work with does at least some hurried improvement in their security program when an enterprise questionnaire forces the topic. In this particular example, we'd want the startup to at least run their very first security awareness training, and put some specific mechanism in place to ensure that it recurs on a quarterly basis (using Havoc Shield, perhaps).

But, when the person that fills out the vendor risk assessment is different from the person negotiating the legal agreement, it's not unusual for manically busy startup folks to fail to connect the dots: the precise, ongoing commitments they made on the questionnaire are now obligations they are bound to fulfill, and nobody is tracking them.

The Representations We See

If you follow this blog, you know that we've been tearing 100+ enterprise security questionnaires to shreds trying to surface useful patterns for all of you. By studying a large set of enterprise security questionnaires, we're able to help our clients (and you) anticipate the security controls that enterprises are most likely to ask you for, and to help you implement them proactively.

Another benefit of our analysis (one we didn't expect) centers around what we learned about recurring commitments. In our analysis of these enterprise security questionnaires, we noticed that terms like "annually" and "quarterly" were popping up all over the place -- so we dug deeper to understand precisely what recurring commitments startups were being asked to make in these vendor risk assessments. Here's what we found.

63% of the vendor risk assessments we looked at had at least one question that probed for a recurring process. Broken down by cadence (a single questionnaire can count in more than one row), the share of questionnaires with at least one recurring requirement was:

  • 40% had one or more annual requirements
  • 31% had one or more quarterly requirements
  • 32% had one or more monthly requirements
  • 23% had one or more weekly requirements
  • 30% had one or more daily requirements

Yes, you heard that right: 30% of the questionnaires we reviewed had at least one question that probed whether a particular activity was (or wasn't) happening daily. Some of the hot topics on the questionnaires that asked about daily activities included:

  • Backups
  • Audit log reviews
  • Anti-virus scans
  • Anti-virus signature updates
  • Review of all security events
  • Access revocations for terminated employees
  • Monitoring of processing capacity
  • Review of intrusion detection system (IDS) logs

In contrast, here are some of the most common topics that these vendor risk assessments asked for on an annual basis:

  • Penetration tests
  • Internal network scans
  • Review, update, and test of disaster recovery and business continuity plans
  • Review of performance under the contract relative to SLAs
  • Review of security policies and plans
  • Completion of independent audits such as SOC 2
  • Completion of security awareness training
  • Completion of incident response exercises
  • Review of firewall configurations
  • Review of privacy policies
  • Completion of developer training
  • Completion of privacy training
  • Risk assessments
  • Employee acknowledgment of employee handbook
  • Hardware inventory update
  • Software inventory update
  • Network diagram update

In short, it's extremely likely that your startup will accumulate many recurring obligations as you travel the path of selling to (or partnering with) large enterprises that have extensive vendor risk assessment processes.
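The "just in time" quarterly training example above and the cadence breakdown are exactly the kind of thing that gets lost between the person answering the questionnaire and the person signing the MSA. As an added illustration (not code from the article or from Havoc Shield), here is a small Python register that turns each "yes" to a cadence question into a tracked commitment and flags the ones whose latest evidence is older than the cadence allows; the cadence-to-days mapping and the sample questionnaire answers are constructed assumptions.

```python
import re
from datetime import date, timedelta

# Cadence words the questionnaires use, mapped to the longest acceptable gap
# in days. The day counts are an assumption for this example; align them with
# the wording of your own agreement (e.g. "quarterly" as calendar quarters).
CADENCE_DAYS = {"daily": 1, "weekly": 7, "monthly": 31,
                "quarterly": 92, "annually": 366}
CADENCE_RE = re.compile(r"\b(" + "|".join(CADENCE_DAYS) + r")\b", re.I)


def commitments_from_answers(answers):
    """Return (question, cadence) for every 'yes' to a cadence question.

    Answers to questions with no cadence word, and any answer other than
    'yes', create no recurring obligation and are skipped.
    """
    found = []
    for question, answer in answers:
        m = CADENCE_RE.search(question)
        if m and answer.strip().lower() == "yes":
            found.append((question, m.group(1).lower()))
    return found


def overdue(commitments, evidence, today):
    """Return (question, cadence, last_done) for commitments that have lapsed.

    evidence maps a question to the date it was last evidenced; a missing key
    means the activity has never been performed, which is treated as overdue.
    """
    late = []
    for question, cadence in commitments:
        last = evidence.get(question)
        if last is None or today - last > timedelta(days=CADENCE_DAYS[cadence]):
            late.append((question, cadence, last))
    return late


# Constructed sample questionnaire answers and evidence (not from the article).
SAMPLE_ANSWERS = [
    ("Do employees complete security awareness training quarterly?", "Yes"),
    ("Are backups performed daily?", "yes"),
    ("Is a penetration test performed annually?", "Yes"),
    ("Are IDS logs reviewed daily?", "No"),
    ("Do you maintain a written security policy?", "Yes"),
]
SAMPLE_EVIDENCE = {SAMPLE_ANSWERS[0][0]: date(2023, 1, 10),
                   SAMPLE_ANSWERS[1][0]: date(2023, 5, 1)}
SAMPLE_TODAY = date(2023, 5, 2)


def sample_report(today=SAMPLE_TODAY):
    """Run the register over the constructed sample; returns the overdue list."""
    return overdue(commitments_from_answers(SAMPLE_ANSWERS), SAMPLE_EVIDENCE, today)
```

Running sample_report() flags the quarterly training (last evidenced in January) and the annual penetration test (never evidenced), while daily backups evidenced yesterday pass.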

Need a Hand with Vendor Risk Assessments?

Startups need an ally in vendor risk assessment. It can be overwhelming to stare down a lengthy set of security questions and requirements without any internal security-focused personnel. At Havoc Shield, we're glad to pinch hit until your startup grows to a stage where you have a team of full-time security professionals to fully manage your security practices. Drop us a line for help on that difficult vendor risk assessment that is sitting in your inbox. We're standing by to help.