Gain a 360-degree view of third-party risk by using our SaaS software to centralize, track, automate, assess and report on your vendors. 

Managed Services

Let us handle the manual labor of third-party risk management by collaborating with our experts to reduce the workload and mature your program. 

Document Collection
Policy/Program Template/Consulting
Virtual Vendor Management Office
Vendor Site Audit

Ongoing Monitoring

Let us handle the manual labor of third-party risk management by collaborating with our experts.

Venminder Exchange

As Venminder completes assessments for clients on new vendors, they are then made available inside the Venminder Exchange for you to preview scores and purchase as you need.


Use Cases

Learn more on how customers are using Venminder to transform their third-party risk management programs. 


Venminder is used by organizations of all sizes in all industries to mitigate vendor risk and streamline processes

Why Venminder

We focus on the needs of our customers by working closely and creating a collaborative partnership

Sample Vendor Risk Assessments

Venminder experts complete 30,000 vendor risk assessments annually. Download samples to see how outsourcing to Venminder can reduce your workload.



Trends, best practices and insights to keep you current in your knowledge of third-party risk.


Earn CPE credit and stay current on the latest best practices and trends in third-party risk management.  

See Upcoming Webinars

On-Demand Webinars



Join a free community dedicated to third-party risk professionals where you can network with your peers. 

Weekly Newsletter

Receive the popular Third Party Thursday newsletter into your inbox every Thursday with the latest and greatest updates.



Venminder Samples

Download samples of Venminder's vendor risk assessments and see how we can help reduce the workload. 

State of Third-Party Risk Management 2023!

Venminder's seventh annual whitepaper provides insight from a variety of surveyed individuals into how organizations manage third-party risk today.


Ensure Third-Party Compliance With the FTC Data Breach Notification Requirement

3 min read
Featured Image

If you haven’t yet considered how to address data breach notification requirements with your third-party vendors, now might be a good time. On October 27, 2023, the Federal Trade Commission (FTC) became the latest regulator to issue a requirement regarding data breach notifications. Although this amendment to the Safeguards Rule applies to financial institutions, including non-banking organizations such as mortgage brokers and auto dealers, any organization can benefit from understanding these requirements.

The Basics of the FTC Safeguard Rule Breach Notification Amendment

The FTC’s Safeguards Rule has undergone a few updates since it became effective in 2003. This latest amendment requires financial institutions, including non-banking organizations, to report certain security incidents that impact 500 or more consumers. In this case, a security incident is defined as one that involves unencrypted customer information that was acquired without authorization.

The following excerpt is taken directly from the final rule and describes what an organization must include in the notification to the FTC:

The notice to the Commission must include:

(1) the name and contact information of the reporting financial institution;

(2) a description of the types of information that were involved in the notification event;

(3) if the information is possible to determine, the date or date range of the notification event;

(4) the number of consumers affected;

(5) a general description of the notification event; and, if applicable, whether any law enforcement official has provided the financial institution with a written determination that notifying the public of the breach would impede a criminal investigation or cause damage to national security, and a means for the Federal Trade Commission to contact the law enforcement official.

The rule further states that an organization must notify the FTC “no later than 30 days after discovery of the event,” which can be done by submitting the notice through the FTC’s website.

ensure third-party compliance FTC data breach notification requirement

3 Tips to Ensure Third-Party Compliance With the FTC Data Breach Notification Rule

Although this guidance isn’t focused on third-party data breaches, it’s important to consider how these requirements can affect your third-party relationships. Remember that your organization can face significant reputational, financial, and regulatory impacts from third-party data breaches, so it’s best to take a proactive approach and ensure compliance with this guidance.

Here are some tips to keep in mind:

  • Regularly review your third parties’ cybersecurity documentation. Third-party data breaches aren’t completely avoidable, but it’s still essential to have a thorough understanding of your third parties’ cybersecurity posture so you can identify any gaps or weaknesses in the vendors’ controls that can lead to an incident. This can be achieved by reviewing various documents such as penetration testing results, data retention and destruction policies, and incident detection and response plans.
  • Add breach notification requirements to your third-party contracts. This is where you can align your contractual requirements with regulatory expectations. Breach notification requirements should generally include details about the timing of notification, such as 24-72 hours after the third party discovers the incident. You may also want to require the third-party vendor to provide information about how they will investigate the data breach, remediate the situation, and prevent any future incidents. Your contract should also include any penalties that may be imposed on the third party after a breach, such as a suspension or termination.
  • Consider other laws and regulations. This guidance from the FTC is just one of several that might be relevant to your organization. Various states have also issued their own data breach notification requirements, along with requirements from the NCUA and the SEC, so it’s a good idea to stay updated on current laws and regulations.

The Safeguards Rule is intended to protect customer information. All organizations, regardless of industry, can benefit from the best practices outlined in this guidance. By maintaining an effective information security program that includes data breach notification requirements with your third-party vendors, your organization will be well prepared to respond to any future security incidents.

Subscribe to Venminder

Get expert insights straight to your inbox.

Ready to Get Started?

Schedule a personalized solution demonstration to see if Venminder is a fit for you.

Request a Demo