Gain a 360-degree view of third-party risk by using our SaaS software to centralize, track, automate, assess and report on your vendors. 

Managed Services

Let us handle the manual labor of third-party risk management by collaborating with our experts to reduce the workload and mature your program. 

Document Collection
Policy/Program Template/Consulting
Virtual Vendor Management Office
Vendor Site Audit

Ongoing Monitoring

Let us handle the manual labor of third-party risk management by collaborating with our experts.

Venminder Exchange

As Venminder completes assessments for clients on new vendors, they are then made available inside the Venminder Exchange for you to preview scores and purchase as you need.


Use Cases

Learn more on how customers are using Venminder to transform their third-party risk management programs. 


Venminder is used by organizations of all sizes in all industries to mitigate vendor risk and streamline processes

Why Venminder

We focus on the needs of our customers by working closely and creating a collaborative partnership

Sample Vendor Risk Assessments

Venminder experts complete 30,000 vendor risk assessments annually. Download samples to see how outsourcing to Venminder can reduce your workload.



Trends, best practices and insights to keep you current in your knowledge of third-party risk.


Earn CPE credit and stay current on the latest best practices and trends in third-party risk management.  

See Upcoming Webinars

On-Demand Webinars



Join a free community dedicated to third-party risk professionals where you can network with your peers. 

Weekly Newsletter

Receive the popular Third Party Thursday newsletter into your inbox every Thursday with the latest and greatest updates.



Venminder Samples

Download samples of Venminder's vendor risk assessments and see how we can help reduce the workload. 

State of Third-Party Risk Management 2023!

Venminder's seventh annual whitepaper provides insight from a variety of surveyed individuals into how organizations manage third-party risk today.


How to Perform a Vendor Cybersecurity Review

3 min read
Featured Image

Venminder’s recent State of Third Party Risk Management survey found that fourth party risk management and cybersecurity are expected to be the next biggest hurdles at many organizations. This comes to no surprise as cybersecurity absolutely needs to be a focus. It’s no longer “if” an incident like a data breach occurs but “when” it will happen.

We’re here to help. In order to perform a competent vendor cybersecurity review, I recommend the following steps be taken.

Vendor Cybersecurity Review Steps

Here are seven steps:

1. Focus on the vendor’s cybersecurity testing, sensitive data security, employee, contractor and vendor management and incident detection and response plans.

2. Verify the vendor is performing the following three tests at least annually:

  • Vulnerability Testing: Identifies any vulnerabilities in the infrastructure (e.g., computer, network or communications).
  • Penetration Testing: Identifies any vulnerabilities that could be exploited by an attacker.
  • Social Engineering: Focuses on human error within the organization by testing employee vulnerability to common tactics such as a phishing email. The effectiveness of phishing exercises increases with the frequency of testing. The more an organization performs phishing exercises with its workforce, the less likely the organization is to fall prey to a phishing scam.

Be sure to note any issues you find in your testing review. Mention anything pertaining to critical and high-risk vulnerabilities, notate how vulnerabilities have been addressed, or if they haven’t been, and the vendor’s plan to prevent future vulnerabilities like the ones identified.

3. During the vendor cybersecurity review, ask the vendor how they connect their threat modeling and vulnerability assessments to their patch management program. They should have their threat intelligence and their vulnerability assessments closely coupled with their patch management program.

4. Review the vendor’s sensitive data security as it’s important the information is always protected against unintended disclosure. Their data should always be encrypted while at rest and should be transported via an encrypted channel. The data packet traveling through the encrypted channel should be encrypted, too. Confirm the data is encrypted and being protected from destructive forces and unwanted actions of unauthorized users.

5. Review the vendor's data retention and destruction policies and data classification and privacy policies. These are closely related to sensitive data security and are key to vendor cybersecurity reviews.

6. Make sure the vendor has trained their employees, contractors and vendor management team on how to protect data. Some ways to confirm this include looking for:

  • Confidentiality agreements with individuals
  • Mutual non-disclosure agreements with corporations
  • Employee background checks
  • Annual security training with documented completion
  • Management of vendors
  • Access management policies in place and being followed
  • Documentation to confirm all employees receive annual cybersecurity training

7. Review the vendor’s incident and response plan as part of the cybersecurity review. Make sure it’s tested annually and ask the vendor for the results of their last test. It’s important the vendor has an incident and detection response plan in place to address any issues that come up as this will help reduce the impact on your organization.

As with any of your due diligence reviews, you always want to involve a subject matter expert (SME). In the case of a cybersecurity review, a qualified cybersecurity professional, usually someone with the CISSP certification is your best bet. Once they’ve analyzed the vendor’s cybersecurity program, have them draft up the analysis and then reach out to the vendor to discuss any findings that need addressed.

Conducting a vendor cybersecurity review really isn’t complicated; however, it can be quite time consuming. Although it can seem tedious at times, it’s a critical part of your due diligence process that you don’t want to skimp on. Cybersecurity is a regulatory hot button that isn’t going away anytime soon. Keep your organization as protected as possible from a data breach or cybersecurity vulnerability.  

Protect your organization from third party cyber risk. Found out how and download the infographic.


Subscribe to Venminder

Get expert insights straight to your inbox.

Ready to Get Started?

Schedule a personalized solution demonstration to see if Venminder is a fit for you.

Request a Demo