
How to Perform a Vendor Cybersecurity Review

Oct 2, 2019 by Gordon Rudd, CISSP

Venminder’s recent State of Third Party Risk Management survey found that fourth party risk management and cybersecurity are expected to be the next biggest hurdles at many organizations. This comes as no surprise, as cybersecurity absolutely needs to be a focus. It’s no longer a question of “if” an incident like a data breach occurs but “when” it will happen.

We’re here to help. In order to perform a competent vendor cybersecurity review, I recommend the following steps be taken.

Vendor Cybersecurity Review Steps

Here are seven steps:

1. Focus on the vendor’s cybersecurity testing, sensitive data security, employee, contractor and vendor management, and incident detection and response plans.

2. Verify the vendor is performing the following three tests at least annually:

  • Vulnerability Testing: Identifies any vulnerabilities in the infrastructure (e.g., computer, network or communications).
  • Penetration Testing: Identifies any vulnerabilities that could be exploited by an attacker.
  • Social Engineering: Focuses on human error within the organization by testing employee vulnerability to common tactics such as a phishing email. The effectiveness of phishing exercises increases with the frequency of testing. The more an organization performs phishing exercises with its workforce, the less likely the organization is to fall prey to a phishing scam.

Be sure to note any issues you find in your testing review. Mention anything pertaining to critical and high-risk vulnerabilities, note how those vulnerabilities have been addressed (or that they haven’t been), and record the vendor’s plan to prevent future vulnerabilities like the ones identified.

3. During the vendor cybersecurity review, ask the vendor how they connect their threat modeling and vulnerability assessments to their patch management program. They should have their threat intelligence and their vulnerability assessments closely coupled with their patch management program.

4. Review the vendor’s sensitive data security as it’s important the information is always protected against unintended disclosure. Their data should always be encrypted while at rest and should be transported via an encrypted channel. The data packet traveling through the encrypted channel should be encrypted, too. Confirm the data is encrypted and being protected from destructive forces and unwanted actions of unauthorized users.

5. Review the vendor's data retention and destruction policies and data classification and privacy policies. These are closely related to sensitive data security and are key to vendor cybersecurity reviews.

6. Make sure the vendor has trained their employees, contractors and vendor management team on how to protect data. Some ways to confirm this include looking for:

  • Confidentiality agreements with individuals
  • Mutual non-disclosure agreements with corporations
  • Employee background checks
  • Annual security training with documented completion
  • Management of vendors
  • Access management policies in place and being followed
  • Documentation to confirm all employees receive annual cybersecurity training

7. Review the vendor’s incident response plan as part of the cybersecurity review. Make sure it’s tested annually and ask the vendor for the results of their last test. It’s important that the vendor has an incident detection and response plan in place to address any issues that come up, as this will help reduce the impact on your organization.

As with any of your due diligence reviews, you always want to involve a subject matter expert (SME). In the case of a cybersecurity review, a qualified cybersecurity professional, usually someone with the CISSP certification, is your best bet. Once they’ve analyzed the vendor’s cybersecurity program, have them draft the analysis and then reach out to the vendor to discuss any findings that need to be addressed.

Conducting a vendor cybersecurity review really isn’t complicated; however, it can be quite time consuming. Although it can seem tedious at times, it’s a critical part of your due diligence process that you don’t want to skimp on. Cybersecurity is a regulatory hot button that isn’t going away anytime soon. Keep your organization as protected as possible from a data breach or cybersecurity vulnerability.


Written by Gordon Rudd, CISSP

Gordon Rudd is a Third-Party Risk Officer at Venminder. Gordon has more than 30 years of experience in the financial services industry in the areas of third-party risk management, technology, information security, enterprise risk management and GRC (Governance, Risk Management and Compliance) program development. Gordon works with the Venminder delivery team as a third-party risk management and cybersecurity subject matter expert in residence.