Next Steps After Your Vendor Experiences a Ransomware Attack


Ransomware has become so prevalent over recent years that the Cybersecurity & Infrastructure Security Agency (CISA) has launched an entire initiative to prevent and respond to this type of malware. The #StopRansomware Guide was jointly published by CISA, the National Security Agency (NSA), and the Federal Bureau of Investigation (FBI) to help organizations understand how to prevent ransomware and how to respond if they’re a victim.

Maybe you feel confident that your organization has effective cybersecurity practices and knows how to respond to an incident, but what about your third-party vendors? Do you have a plan in place if your vendor announces it’s suffered a ransomware attack?

According to Black Kite’s Third-Party Breach Report, 27% of third-party data breaches in 2022 were ransomware attacks. So, it’s important to know how to respond if your vendor is a victim.

Immediate Steps to Take After a Vendor Experiences a Ransomware Attack

You’ll need to act quickly if your vendor discloses a ransomware attack. A data breach notification clause in your vendor contract should help ensure that you’re notified within a certain timeframe. It also ensures that the vendor provides a dedicated point of contact for all your questions. 

Although you may not immediately know all the details of the attack, there are still steps you can take to mitigate the risk:

  • Assess the impact: Make sure your vendor provides details on the extent of the attack and whom it affected. Find out as many details as you can about which systems were affected, the type of data that was stolen, and to whom it belongs. If the attack involved your customers’ data, you’ll need to notify them according to your own internal processes. Keep in mind that customer notification requirements also vary by industry and state. For example, credit unions have 72 hours to notify, but covered entities under HIPAA have up to 60 days. States such as Arizona, California, and Florida have 10-day notification periods, while states like Oregon, Tennessee, Vermont, and Washington have up to 45-day notification periods. 
  • Verify your vendor’s response: Review your vendor’s incident response plan (IRP) to ensure that it’s followed correctly. This can also help verify that the vendor hasn’t paid the ransom. Both CISA and the FBI recommend against paying ransom and even state that doing so can pose sanctions risk. 
  • Report and notify: Depending on your organization’s IRP and regulatory requirements, you may need to report the incident to authorities such as law enforcement or the state attorney general. Plus, you’ll need to communicate directly with any impacted customers. You may want to consider offering credit monitoring services to further protect your customers. 


Aftermath Responses to Recover From a Third-Party Ransomware Attack

Ransomware attacks are often complex and won’t be resolved overnight, but it’s possible to begin the recovery process soon after they occur. 

Here are some recommended actions that can help your organization recover from a third-party ransomware attack:

  • Re-assess your information security processes: This can help prevent another incident by revealing any weaknesses or flaws that may have been overlooked. 
  • Re-evaluate your IRP: This is typically done during a formal meeting known as a postmortem. During this time, your organization can review any lessons learned and consider areas of improvement. 
  • Make updates as needed: Use the information you learn from your re-assessments and re-evaluations to update any security policies or procedures. This may also include strengthening controls with other vendors that have attack surfaces similar to the one that suffered the attack. For example, if a vendor uses a common software component and is breached because of it, you should ask your other vendors whether they’re also using that same software component. 
  • Consider vendor repercussions: Review your vendor contract to determine whether the ransomware attack should prompt any further action such as additional controls, temporary suspension, or even the end of the relationship. Offboarding the vendor may be necessary if there were significant issues with the vendor’s communication or response. At a minimum, the incident should increase your oversight of that vendor.

It’s understandably a stressful situation when you discover your vendor was the victim of ransomware. There are a lot of unknowns and thoughts of worst-case scenarios, so it’s helpful to implement some of these responses within your third-party risk management program. Third-party ransomware attacks might not be 100% preventable, but there are ways you can reduce the impact on your organization.
