SEC 2022 Exam Priorities: Overseeing Vendor Information Security Practices


At the end of March, the Securities and Exchange Commission’s (SEC) Division of Examinations (referred to as EXAMS) released its 10th annual Examination Priorities Report, identifying five significant focus areas that they believe bring heightened risk. Of these focus areas, information security and operational resiliency are perhaps most obviously relevant to third-party risk managers. Let’s review some of the specific activities that the SEC expects of organizations.

6 Information Security Controls

The SEC states that information security controls are critical to ensure business continuity. As third-party cyberattacks continue to grow in volume and complexity, EXAMS will review organizations to ensure they’re performing the following activities, which have been extracted directly from the report:

Specifically, EXAMS will continue to review whether firms have taken appropriate measures to:

  1. Safeguard customer accounts and prevent account intrusions, including verifying an investor’s identity to prevent unauthorized account access;
  2. Oversee vendors and service providers;
  3. Address malicious email activities, such as phishing or account intrusions;
  4. Respond to incidents, including those related to ransomware attacks;
  5. Identify and detect red flags related to identity theft; and
  6. Manage operational risk as a result of a dispersed workforce in a work-from-home environment.

Monitoring vendors and service providers is a fairly general requirement. Let's consider how it relates to the information security practices of the vendor. A vendor's cybersecurity posture indicates whether it's capable of protecting your organization's and your customers' data by preventing, detecting and responding to incidents.

Here’s a breakdown of those 3 cybersecurity posture components:

  • Prevention – Does the vendor have tools and processes in place to prevent cybersecurity incidents? Firewalls, anti-malware products, patch management practices and training for employees and the vendor’s contractors should be in place to prevent incidents like data breaches and ransomware attacks. Vulnerability and penetration testing are also important tools the vendor should have within their cybersecurity strategy.
  • Detection – What processes does the vendor have related to incident detection and notification? The vendor’s incident response plan should clearly state notification stipulations as well as the role of the information security team during the notification process.
  • Response – How will the vendor respond to an incident? Make sure the vendor has specified how they’ll respond to different types of attacks, as each type will require a different process. The vendor should also provide details around how they’ll contain, eradicate and recover from an incident. You should also investigate the cyber insurance coverage the vendor provides and review the amounts of coverage to ensure they’re sufficient.


4 Next Steps to Take After a Data Breach

The importance of monitoring your vendors' cybersecurity practices can’t be overstated; however, it must be accepted that data breaches from third parties are never completely preventable. Therefore, you need to determine how your organization will respond to a third-party data breach that impacts your customers. Keep these next steps in mind:

  • Define the impact. Make sure you understand the scope of the breach and how many customers may have been impacted.
  • Communicate with your customers. Notifying your customers about a third-party data breach is never easy, but it’s critical to remain transparent about the situation and provide timely information.
  • Provide credit monitoring services. A data breach that involves non-public personal information may expose your customers to identity theft. Offering credit monitoring services can help provide your customers peace of mind after a breach.
  • Re-assess your information security processes. Third-party data breaches allow you to learn valuable lessons, so think about whether you need to update any processes or implement training for your employees to help prevent future breaches.

Year after year, the SEC expects organizations to have effective processes in place to manage vendor relationships and the associated risks that come from those partnerships. Information security risk is just one type, but it’s a significant risk that can ultimately impact an organization’s resiliency.
