What's In The News Matters

CPE Credit Eligible

Vendor management news matters.

Vendor management is covered a lot more in industry news now. It's hard to keep up, and sometimes tempting not to try. This podcast mentions recent examples of important items covered.


Podcast Transcript

Welcome to this week’s Third Party Thursday. My name is Dana Bowers, and I’m the CEO and Founder of Venminder. Today we’re going to be talking about what's in the news matters.

Let’s face it – every day it seems like there is new news coming out about an enforcement action or a data breach. In fact, a recent article said that the Consumer Financial Protection Bureau was setting policy through enforcement actions rather than through issuing actual guidance. I think that is an interesting perspective on just how requiring the regulatory environment has become.

Cybersecurity has also become an absolute laser focus of late. I’m sure most of you saw the headlines in February when the Obama administration declared that it was requesting additional funding to bolster the nation’s cybersecurity systems and named the former National Security Advisor Tom Donilon to head up the efforts. Even Congress has gotten in the act – the Committee on Science, Space and Technology sent a very pointed letter to Janet Yellen on June 3 about the recently released information about more than 50 data breaches at the Federal Reserve over the period of 2011 to 2015. I am sure that will only prompt more inspection by the Fed and other regulatory agencies into the practices at their member institutions. Incidentally, if you haven’t read that letter – it’s pretty direct and reads like an examination request letter – you can easily Google it and find it out there if you’re curious – having been on the receiving end of many examination request letters, I found it kind of interesting to see Congress sending their own examination request documents to the chair of the Fed. It certainly hasn’t stopped there.

Just in the past couple of months, the FFIEC (which stands for the Federal Financial Institutions Examination Council) has come out with updated guidance – if the newly released enhancements to appendix E on mobile banking are followed as stringently as appendix J was last year, it will be a very prescriptive guide. I glanced through the appendix E items and saw about 18 references to third party products.

A few weeks ago, you may have seen that the FFIEC along with other regulators sent out a warning to all banks, following the disclosure of the Swift breaches, encouraging all financial institutions to review their data protection procedures. In an article in CU Insight earlier this month (June 2016), there was a terrific analysis of all of the ways that a well-managed security program can help counter account takeover fraud…. So it’s not just about data breaches but additional fraud management.

Remember, you have people out there who are making a career out of trying to breach financial institutions and create ways to steal people’s identities, so you’ve really got to work to stay one step ahead of them. I would suggest that effective cybersecurity goes way beyond documented procedures on preventing unlawful access and needs to also consider the appropriate response mechanisms if something happens – ransomware, holding your data hostage for money or denying access to your information is an interesting but really scary new developing threat and it’s not just the financial services industry.

In fact, a couple of weeks ago, I was reading about two hospital systems who had recently been impacted, one in the first quarter and one at the end of May. Hardly a day should go by without talking to our CISO (your chief information security officer) or Business Continuity manager to compare notes, discuss what we’re seeing and how it could impact us. In addition, you need to really drill down to think about your third party’s own data protection and business continuity practices. The old saying of a chain is only as strong as the weakest link really applies – if your third party isn’t securing its doors, you could have a shared vulnerability. 

So, things like understanding their business continuity plan and asking for results of their penetration testing are perfectly appropriate. Looking at their SSAE16 SOC report and determining your credit union’s own role in making absolutely sure your compensating controls are in place are also important.

Certainly the best time to be asking these types of questions is in a proactive manner to prevent problems in the first place rather than the costly and time-consuming process of cleaning up mistakes. When mistakes do occur – and they will – it’s tempting to try to sweep them under the rug – you can never really do that, instead use it as an opportunity to look very closely at what led to the mistake and what you can do to prevent it from happening again. Document it fully, invite input or informed perspective and ask for guidance where you’re not sure what exactly happened or what could be done differently. Those who do not learn the errors of history are bound to repeat them.

Even examiners do not expect perfection – though it seems like they might, but they certainly expect you to have ways of detecting problems, addressing them early, and clear documentation on the scope of the problem, the impact of the problem and what can be done to prevent it from recurring, whether it’s additional testing, new monitoring techniques or additional or more frequent reviews.

I’m Dana Bowers, thanks for watching. And don’t forget to subscribe for next week’s Third Party Thursday podcast.
