Gain a 360-degree view of third-party risk by using our SaaS software to centralize, track, automate, assess and report on your vendors. 

Managed Services

Let us handle the manual labor of third-party risk management by collaborating with our experts to reduce the workload and mature your program. 

Document Collection
Policy/Program Template/Consulting
Virtual Vendor Management Office
Vendor Site Audit

Ongoing Monitoring

Let us handle the manual labor of third-party risk management by collaborating with our experts.

Venminder Exchange

As Venminder completes assessments for clients on new vendors, they are then made available inside the Venminder Exchange for you to preview scores and purchase as you need.


Use Cases

Learn more on how customers are using Venminder to transform their third-party risk management programs. 


Venminder is used by organizations of all sizes in all industries to mitigate vendor risk and streamline processes

Why Venminder

We focus on the needs of our customers by working closely and creating a collaborative partnership

Sample Vendor Risk Assessments

Venminder experts complete 30,000 vendor risk assessments annually. Download samples to see how outsourcing to Venminder can reduce your workload.



Trends, best practices and insights to keep you current in your knowledge of third-party risk.


Earn CPE credit and stay current on the latest best practices and trends in third-party risk management.  

See Upcoming Webinars

On-Demand Webinars



Join a free community dedicated to third-party risk professionals where you can network with your peers. 

Weekly Newsletter

Receive the popular Third Party Thursday newsletter into your inbox every Thursday with the latest and greatest updates.



Venminder Samples

Download samples of Venminder's vendor risk assessments and see how we can help reduce the workload. 

State of Third-Party Risk Management 2023!

Venminder's seventh annual whitepaper provides insight from a variety of surveyed individuals into how organizations manage third-party risk today.



FFIEC Cybersecurity Assessment Tool

CPE Credit Eligible
HubSpot Video

How to use FFIEC's new Cybersecurity Assessment Tool.

The FFIEC released a Cybersecurity Assessment Tool. This video will go in depth of why your financial institution should use it or your vendor management.  

You may also be interested in:

Video Transcript

Welcome to this week’s Third Party Thursday! My name is Aaron Kirkpatrick and I’m the Information Security Officer here at VenminderToday, we’re going to be talking about the FFIEC’s Cybersecurity Assessment Tool’s Frequently Asked Questions document that has been getting a lot of attention.

So let’s get started....

How does a responsible vendor manager keep up with reviewing all of their critical, high and medium risk vendors? What tools can they use? We’ve discussed SOC reports, now let’s bring a tool to the table with the Cybersecurity Assessment Tool (CAT) for short. 

Now you may be saying, WAIT! Hold up…isn’t the FFIEC’s C.A.T. meant for us, the institutions? 

You’re right, it is, but nearly all of you are using vendors for products and services you’ve outsourced, but that doesn’t mean you get to transfer all of the risk as well. The institution’s board is still responsible for all risks taken. 

You may be familiar with a risk management framework where transferring the risk is one of your options, but that is not what is happening when you outsource a product or service, you’re remediating, lessening the risk, by having an outsourced specialist provide that product or service. That risk is still inherent and still the institution board’s responsibility. 

Okay, so now what? As usual with compliance, there’s more work to be done. The great thing is that the FFIEC has provided you with template declarative statements to modify to your needs. That’s right, the FFIEC says that you are welcome to modify the provided declarative statements. 

Now, does that mean you should weaken them to artificially prop up your organization? No! You’ve just lessened the value of all the time and effort you’ve already put into this assessment as it would then not follow the spirit of the tool:  “To help institutions’ management identify their risks and determine their cybersecurity preparedness.”

Let’s break that down – “Identify Risk and Determine Preparedness” 

Why should you identify risk? Why is that the FFIEC’s statement on why they created the tool?

SIMPLE…If you don’t know the threats and vulnerabilities posed to your institution either by being in the industry that we act in, or by those introduced by our locations, our equipment and software vendors we use to support our customers or the internal processes of our institution itself, then you CANNOT protect your institution from any attack, let alone a cyber attacker.

So if the Cybersecurity Assessment Tool is voluntary, why should you or your institutions vendor management function use it? 

If you don’t know what all of your risks really are, then how do you know if you’re spending precious time and money on the right risks. Assuming you know your top risk and throwing time and money at it without doing a proper risk assessment is like throwing a dart at your board and fixing what they then calmly tell you to fix, which I bet your board would not enjoy. So don’t try that approach.

Just do a risk assessment, and why not use the Cybersecurity Assessment Tool to get you started. And remember, when you do your risk assessment, as inherent risk rises, the maturity level, the term the CAT uses, of the controls which address that risk should increase as well. 

Why else should you or your institutions vendor management function use the CAT? 

Wouldn’t it be nice to be able to tell your institution’s board that you’re doing well in your preparedness against cybersecurity attacks? Wouldn’t it be great if there were a standard on which to hold yourself against? Here it is! 

We could go on with the benefits, but this is a short talk and there’s so much more to cover! One of the five domains within the CAT specifically deals with third parties. A highlight of the FFIEC’s comment within the FAQ was, and I quote, “Management is responsible for the assessment of the risk associated with the nature, extent and complexity of its institution’s third-party relationships. Such assessment includes evaluating the extent to which controls put in place by the institution’s third party service providers could be considered in the institutions mitigation of its overall cybersecurity risk, including the cybersecurity risk associated with its use of third party service providers.” 

Alright…I lost many of you on that last statement…so let’s break it down a little bit and give a great example! 

Three Parts 

  1. The first part is reminding you that institution management is responsible for looking at the pros and cons brought in when using third-parties. 
  2. Second – We’re reminding you that third parties that you bring in should have significant checks and processes in place, and these checks and processes could assist in your process to minimize cybersecurity risk. That’s likely one of the reasons you use a third party for that product or service anyways, right?
  3. Third – We’re talking about the added risk though that was brought in when you started using a third party to provide that product or service.  

BUT WAIT! If you’ve been following our Third Party Thursdays you’ve seen at least one of my talks on SOC reports. If not, you should check them out! 

Doesn’t the Second part of that prior statement sound a lot like what a SOC report goes over, the checks and processes, let’s now call them controls, that the third party does to further assure you that they’re providing a reliable and secure product? 

Even more, doesn’t the third part of that prior statement sound a lot like Complementary User Entity Controls, the checks and processes that you are required to have in place in order to ensure that your third party service provider’s product can BE reliable AND secure?  

It’s GREAT! What you’re hopefully already doing is already going to get you further with the FFIEC’s CAT! 

A few additional points to take away are:

  • The Cybersecurity Assessment Tool is VOLUNTARY
  • The Cybersecurity Assessment Tool is a value ADD to your institution!
  • Don’t worry, you’re already doing many of the items in the assessment, tracking them will just show you where you’re at, what you may not have though to have addressed and where you can go from here. 
  • Cybersecurity threats are not going away. They’re getting more and more complex and many institutions have flashing “open” signs on their networks without even knowing it. Don’t think if you’re small attackers won’t come after you, you’re just an easier target as you likely don’t have much of a security budget or dedicated security staff. Would you even know if an attacker was in your systems now? 

You don’t have to use the FFIEC Cybersecurity Assessment Tool, but you should be using a standard to align yourself with. And hey, the FFIEC and NCUA recommend it, so I’m sure it wouldn’t hurt in your regulator's eyes to get started. 

Again, I’m Aaron and thank you for watching! Don’t forget to subscribe to the Third Party Thursday series.


Subscribe to our Third Party Thursday Newsletter

Receive weekly third-party risk management news, resources and more to your inbox.


New Call-to-action

Ready to Get Started?

Schedule a personalized solution demonstration to see how Venminder can transform your vendor risk management processes.

Request a Demo