Tags: Vendor Risk, Third-Party Risk, Supply Chain, Risk Management

Vendor Risk Management: Don't Let Third Parties Be Your Weakest Link

Sam Wheeler · July 10, 2023

The 2020 SolarWinds attack changed how the security industry thinks about supply chain risk. Attackers didn't need to breach 18,000 organizations directly — they compromised one software vendor and used that access as a launchpad. The downstream impact was staggering.

But you don't need a nation-state attack to understand the risk. Every vendor you give network access, data access, or API access to is a potential attack vector. Vendor risk management is about systematically understanding and managing that exposure.

Start by Knowing Your Vendors

Most organizations are surprised when they actually inventory their vendors. Between cloud services, SaaS subscriptions, managed service providers, contractors with system access, and integration partners, the list is typically much longer than leadership expects.

Build a vendor inventory. For each vendor, document:

  • what data or access they have
  • what systems they connect to
  • what your contractual relationship is (including data processing agreements, BAAs for healthcare data, etc.)
  • when that relationship was last reviewed

Tier Your Vendors by Risk

Not all vendors are equal risk. A vendor with access to your production database and customer PII is a fundamentally different risk than a vendor who handles your company swag orders.

Tiering allows you to allocate your review effort appropriately. A common approach:

Tier 1 (Critical): Vendors with access to sensitive data, critical systems, or the ability to affect your operations significantly. These get full security assessments annually.

Tier 2 (High): Vendors with limited data access or non-critical system access. Security questionnaire plus review of their security documentation.

Tier 3 (Standard): Vendors with no data access or system access. Standard contract review, periodic check-ins.

What to Actually Assess

For Tier 1 vendors, a security questionnaire (the SIG, SIG Lite, or CAIQ are common standards) plus review of their compliance certifications (SOC 2 reports, ISO 27001 certificates) is a reasonable baseline.

Focus on:

  • Do they have a current SOC 2 Type II report? Have you reviewed the exceptions?
  • How do they handle your data? Where is it stored? Who has access?
  • What's their incident response and breach notification process?
  • Do they have adequate cyber insurance?
  • How do they manage their own third parties?

Contractual Protections

Legal contracts are an important layer. Key provisions to include:

  • Data processing agreements that define how they can use your data
  • Right to audit clauses
  • Breach notification timelines (typically 24–72 hours)
  • Security requirements they must maintain as a condition of the relationship
  • Liability provisions in case of breach caused by the vendor

Many organizations have vendor relationships with no meaningful contractual security protections. That's a risk that's easy to fix.
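As an added illustration (not code from the article), here is a small Python model of the inventory, tiering and contract-review steps above: each vendor record carries the attributes the inventory should document, the tier is derived from the access described in the tiering section, and the action list flags overdue reviews and missing key provisions. The review intervals for Tier 2 and Tier 3, the field names and the sample vendors are assumptions made for this example.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Contract provisions the article lists as key protections.
KEY_PROVISIONS = frozenset({"dpa", "right_to_audit", "breach_notification",
                            "security_requirements", "liability"})
# Review cadence per tier, in days. The annual Tier 1 review comes from the
# text; the Tier 2 and Tier 3 intervals are assumptions made for this example.
REVIEW_INTERVAL_DAYS = {1: 365, 2: 365, 3: 730}
AS_OF = date(2023, 7, 10)  # "today" for the sample run below

@dataclass(frozen=True)
class Vendor:
    name: str
    data_access: str            # "sensitive", "limited" or "none"
    system_access: str          # "critical", "non_critical" or "none"
    can_disrupt_operations: bool
    last_reviewed: Optional[date]  # None: relationship never reviewed
    provisions: frozenset       # contract provisions actually in place

def tier(v: Vendor) -> int:
    """Assign the article's Tier 1/2/3 from the access a vendor holds."""
    if v.data_access == "sensitive" or v.system_access == "critical" \
            or v.can_disrupt_operations:
        return 1
    if v.data_access == "limited" or v.system_access == "non_critical":
        return 2
    return 3

def review_overdue(v: Vendor, today: date) -> bool:
    """Never reviewed, or reviewed longer ago than the tier's cadence allows."""
    if v.last_reviewed is None:
        return True
    return today - v.last_reviewed > timedelta(days=REVIEW_INTERVAL_DAYS[tier(v)])

def missing_provisions(v: Vendor) -> frozenset:
    return KEY_PROVISIONS - v.provisions

def action_list(inventory: list, today: date) -> list:
    """Vendors needing work (overdue review or contract gaps), Tier 1 first."""
    rows = [(tier(v), v.name, review_overdue(v, today), sorted(missing_provisions(v)))
            for v in inventory]
    return sorted(r for r in rows if r[2] or r[3])

# Constructed sample inventory (not real vendors).
INVENTORY = [
    Vendor("Acme DB Hosting", "sensitive", "critical", True, date(2021, 5, 1),
           frozenset({"dpa", "breach_notification"})),
    Vendor("Swag Supplier", "none", "none", False, None, frozenset({"liability"})),
    Vendor("Marketing SaaS", "limited", "non_critical", False, date(2023, 3, 15),
           KEY_PROVISIONS),
]

def sample_actions() -> list:
    return action_list(INVENTORY, AS_OF)
```

Running `sample_actions()` lists the database host (Tier 1, review two years stale, three provisions missing) ahead of the swag supplier (Tier 3, never reviewed), while the SaaS vendor with a recent review and a complete contract is not flagged.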

Ongoing Monitoring

Annual reviews catch problems annually. Continuous monitoring — watching for news of vendor breaches, checking for their infrastructure exposure, reviewing their security advisories — helps you respond faster when something goes wrong.

Services like BitSight, SecurityScorecard, and UpGuard continuously assess vendor security postures from the outside. For your most critical vendors, these tools are worth the investment.

When Things Go Wrong

Have a plan for vendor incidents. If a critical vendor suffers a breach, what do you do? Can you revoke their access quickly? Do you know what data they had? Who internally is responsible for communicating with them and assessing impact?

Vendor incidents that aren't well-managed often become your incidents. The organizations that handle them best have thought through the response ahead of time.
