Learn about evaluating third-party cyber risk, from onboarding through regular reviews

By Jeff Copeland

SAFE TPRM dashboard

What Is Vendor Risk Assessment?

Vendor relationships are an increasingly critical part of modern business operations, as organizations outsource ever more functions to software as a service (SaaS) vendors, from HR management to payment processing to data storage. According to Gartner, 60% of organizations work with over 1,000 third-party vendors. 

It’s not just the scale of third-party relationships but the stakes that come with this. One indication of the financial toll of insecure third-party connections: third-party risk, including ransomware and vendor outages, accounted for 31% of all cyber insurance claims in 2024, according to cyber insurance firm Resilience. 

Organizations need a systematic vendor risk management (or third-party risk management – TPRM) process to evaluate third-party risks, including: 

  • strategies to safeguard sensitive data
  • maintain regulatory compliance
  • protect business operations. 

By aligning with industry frameworks such as ISO 27001, NIST 800-53, SOC 2 Type II, and regulations like GDPR and HIPAA, this process offers a structured approach to mitigate third-party risks effectively.

But risk and security managers increasingly recognize that rules-based, compliance-driven vendor risk management, as it is typically practiced, is not keeping pace with the growth of the third-party risk landscape. New risk-based techniques and processes utilizing artificial intelligence (AI) offer a promising way to scale vendor risk management to meet the challenge. 

This guide provides an in-depth look at vendor risk assessment, its importance, key risk categories, detailed implementation steps, real-world examples, best practices, and practical advice to help risk managers and compliance officers strengthen their third-party risk programs.

Vendor Risk Management with SAFE:

Video: See SAFE TPRM in Action

Test Drive our TPRM Solution

Why Is Vendor Risk Assessment Crucial?

As organizations expand their digital footprint and rely increasingly on third-party vendors for IT services, cloud storage, logistics, and customer support, the potential for cyber, compliance, and operational risks grows significantly. Vendor risk can rapidly escalate to enterprise-level risk, as seen in recent incidents: 

  • UnitedHealth Group: The ransomware attack in 2024 disrupted the major US processor of healthcare payments,  pushing many medical offices to the brink of insolvency.
  • CDK Global: Ransomware in 2024 knocked out the principal vendor of software services to the automotive sales business, costing dealerships an estimated $1 billion. 
  • Progress Software: The maker of the popular MOVEit file transfer software suffered a ransomware attack in 2023 that disrupted service for more than 2,700 customers, resulting in 144 lawsuits. 

These examples underscore the reality that third-party vulnerabilities are often organizational vulnerabilities. Here are the key benefits to enterprises of robust vendor risk assessment: 

  • Enhanced Cybersecurity: Identify and mitigate vulnerabilities at the vendor before they are exploited; prioritize attention to vendors based on the loss exposure they introduce
  • Improved Compliance: Verify that vendors comply with GDPR, HIPAA, PCI DSS, and other regulatory requirements.
  • Financial Risk Reduction: Minimize potential fines, lawsuits, or remediation/downtime costs from data breaches or service interruptions.
  • Operational Continuity: Ensure critical services remain uninterrupted during vendor failures.
  • Stronger Vendor Relationships: Build mutual trust through transparency, clear expectations, and shared responsibility for security. 

In short, vendor risk assessments are not just an IT task—they’re a strategic business necessity.

Recognition for vendor risk management at SAFE:

SAFE Recognized in Gartner’s 2025 TPRM Market Guide: Leading the Shift to Autonomous Third-Party Risk Management

SAFE Named a Leader by Liminal for Third-Party Risk Management

When to Perform a Vendor Risk Assessment?

Vendor risk assessment should not be treated as a one-time activity but as a recurring event in your organization’s risk management lifecycle. Here are key moments when assessments are essential:

Onboarding a vendor, SAFE TPRM platform

Onboarding New Vendors

Effective vendor risk management starts with the onboarding process. Steps include:

  1. Intake – especially with the goal of discovering all the domains of the vendor to get a clear view of the attack surface. 
  2. Controls assessment: An outside-in scan of internet-facing security controls and an analysis of a controls questionnaire submitted by the third party that describes the security framework (NIST, ISO, etc.) in use. Ideally, the assessment also includes an inside-out scan of the vendor’s security tools through an integration with the assessment platform. 
  3. Analysis of other evidence available from the vendor, such as pen-test reports, NIST CSF assessments, SOC2 certifications, or policy documents in a trust center 
  4. Fourth-party research: Mapping downstream vendors like AWS, Slack, or Okta and assessing the third party’s dependence
  5. Public records search: Documents from the SEC or other regulatory agencies, news reports, and records of lawsuits could flag legal trouble or reputation issues.  
  6. Threat intel: Are attackers targeting companies similar to the vendor? Using what techniques?
  7. Contract scan: Any red flags in the fine print, for instance, on indemnification or liability limits?

Enterprise risk analysis: Finally, onboarding includes a security review that flips the script, treating this third-party risk as a potential enterprise risk. Key questions to investigate, include: 

  • How deep would this vendor extend into our organization based on network access, data access, or revenue impact? 
  • Could the vendor be a single point of failure for our organization? 
  • What controls do we have in place facing this vendor – are we using a zero-trust approach? 

Result: The TPRM manager can categorize the vendor based on loss exposure to the enterprise. 

Ongoing Review

The conventional annual vendor review is far behind the rapidly evolving reality of the threat landscape today. An advanced vendor management solution provides continuous assessment, for instance: 

  • Scanning the vendor’s digital footprint for new vulnerabilities or security misconfigurations
  • Tracking regulatory filings and breach disclosures  
  • Notifying a TPRM analyst of changes in risk posture, ensuring timely cooperation with the vendor 

A vendor management solution should also continuously monitor the entire third-party attack surface. For instance, it might:

  • Flag fourth-party risk concentration after spotting that many vendors use the same security application. 
  • Notice that a critical vendor, like a payments processor, lacked a backup. 

Regulatory Changes

Reassess vendors when new regulations are enacted or existing ones change. A prime example would be NIS2 and DORA, the evolving EU regulations. 

Security Incidents

After a breach, re-evaluate third-party weaknesses that might have contributed to the incident.

5 Key Types of Vendor Risks

Understanding the different types of risks originating with vendors is foundational to designing an effective assessment strategy. These risks typically fall into the following categories

1. Security Risks

Attackers have figured out that third parties can be an easier target than going directly after better-defended large enterprises. From the enterprise’s point of view, risk scenarios may fall into two categories:

  • Ransomware at the third party: The enterprise’s data or processes are locked up and ransomed by an attack on the vendor’s system. Stolen credentials and exploited vulnerabilities are the most common access points in ransomware, the 2025 Verizon DBIR reported. 
  • Attackers take advantage of the trusted relationship the third party holds with the enterprise and install a compromised software update at the enterprise. The SolarWinds attack that began in 2019 leveraged IT management software to gain access to thousands of companies and government organizations.  

No matter how the attackers gain entry, weak identity and access management practices often contribute to cybersecurity risk. A zero-trust framework defends against attackers making lateral movements once inside a network, but zero trust can be complex to implement and maintain. The bottom line: enterprises contracting with third parties must audit their cybersecurity practices thoroughly. 

2. Compliance Risks

Regulatory agencies often make no distinction between enterprises and vendors in privacy rules. The GDPR holds data owners responsible for breaches at their data storage partners, HIPAA considers a third party as a ‘business associate” of the primary healthcare business ,and enforces the same data protection rules on both. The Securities and Exchange Commission (SEC) holds financial institutions responsible for their data held by third parties. All of which puts the responsibility for compliance at vendors squarely on the enterprise, making a comprehensive security audit at the third party a requirement.  

3. Operational Risks

As part of onboarding a vendor, enterprises should verify that the new partner can continue to deliver services in the event of a cyber-induced disruption. The contracting company should check SLA’s, redundancy, and business interruption plans. 

4. Financial Risks

A vendor’s financial instability could lead to service discontinuity or contract breaches – analyze financial statements, credit ratings, insurance coverage, and litigation history.

5. Reputational Risks

Association with vendors involved in unethical practices, litigation, or data scandals can damage your brand.  Enterprises should use media scans, litigation databases, and whistleblower reports for reputational due diligence.

Additionally, organizations should increasingly assess fourth-party risks—risks introduced by the vendors of your vendors.

SAFE TPRM outside-in scan findings

Outside-in scan of a vendor, SAFE TPRM platform

Step-by-Step Guide to Conducting a Vendor Risk Assessment

Below is a comprehensive 10-step methodology for conducting vendor risk assessments:

1. Identify Critical Vendors and Assets

  • Inventory all vendors and map them to the systems, data, or services they access. 
  • Highlight vendors supporting critical operations or accessing sensitive information.

2. Define Risk Tolerance Levels

  • Establish acceptable risk thresholds based on industry, regulations, and internal policies.
  • Categorize vendors into tiers (high, medium, low) based on criticality – compare across vendors with a risk scoring solution that takes into account the probable likelihood and impact of risk scenarios related to the vendor 

3. Collect Vendor Information

  • Use questionnaires, outside-in and inside-out scans of controls, and available documentation: SOC reports, pentest summaries, and public financial reports. 
  • Include information on data flows, subcontractors, and geographic jurisdictions.

4. Assess Vendor Controls

  • Evaluate technical and procedural controls (e.g., MFA, data encryption, vulnerability management, data backup).
  • Benchmark against standards like NIST CSF or ISO 27001.
  • Continuously monitor control status with telemetry and automated workflows 

5. Prioritize Vendor Controls

  • Assess risk with quantitative analysis with a standard model like FAIR 
  • Apply a risk scoring system to prioritize focus on high-risk vendors

6. Conduct Formal Assessments

  • Perform audits, review documentation, interview vendor personnel, and request attestations.
  • Automate assessments using a risk management platform to ensure consistency and efficiency, and continuous monitoring for changes in risk posture or threat levels. 

7. Develop Risk Treatment Plans

  • Identify gaps and vulnerabilities and recommend controls for remediation
  • Prioritize controls based on return on investment (ROI) – dollars spent for dollars saved in risk reduction 

8. Implement Ongoing Monitoring

  • Continuously assesses risk across internal and external attack surfaces, covering enterprises, third-party vendors, and SaaS environments
  • An ideal solution would integrate data, AI, and automated risk models into a single platform for real-time, comprehensive cyber risk management.

9. Report Findings and Communicate Risk

  • Summarize results in dashboards or reports for executives and stakeholders.
  • Include business impact in financial terms, residual risk, and remediation status.

10. Review and Improve Process

  • Conduct post-mortems after incidents and update assessment criteria regularly.
  • Align with new threats, technologies, and compliance landscapes.

6 Best Practices for Vendor Risk Assessment 

To mature your third-party risk program, consider these key best practices:

  • Integrate with Procurement and Legal: Involve risk teams early during vendor selection and contract negotiations.
  • Standardize Risk Questionnaires: Use consistent, scalable templates such as CAIQ (Cloud Security Alliance) or SIG (Standardized Information Gathering). ADAPTABLE BY AI
  • Implement Tiered Assessments: High-risk vendors undergo more rigorous scrutiny than low-risk vendors.
  • Maintain a Vendor Inventory: Track all vendors, services provided, data accessed, and risk ratings in a centralized platform.
  • Use Risk Scoring Models: Create quantifiable risk scores to facilitate comparisons and prioritize efforts.
  • Leverage Automation: Reduce manual efforts by using integrated GRC or VRM tools.

Important Frameworks and Regulations Supporting Risk Assessments

Vendor risk assessments are strengthened by aligning with trusted standards and regulatory guidance:

  • ISO 27001: Information security management systems (ISMS)
  • NIST 800-53 & NIST CSF: Security and privacy controls for federal and commercial systems
  • SOC 2: Trust service principles for data handling and operational controls
  • HIPAA: Requirements for handling PHI with healthcare vendors
  • GDPR/CCPA: Data protection laws applicable to vendors processing personal data

Adhering to these frameworks enhances credibility and ensures audit readiness.

Common Pitfalls to Avoid

  1. Skipping Risk Assessments for Low-Tier Vendors: Even vendors with limited access can be exploited as attack vectors.
  2. One-Time Assessments: Risks evolve, and assessments must be continuous.
  3. Overlooking Fourth Parties: Subcontractors may pose hidden risks without your knowledge.
  4. Failure to Enforce SLAs or Contracts: Legal obligations must include clear security expectations and right-to-audit clauses.
  5. Lack of Executive Oversight: Risk findings must be communicated at the board level for proper governance.

Final Thoughts

Vendor risk assessments are more than a compliance checkbox—they’re a strategic lever for resilience. Risk and compliance managers must move beyond periodic reviews and embed risk intelligence throughout the vendor lifecycle. With the right frameworks, tools, and processes, organizations can better anticipate, mitigate, and respond to third-party risks.

Test drive the SAFE vendor risk management solution now!

RELATED POSTS

Events

May 29, 2025

Forrester: Security & Risk Summit

Blog

May 28, 2025

SAFE Launches First 100% Autonomous Third-Party Risk Management Platform 

Events

May 28, 2025

GRF: Virtual Summit Resilience and Security