A Guide to Risk Criteria in Vendor Risk Assessments

Vendor risk assessments need to be tailored to the unique cyber risk criteria of third-party vendors. This post explains how to determine which risk criteria apply to each vendor and how to measure their severity.

Learn how UpGuard streamlines vendor risk assessments >

Vendor risk assessments for different risk criteria

A vendor risk assessment systematically identifies all potential risks associated with third-party vendors and their likely impact on your organization. These assessments aim to ensure the complete scope of vendor-related risks remains aligned with your organization’s risk tolerance and compliance requirements. Each vendor’s risk profile is unique, so risk assessments must be adjusted to the unique risk criteria that apply to each vendor.

Below is a high-level overview of how a risk criteria lens determines the direction of a vendor risk assessment. For a more comprehensive overview of this lifecycle, refer to this post outlining the implementation of a vendor risk assessment process.

1. Evidence gathering: Superficial vendor security posture evidence is collected as part of due diligence before onboarding. This intelligence offers a window into the vendor’s compliance requirements and security control strategy - information that narrows the scope of each vendor’s risk criteria options
2. Onboarding: During onboarding, the service provider is given a relationship questionnaire to discover which specific risk criteria apply to the vendor and whether they should be classified as a high-risk vendor. The results of this questionnaire will determine the style of risk assessment the vendor will require throughout their business relationship.
3. Risk assessment: The vendor is provided with a risk assessment tailored to their most relevant risk criteria, as identified through the Evidence Gathering process and relationship questionnaire responses. Each risk assessment is tailored to each vendor’s unique risk profile, with security questionnaires mapping to specific risk criteria.

4. Risk Ranking: All threats discovered through the risk assessment are ranked by potential impact on the organization. 
5. Risk Mitigation: Completed risk assessments provide frameworks for third-party risk management plans throughout the duration of each vendor lifecycle.
6. Continuous Monitoring: The impact of each vendor risk management strategy is tracked with continuous monitoring efforts to detect emerging threats across all relevant risk criteria.

Using continuous monioring to track vendor performance in terms of their security posture is a process within the broader cybersecurity discipline of Attack Surface Management. For an overview of ASM, watch this video:

Get a free trial of UpGuard >

The 5 most common risk criteria in vendor risk assessments

A Third-Party Risk Management (TPRM) program tracks inherent risks across a broad spectrum of risk metrics. The most popular categories are listed below. While a TPRM program could also address cybersecurity risks, this critical risk category is usually addressed in a dedicated risk management initiative known as Vendor Risk Management (VRM). To learn more about how these programs differ, refer to this post outlining the differences between TPRM and VRM.

• Cybersecurity risks: This criteria includes all security risks and vulnerabilities stemming from vendor relationships that could facilitate a data breach if exploited. For vendors with access to your personal data and sensitive data, a cyber attack resulting in their compromise also results in your compromise. For the most comprehensive strategy for mitigating data breach impact, fourth-party risks should be addressed with a dedicated Fourth-Party Risk Management program.

• Compliance risks: These risks relate to any issues impacting a vendor’s regulatory compliance efforts with industry standards such as the GDPR, a data security and privacy standard in the European Union and the UK, and HIPAA for healthcare. Compliance risks could also include misalignments with security frameworks deemed critical for your risk management processes, such as ISO 27001 and SOC 2.
• Financial risks: Encompasses all threats to financial stability. This risk criterion tends to overlap with cybersecurity risks since information security threats could have a significant financial impact if exploited in a data breach. Financial risks could also stem from natural disasters impacting data centers, supply chain attacks, and procurement issues causing service disruptions.
• Reputational risks: Any vendor-related events with the potential of causing its business partners reputational damage. Such events could result from a range of reasons, from poor customer reviews to unethical stakeholder business practices to security breaches.‍
• Operational risks: Any risks threatening a vendor’s ability to deliver their promised services due to business disruptions, which could result from inefficient internal business operation workflows or faulty business continuity plans.

Identifying and measuring different risk criteria for vendor risk assessments

All third-party risk assessment processes must be supported by a means of detecting and measuring risk levels across all applicable risk criteria. Below are some common methods of identifying and evaluating all common categories of vendor risks.

Cybersecurity risk

The cybersecurity risk category applies to all types of vendors. Even low-risk - those that don’t require access to your sensitive data - post some degree of cybersecurity risks requiring management.

Cybersecurity risk is the most prominent type of vendor risk.

How to identify cybersecurity risk

There isn’t a single templatized approach for identifying third-party cybersecurity risks. The process is highly complicated and dependent upon each unique third-party cyber risk context. Below is a very high-level approach for discovering vendor-related security risks. For a more detailed overview, refer to this post about how to perform a third-party risk assessment.

• Determine if the vendor exhibits any signs of historical data breaches. Assess the security and trust pages of potential vendors to determine if their risk profile fits within your risk appetite - a process that should be completed before officially onboarding a vendor into a Vendor Risk Management program.
• Assess the vendor’s cybersecurity policies, incident response plans, and data protection measures.
• Conduct regular cybersecurity audits and penetration tests.
• Review the vendor’s alignment against trusted cybersecurity standards, such as ISO 27001.

To learn how UpGuard streamlines the process of discoevring cybersecurity risks for new vendors, watch this video about its Trust Exchange platform, freely available for everyone.

Sign up to Trust Exchange for free >

How to measure cybersecurity risk

• Use a vendor risk assessment questionnaire solution leveraging automation technology to measure security risk levels based on questionnaire responses, such as UpGuard.
• Utilize security questionnaire templates mapping to risk categories overlapping with cybersecurity risks, such as regulatory compliance risk.
• Use a security rating solution to streamline the tracking of risk exposure changes over time for all vendors.

Related: How UpGuard calculates its security ratings.

Compliance Risk

How to identify compliance risk

• Check the vendor’s Trust and Security pages for any information about their regulatory compliance efforts, either manually or through automated processes with a tool like UpGuard Trust Exchange.
• Review the vendor’s regulatory compliance audit reports.
• Evaluate the vendor’s knowledge of new developments across all applicable industry standards, such as updates to security frameworks (e.g., NIST CSF 2.0).
• Review any previous compliance issues or regulatory fines imposed on the vendor.

How to measure compliance risk

• Send the vendor security questionnaires mapping to each compliance standard being evaluated.
• Implement a scoring system to determine the severity of compliance violations.
• Assign vendors to risk levels based on their compliance track records and potential impact on your organization in case of a violation.

Operational Risk

How to identify operational risk

• Evaluate the vendor’s strategy for maintaining resilience against external operational threat factors. This could involve reviewing their business continuity plans, service performance history, and operation policies.
• Determine whether the vendor has a backup system for replacing operational processes that have been irreversibly compromised, either due to critical operation faults or ransomware attacks.
• Review the vendor’s historical performance data to determine whether service disruptions had occurred.

How to measure operational risk

• Use performance metrics such as operational downtime, recovery time objectives (RTO), and key performance indicators (KPIs) to track the vendor’s operational stability.
• Implement third-party service disruption triggers into your internal workflows.
• Create an operational risk scorecard that includes RTO, service level agreement (SLA) adherence, and incident response times.
• Conduct regular penetration tests targeting specific operational processes, noting the vendor’s recovery rating.

Financial Risk

How to identify financial risk

• Review the vendor’s credit rating and financial statement against their market position.
• Perform an analysis of the vendor’s financial trends, comparing revenue profitability and debt levels over time.
• Review the vendor’s financial reports and any financial audit findings
• Analyze the vendor’s financial statements, credit ratings, and market position.
• Evaluate the vendor’s revenue trends, profitability, and debt levels.
• Review any financial reports, including annual reports and audit findings.

How to measure financial risk

• Perform a Cyber Risk Quantification analysis to determine the financial impacts of the cyber threats to which the vendor is most vulnerable.
• Track the vendor’s financial stability over time with credit scoring tools.
• Design an internal financial risk scorecard considering metrics such as liquidity ratios, debt-to-equity ratios, and profitability margins.
• Use financial ratios, credit scores, and trend analysis to determine the vendor’s financial stability.
• Develop a financial risk scorecard that includes metrics such as liquidity ratios, debt-to-equity ratios, and profitability margins.

Reputational Risk

How to identify reputational risk

• Review historical news mentions of the vendor for any negative publicity.
• Monitor news feeds and threat intelligence reports for any emerging negative publicity of security events that could lead to negative press.
• Compare any discovered negative publicity events against major changes to the vendor’s public messaging by reviewing the vendor’s website archives in Wayback Machine.
• Review the vendor’s customer and user history from trusted review sources.
• Assess the vendor’s brand image and market perception.

How to measure reputational risk

• Implement media monitoring software capable of detecting any mentions of the vendor to assess potential reputational risk levels.
• Score vendors based on the frequency and severity of negative incidents and public sentiment.
• Develop a reputational risk index reflecting each vendor’s overall market reputation.
• For evaulating the potential reputational impacts of vendor-related security issues, use a Vendor Risk Management platform with an integrated news feed tracking publically disclosed security events for all monitored vendors. To support reputational impact measurement, such a tool should ideally rank discovered events by severity levels, a feature available on the UpGuard platform.