How do you assess the risk associated with your tech vendors and ensure that they have adequate security measures in place?

CxO, 10 months ago

Assessing vendor risk is challenging because you want to trust that your vendors have good plans in place. However, you need to trust and verify, given our roles today. Reviewing their plans, seeing how they certify them, and how often they test them are always important. They're supposed to have more resources than most organizations, so you have to take them at their word. At the end of the day, all you can do is ask, review what they've tested, when they tested, and trust them. Including this in one of their annual tests is an option, but many companies closely guard these activities and results.

CIO in Healthcare and Biotech, 10 months ago

This is an area where it's actually nice to be in highly regulated industries. In healthcare, for instance, we have HIPAA, which comes with many rules. We have a comprehensive questionnaire for vendors offering SaaS services that store our patients' protected health information. We use a vendor whose business model is to ensure compliance with HIPAA and other regulations. We take great care not to sign new contracts unless the vendor passes all these tests.

Worldwide Strategy & Portfolio, Cross Industry (Supply Chain, ESG, Engineering, Customer Experience, Intelligence Automation, ERP) in Manufacturing, 10 months ago

When selecting vendors, there are ancillary ways to mitigate risks. If a vendor is verified by one of the hyperscalers, they've already undergone a rigorous process to be allowed on that platform and must meet high security standards. Another method is to review their shareholder reports, which should contain relevant information. These are ways to vet a vendor without a lengthy questionnaire while ensuring the company's risk tolerance is met.

Vice President - Enterprise Platforms & Cybersecurity in Energy and Utilities, 10 months ago

We've used external security scanning tools and pulled reports to discuss with vendors. Recently, we did this with an HRIS system. The vendor explained discrepancies in their scores, such as honeypots deliberately set to appear vulnerable. They took the time to address all our questions, making sure we were comfortable. If our cyber insurance brokers use these tools, we should too.
