How to Assess and Manage Third-Party Data Risk


Josh Amishav · Last updated Apr 01, 2026 · 8 Minute Reading Time

Learn how to build a vendor risk assessment program that actually catches problems before they become breaches.

• Most vendor risk assessments happen once at onboarding and never again. That’s how you miss the vendor that was secure two years ago but has since lost half their security team and stopped patching.
• Tier your vendors by the data they access. A vendor handling customer PII needs quarterly reviews. A vendor that only sees marketing analytics can get an annual check. Same framework, different intensity.
• The three assessment methods you need: security questionnaires for breadth, document review (SOC 2, pen test reports) for depth, and external monitoring (security ratings, credential monitoring) to catch what changes between reviews.
• AI vendors are the newest risk category and the hardest to assess. Standard questionnaires don’t cover prompt injection, training data provenance, or model hallucination risks. Add these to your assessment template.

Your vendors passed their security assessment two years ago. Do you know what their security looks like today?

Point-in-time assessments miss the risks that develop between reviews. Vendor security is a moving target.

This guide covers how to build a third-party risk assessment program: what to evaluate, how to score it, and how to monitor vendors continuously.

What Is Third-Party Data Risk?

Third-party data risk is the chance that an external vendor will cause a security incident affecting your data. Every vendor you share data with or grant network access to adds risk. The question isn’t whether you have third-party risk. It’s whether you’re measuring it.

Third-party risk assessment is the systematic evaluation of security, compliance, and operational risks associated with external vendors and service providers. It involves identifying what data vendors access, evaluating their security controls, scoring their risk level, and determining the appropriate monitoring intensity for each vendor relationship.

The scale of the problem is growing. The Verizon 2025 DBIR found that third-party involvement in breaches doubled year over year to 30%. SecurityScorecard’s 2025 report puts it even higher. For context on how these breaches actually happen, see our guide on third-party data breaches.

What Are the Main Types of Third-Party Risk?

Third-party risk isn’t just cybersecurity. You need to assess five domains.

Cybersecurity risk. Can the vendor protect your data from attackers? This covers access controls, encryption, vulnerability management, incident response, and endpoint security. It’s the domain most people think of, but it’s only one of five.

Data privacy and compliance risk. Does the vendor handle data in line with GDPR, CCPA, HIPAA, or whatever regulations apply to you? Do they have a Data Protection Officer? How do they handle data subject requests? New regulations like DORA (for EU financial entities, enforced January 2025) and NIS2 add vendor-specific requirements.

Operational risk. What happens to your business if the vendor goes down? Assess their uptime track record, disaster recovery plans, and business continuity capabilities. Ask for RTO (Recovery Time Objective) and RPO (Recovery Point Objective) metrics.

Financial stability risk. A vendor that’s financially unstable may cut security budgets, lose key staff, or shut down entirely. Check for signs of distress: layoffs, leadership turnover, or declining revenue.

Legal and contractual risk. Are the right protections in your contract? Breach notification SLAs, audit rights, indemnification, and data deletion requirements. See our prevention guide for what specific clauses to include.

How Do You Assess Third-Party Risk?

A vendor risk assessment has three layers: questionnaires for breadth, document review for depth, and external monitoring for continuity.

Layer 1: Security questionnaires

Questionnaires give you a standardized view across all vendors. Use an established framework rather than building your own.

SIG (Standardized Information Gathering) is the most widely used. It covers 18 risk domains with hundreds of questions. Use the full SIG for critical vendors and the SIG Lite for lower-risk ones.

CAIQ (Consensus Assessments Initiative Questionnaire) is designed for cloud service providers. If your vendor is a SaaS company, CAIQ questions are more relevant than generic frameworks.

Customize the base questionnaire for your industry. Healthcare companies add HIPAA-specific questions. Financial services add questions about regulatory reporting.

Layer 2: Document review

Questionnaires tell you what the vendor says they do. Documents show what they’ve actually proven.

SOC 2 Type II reports cover security, availability, processing integrity, confidentiality, and privacy. Type II is important because it covers a period of time (usually 12 months), not just a point-in-time snapshot.

ISO 27001 certification means the vendor has an information security management system that’s been independently audited. It doesn’t tell you everything, but its absence at a mid-size or larger vendor is a red flag.

Penetration test reports. Ask for a summary of their most recent pen test. You don’t need the full report (they shouldn’t share it), but you should know the scope, findings, and remediation status.

Incident history. Ask whether the vendor has had security incidents in the past 3 years and how they responded. A vendor that’s been breached and improved their security as a result can be less risky than one that’s never been tested. What matters is the response, not the incident itself.

Business continuity plans. For operationally critical vendors, ask for their disaster recovery and business continuity documentation. What’s their RTO (Recovery Time Objective) and RPO (Recovery Point Objective)? If they go down, how long before your operations are affected?

Layer 3: External monitoring

Vendor risk assessment is the process of evaluating an external vendor’s security standing, compliance status, and operational resilience before and during the business relationship. It combines questionnaires, document review, and continuous monitoring to identify risks that point-in-time assessments miss.

Most companies do Layer 1 and call it done. Layer 3 is where you actually catch the vendor that was secure at signing but fell apart six months later.

Security rating services. These platforms scan your vendors’ internet-facing infrastructure continuously. They track unpatched systems, certificate issues, and open ports. Your vendor’s score can drop between assessments, and you’ll see it in real time.

Credential monitoring. When your vendor’s employees’ credentials appear in stealer logs or breach data, it means something has gone wrong in their environment. Dark web monitoring catches this before attackers can exploit the access. This is often the earliest signal of a vendor compromise.

Each layer catches what the others miss. Questionnaires tell you what the vendor claims. Documents verify some of it. External monitoring catches what changes after the assessment is done.

How Do You Score and Tier Vendors?

Not every vendor needs the same level of scrutiny. A risk-tiered approach lets you focus resources where they matter.

Inherent risk is based on what the vendor accesses. A vendor with access to customer PII, financial data, or your production network has high inherent risk. A vendor that only handles public marketing materials has low inherent risk.

Residual risk is what’s left after the vendor’s controls are factored in. A high-inherent-risk vendor with strong controls (SOC 2, MFA enforced, encrypted storage) might have medium residual risk.

Tier assignment determines monitoring intensity:

  • Critical tier: Quarterly reassessment, continuous external monitoring, annual on-site or detailed review. These are vendors whose breach would shut down your operations.
  • High tier: Semi-annual reassessment, continuous external monitoring. Vendors with access to sensitive data but not operationally critical.
  • Medium tier: Annual reassessment, periodic external monitoring. Standard vendors with limited data access.
  • Low tier: Assessment at onboarding, event-triggered reviews only. Vendors with minimal data access and no network connectivity.
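As an added example (not part of the original article), the inherent-risk, residual-risk and tiering logic above expressed as a small scoring model. The weights, control credits and the rule that verified controls can remove at most half of the inherent risk are constructed assumptions for the illustration; review cadences follow the tier list above, with an external-monitoring alert forcing a review in every tier.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed weights for the illustration; calibrate them to your own program.
DATA_WEIGHTS = {"public_marketing": 1, "internal_docs": 2, "customer_pii": 4, "financial": 4}
NETWORK_WEIGHTS = {"none": 0, "limited": 1, "production": 3}
CRITICAL_BONUS = 3
CONTROL_CREDITS = {"soc2_type2": 2, "iso27001": 1, "mfa_enforced": 1, "encrypted_storage": 1}
REVIEW_DAYS = {"critical": 90, "high": 182, "medium": 365, "low": None}  # low: event-triggered only


@dataclass
class Vendor:
    name: str
    data_access: set           # categories of data the vendor touches
    network_access: str        # "none", "limited" or "production"
    operationally_critical: bool
    verified_controls: set     # only controls proven by document review, not questionnaire claims


def inherent_risk(v: Vendor) -> int:
    """Risk from what the vendor accesses, before any controls are considered."""
    data = max((DATA_WEIGHTS[d] for d in v.data_access), default=0)
    return data + NETWORK_WEIGHTS[v.network_access] + (CRITICAL_BONUS if v.operationally_critical else 0)


def residual_risk(v: Vendor) -> int:
    """Inherent risk minus credit for verified controls. Assumption: controls can remove
    at most half the inherent risk, so a PII vendor never scores like a newsletter vendor."""
    inherent = inherent_risk(v)
    credit = sum(CONTROL_CREDITS.get(c, 0) for c in v.verified_controls)
    return max((inherent + 1) // 2, inherent - credit)


def tier(v: Vendor) -> str:
    """Critical is decided by blast radius (operational criticality); the rest by residual score."""
    if v.operationally_critical and inherent_risk(v) >= 6:
        return "critical"
    r = residual_risk(v)
    if r >= 4:
        return "high"
    if r >= 2 or v.network_access != "none":
        return "medium"
    return "low"


def next_review(v: Vendor, assessed_on: date):
    """Scheduled reassessment date, or None when the tier is event-triggered only."""
    days = REVIEW_DAYS[tier(v)]
    return assessed_on + timedelta(days=days) if days else None


def review_due(v: Vendor, assessed_on: date, today: date, external_alert: bool = False) -> bool:
    """A rating drop or leaked-credential alert from external monitoring forces a review in any tier."""
    scheduled = next_review(v, assessed_on)
    return external_alert or (scheduled is not None and today >= scheduled)
```

A PII vendor with SOC 2, enforced MFA and encrypted storage lands in the medium tier here, matching the residual-risk example in the text, while the same vendor with nothing verified scores high.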

How Do You Assess AI Vendor Risk?

AI vendors are a relatively new risk category, and standard questionnaires don’t cover them well. 97% of AI-related breaches lacked proper access controls according to IBM’s 2025 report. If you’re using AI vendors (and you probably are), add these to your assessment.

Training data. Where does the vendor get their training data? Does your data get used for model training? Can you opt out? This has both privacy and IP implications.

Model access controls. Who can access the model’s outputs? Can the model access your production data? Are there guardrails against prompt injection?

Data retention. How long does the vendor retain your prompts and outputs? Some AI services log everything for training purposes. Check whether that complies with your data handling policies.

Hallucination and accuracy. For AI vendors making decisions that affect your business (risk scoring, fraud detection, content generation), what’s their accuracy monitoring process? How do they handle model drift?

These questions don’t fit neatly into standard SIG or CAIQ frameworks yet. Add them as a supplementary section for any vendor using AI in their service delivery.

The challenge with AI vendors is that the risk profile changes with every model update. A vendor that was safe last quarter may have retrained their model on new data or changed their data retention practices. Traditional annual assessments aren’t frequent enough. For AI vendors, include contractual requirements for notification when models are retrained or data handling practices change.

What Are the Common Pitfalls in Vendor Risk Assessment?

Even companies with formal TPRM programs make these mistakes.

Assessing at onboarding and never again. This is the most common failure. The vendor’s security standing at contract signing says nothing about their security two years later. People leave, systems change, and budgets get cut.

Treating all vendors the same. A tiered approach saves time and focuses resources. The vendor that handles your marketing newsletter doesn’t need the same scrutiny as the one running your payroll.

Relying on self-assessment alone. Vendors will always rate their own security favorably. Without document review and external monitoring to verify their claims, you’re taking their word for it.

Ignoring fourth-party risk. Your vendor may be secure, but what about their vendors? Ask about sub-processors during every assessment. If your vendor outsources data storage or processing to a company you’ve never heard of, that’s a blind spot.

Not connecting assessment results to action. Running assessments without acting on the findings is compliance theater. If a vendor scores poorly, there should be a clear escalation path: remediation plan, deadline, and consequences for non-compliance.

Conclusion

The vendors that were secure when you signed the contract may not be secure today. Tier your vendors, reassess on a schedule, and add AI-specific questions to your templates before that gap catches you off guard.

Check your exposure to see if your vendors’ credentials have already appeared on criminal markets.

Third-Party Risk Assessment FAQ

It’s the process of evaluating the security, compliance, and operational risks that come from working with external vendors. A good assessment covers what data the vendor accesses, how they protect it, whether they meet regulatory requirements, and how they’d respond to an incident.

NIST CSF and ISO 27001 are the most common reference frameworks. For questionnaires, SIG (Standardized Information Gathering) and CAIQ (Consensus Assessments Initiative Questionnaire) are industry standards. Pick one and customize it rather than building from scratch.

Combine inherent risk (what data they access, how critical they are to your operations) with residual risk (what controls they have in place). Score each domain (cybersecurity, compliance, operational, financial) separately. The combined score determines the vendor’s risk tier and review frequency.

Third-party risk comes from your direct vendors. Fourth-party risk comes from your vendors’ vendors. If your cloud provider uses a subcontractor for data storage, that subcontractor is your fourth party. You often don’t even know they exist. Ask vendors about their sub-processors during assessments.

Standard security questionnaires miss AI-specific risks. Add questions about training data sourcing, model access controls, data retention for model training, prompt injection defenses, and hallucination monitoring. 97% of AI-related breaches lacked access controls according to IBM’s 2025 report.

Security rating platforms monitor vendors’ external standing continuously. Credential monitoring catches when vendor credentials appear in breach data. GRC platforms manage questionnaires and documentation. Layer these rather than relying on one.
