Third-Party Vendor Compliance

Last Updated: April 24, 2026

Key Takeaways:

  • Vendor breaches represent one of the fastest-growing attack vectors. Because third parties often handle sensitive data and have privileged access, weak vendor security can directly translate into regulatory, financial, and reputational fallout for clients.

  • Effective third-party risk management requires deeper scrutiny than checklists or certifications alone. Organizations must evaluate how vendors store data, manage access, patch vulnerabilities, respond to incidents, and cascade requirements to subcontractors—then validate those claims with evidence.

  • Third-party security demands continuous oversight. Ongoing monitoring, contractual safeguards, and rapid-notification requirements ensure organizations can detect emerging risks early and contain threats.

Why vendor compliance matters

Vendors often have privileged access to internal systems, store large repositories of intellectual property, and process sensitive personally identifiable information (PII). With roughly one in three breaches tracing back to a vendor, third-party risk management (TPRM) is critical.

When a vendor you rely on gets breached, regulators generally treat you—the data controller or customer—as responsible, meaning fines and lawsuits. In 2025, the average cost of a breach in the U.S. rose to $10.22 million (well above the $4.4 million global average). According to IBM, this increase is at least partially driven by higher regulatory fines. While your liability depends on your contract, the jurisdiction, and specific laws, when it comes to public perception, a breach is a breach. You bear the brunt of the reputational damage, regardless of the vendor’s role in the breach.

In the rapidly evolving threat landscape, static compliance checklists are no longer sufficient. Organizations must adopt a new model for third-party cyber risk management.


What to evaluate in third-party vendors

Assessing third-party risk compliance consists of several key criteria:

Data storage, transmission, and access

Where does the vendor physically store your data? Cross-border data transfers may fall under multiple jurisdictions, complicating compliance, unless the vendor offers data residency options.

What encryption standards are used?

  • Data at rest: Vendors must use strong, modern encryption (e.g., AES-256 where appropriate) and have a clear crypto-agility plan for migrating algorithms when one is weakened.
  • Data in transit: Data moving between the client and the vendor, or between the vendor's internal microservices, must be encrypted using TLS 1.2+ (TLS 1.3 is preferred).

Encryption is only as strong as the key management. Ideally, the vendor should support customer-managed keys (CMK) or use hardware security modules (HSMs) to securely manage encryption keys.

Identity and access management (IAM) & MFA

Credential theft remains a top attack vector, accounting for 22% of breaches. Vendors must enforce identity and access controls, including mandatory MFA for all access to client data and for the vendor's own internal administrative access; phishing-resistant methods such as FIDO2/WebAuthn security keys or passkeys are preferable to SMS or push-based codes. Role-based access control (RBAC) further limits who holds admin rights.

Logging, monitoring, and incident response

Does the vendor collect tamper-evident, immutable logs? Can they export them to your SIEM? Without logs, forensic analysis is impossible: if a vendor can’t tell you what was accessed during a breach, you have to assume the worst, which inflates notification costs and liability. Confirm that log retention meets your regulatory needs (PCI DSS requires at least 12 months of audit log history, with the most recent three months immediately available; HIPAA and NIST guidance often implies longer retention).

Does the vendor have an incident response (IR) plan? Is it tested? Check its notification protocols. Many contracts say “without undue delay," which in practice can mean weeks. Look for a vendor that notifies you within 24–72 hours of discovery (not confirmation). Some regulations set specific windows; under the GDPR, for example, a controller must notify its supervisory authority within 72 hours of becoming aware of a breach, so a processor's delay eats directly into your own deadline.

Patching and vulnerability management

Exploitation of vulnerabilities (including unpatched systems) accounted for 20% of breaches in 2025, a 34% increase from the prior year. Ensure vendors have clear patch SLAs in their contract. Public guidance varies (for example, CISA advises 15 days for critical and 30 days for high issues), while organizations often adopt faster timelines for actively exploited zero-days. Agree to timelines that match your risk tolerance and regulatory obligations.

Security certifications and regulatory requirements

Certifications and attestations are helpful indicators of compliance, but they require nuanced interpretation. SOC 2, for instance, is an auditor's attestation report rather than a certification. Look for a vendor with a Type 2 report, which assesses the operating effectiveness of controls over a period (usually 6–12 months), rather than a Type 1 report, which only evaluates the design of controls at a point in time.

ISO 27001 demonstrates a formal information security management system and can support privacy compliance efforts, but it does not by itself ensure legal compliance with CCPA, HIPAA, etc. You’ll still need vendor attestations or controls specific to those laws.


How to assess vendor security

Confirming these security requirements can be challenging, as vendors may not be completely forthcoming about their weaknesses. Assessment is also not a one-time or even periodic undertaking—it’s an ongoing process.

To begin evaluating TPRM compliance, send questionnaires or security checklists. The Standardized Information Gathering (SIG) questionnaire and the Cloud Security Alliance's Consensus Assessments Initiative Questionnaire (CAIQ) are industry standards, but they can cause “response fatigue.” Avoid this by tailoring the questionnaire’s depth to the vendor’s risk tier, based on factors like the sensitivity of the data they handle, the level of system access they have, and how critical their services are to your operations. Don’t take responses on faith: request documentation, including policies, audit reports, and incident response plans, to back up claims. In some cases, you can use external scanning tools for validation.

Finally, confirm how vendors handle subcontractors and data sharing. Do they contractually push your security requirements down to their own subcontractors? Third-party platforms are a recurring entry point: the 2025 Qantas breach, which exposed 5.7 million customer records, began with unauthorised access to a third-party customer servicing platform used by one of the airline's contact centres. Fourth-party risk management (your vendors' vendors) is a crucial component of vendor compliance.


Managing ongoing vendor compliance

Third-party risk is dynamic. A vendor that’s secure in January may be compromised in June because of a new zero-day vulnerability or a merger that dilutes its security culture. For what is now a primary attack vector, annual reassessments are insufficient. Instead, use continuous monitoring tools. Security rating services like SecurityScorecard or BitSight passively scan vendors' internet-facing assets and alert you to expired TLS certificates, newly exposed ports, and vendor domains or IP addresses appearing on malware blocklists.

Organizations can also use trigger-based assessments, for example, if the vendor is acquired, a major vulnerability in their tech stack is announced, or they experience a security incident.

Make sure that your contract clearly lays out expectations for security and breach reporting. Mandate notification within 24 to 72 hours of discovery, not confirmation. Other considerations include:

  • Right to audit: Include a clause allowing you to conduct an independent audit or scan of the vendor's environment if a credible threat arises.
  • Liability and indemnification: Ensure the vendor is financially liable for the costs of a breach they cause, including credit monitoring for affected customers, legal fees, and regulatory fines.
  • Cyber insurance: Require the vendor to carry sufficient cyber liability insurance.

Finally, agree on a concrete offboarding process so there are no loose ends after your partnership concludes. Require a certificate of destruction confirming all client data has been purged. Revoke all VPN credentials, API tokens, and user accounts immediately, rotate any shared secrets the vendor held, and confirm the revocations in your own identity and access logs rather than relying on the vendor’s word.


Common challenges in third-party risk management

Even with a strong framework in place, systemic challenges can undermine third-party security compliance. One problem that continues to plague vendors, especially SMBs, is the misconception that they are too small or obscure to be targeted. The truth is just the opposite: attackers target SMB vendors specifically because they’re a gateway to larger enterprises (aka "island hopping").

Another undermining factor involves employees introducing shadow IT, specifically AI, into networks. Unauthorized AI tools played a part in 20% of breaches last year.

Possibly the most nerve-wracking aspect of third-party risk management is the black box problem. Once you share your data with a partner, you have limited visibility into how it’s used. Beyond the frameworks you have in place, you are to some extent taking a leap of faith that your vendors will uphold their end of managing your mutual risk. That’s where tools that detect vendor-related threats come in.


Strengthen third-party security with Huntress

Huntress Managed EDR, SIEM, and ITDR help businesses monitor vendor-related activity, detect identity misuse, and spot threats that slip in through third-party access. Explore how our platform and 24/7 SOC can help guard against third-party risk and shut down one of hackers’ most common attack vectors.
