Vendor Risk Management: Protecting Your Business from Third-Party Security Breaches

image source: https://pixabay.com/vectors/sign-security-coat-of-arms-7588447/

Your cybersecurity is only as strong as your weakest vendor.

You've invested thousands in firewalls, endpoint protection, employee training, and multi-factor authentication. Your network is locked down tight. Your team follows security protocols religiously. You've passed every compliance audit.

Then you get the email that changes everything: "We regret to inform you that a security incident has occurred affecting our systems..."

It's not your systems that were breached. It's your payroll provider. Or your cloud backup service. Or your CRM platform. Or your email marketing tool. And because they had access to your data, your customer information is now in the hands of cybercriminals.

At Lewis IT, we've helped dozens of Maryland businesses recover from third-party vendor breaches, and the pattern is always the same: companies that invested heavily in their own security but failed to scrutinize their vendors' security practices.

According to the U.S. Government Accountability Office (GAO), federal agencies have been urged to rigorously assess software supply chain risks—a critical lesson that applies to every business, regardless of size or industry.

The uncomfortable reality: You're responsible for protecting customer data even when a vendor you trusted is the one who lost it. And that responsibility includes legal liability, regulatory fines, and reputational damage.

The Hidden Danger: Your Extended Attack Surface

Lewis IT conducts security assessments for Maryland businesses across healthcare, financial services, professional services, and technology sectors. When we map their attack surface, clients are consistently shocked by what we discover.

The Vendor Access Audit That Changes Perspectives

Typical Small Business (50 employees):

  • 40-60 SaaS applications with active subscriptions
  • 15-25 vendors with direct network or system access
  • 8-12 vendors storing customer data
  • 3-5 vendors with administrative privileges

Each vendor represents a potential breach pathway.

Lewis IT recently assessed a Maryland healthcare practice that believed they had "maybe 10 vendors." Our comprehensive audit identified 47 third-party services with varying levels of data access—including several the practice owner had completely forgotten about.

Every single one of those vendors represented potential HIPAA liability.

The Cascade Effect: How Vendor Breaches Multiply

When Lewis IT investigates vendor-originated security incidents, we consistently see cascading impacts:

Stage 1: Initial Vendor Compromise

  • Cybercriminals breach vendor systems through phishing, vulnerability exploitation, or insider threat
  • Attacker gains access to vendor's customer database
  • Your company's data is now in attacker's possession

Stage 2: Secondary Target Attacks

  • Using data stolen from vendor, attackers research your business
  • They craft highly targeted phishing campaigns using legitimate-looking information
  • Your employees receive emails that appear to come from trusted vendor
  • Credentials are compromised, malware installed, or wire transfer fraud executed

Stage 3: Operational Chaos

  • Your IT team discovers the breach (often weeks after it started)
  • All systems potentially accessed by compromised vendor must be investigated
  • Credentials changed across entire organization
  • Customer notification requirements triggered
  • Regulatory investigation initiated

Stage 4: Long-Term Consequences

  • Legal liability for failing to protect customer data
  • Regulatory fines (HIPAA, GDPR, state privacy laws)
  • Class action lawsuits from affected customers
  • Insurance premium increases or coverage denial
  • Reputational damage that persists for years

Lewis IT has seen Maryland businesses face six-figure costs from vendor breaches despite having excellent internal security posture.

The Real Cost of Vendor Security Failures

When discussing vendor risk management, business leaders often focus on immediate breach costs. Lewis IT helps clients understand the comprehensive financial impact.

Direct Financial Costs

Regulatory Penalties:

  • HIPAA violations: $100-$50,000 per violation (can reach millions for widespread breaches)
  • GDPR fines: Up to 4% of annual global revenue
  • State privacy law penalties: Vary by jurisdiction, often $2,500-7,500 per affected individual
  • PCI DSS fines: $5,000-100,000 per month for non-compliance

Legal Expenses:

  • Breach investigation and forensics: $50,000-500,000+
  • Legal defense and settlement: $100,000-millions depending on class action scope
  • Customer notification: $2-5 per individual (postal mail, credit monitoring offers)
  • Regulatory defense and compliance remediation: $75,000-500,000+

Operational Disruption:

  • IT staff diverted to incident response (weeks to months)
  • Business operations slowed or halted
  • Customer service overwhelmed with breach inquiries
  • Sales pipeline disruption from reputational damage

Hidden Costs That Destroy Value

Lewis IT emphasizes costs that don't appear on initial impact assessments:

Strategic Initiative Delays:

Your IT team was implementing new systems, optimizing workflows, or supporting business expansion. Now they're conducting forensic analysis of a vendor breach. Strategic projects stall for months while responding to someone else's security failure.

Staff Burnout and Turnover:

Incident response is exhausting. Your best IT personnel work 60-80 hour weeks managing breach response. Within 6-12 months, they leave for less stressful roles. Recruitment and training costs compound the breach impact.

Customer Lifetime Value Destruction:

Customers affected by the breach don't just leave—they warn others. Negative reviews, social media complaints, and word-of-mouth damage persist for years. Acquiring new customers becomes more expensive as your reputation suffers.

Competitive Disadvantage:

While you're managing breach response, competitors are innovating. The months spent in crisis mode represent lost market opportunities that may never be recaptured.

Insurance Impact:

Cyber insurance premiums increase 50-200% after a breach. Some insurers refuse renewal entirely. Future coverage includes higher deductibles and more exclusions, particularly for vendor-related incidents.

Lewis IT clients who implement proactive vendor risk management avoid these cascading costs entirely.

The Lewis IT Vendor Security Assessment Framework

After managing vendor security programs for dozens of Maryland businesses, Lewis IT has refined a systematic approach to third-party risk management.

Phase 1: Vendor Inventory and Risk Classification (Week 1-2)

Objective: Complete visibility into vendor ecosystem with risk-based prioritization.

Lewis IT Implementation:

Comprehensive Vendor Discovery:

Most businesses dramatically underestimate their vendor count. Lewis IT uses multiple discovery methods:

  • Financial system analysis (all companies receiving payments)
  • Network traffic analysis (all external connections)
  • Cloud application audit (all SaaS subscriptions)
  • Email domain analysis (all regular external senders)
  • Employee interviews (shadow IT discovery)
  • Contract and procurement review
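The "email domain analysis" discovery method above can be automated against a mail gateway export. The script below is an added example, not Lewis IT's tooling: it tallies external sender domains from a constructed mail log, compares them with a constructed known-vendor inventory, and lists the domains that recur but are not on the inventory as shadow-IT candidates for review. The log format (timestamp, sender, recipient per line), the domains and the inventory are all assumptions for the example.

```python
"""Vendor discovery by email domain analysis (added example, not Lewis IT code)."""
from collections import Counter
import re

# Constructed sample log: one message per line as "timestamp sender recipient".
# A real gateway export would be mapped onto the same three fields.
SAMPLE_LOG = """\
2024-05-01T08:12:03 notices@payroll-provider.example billing@acme.example
2024-05-01T09:45:10 alerts@cloudbackup.example itops@acme.example
2024-05-02T10:02:44 support@chatwidget.example frontdesk@acme.example
2024-05-02T11:30:00 jane@acme.example bob@acme.example
2024-05-03T14:20:19 notices@payroll-provider.example billing@acme.example
2024-05-03T15:01:57 support@chatwidget.example frontdesk@acme.example
2024-05-04T08:00:00 newsletter@marketing-tool.example sales@acme.example
2024-05-05T08:00:00 notices@payroll-provider.example billing@acme.example
2024-05-05T09:10:12 support@chatwidget.example frontdesk@acme.example
"""

INTERNAL_DOMAIN = "acme.example"                                      # constructed
KNOWN_VENDORS = {"payroll-provider.example", "cloudbackup.example"}   # constructed inventory

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<sender>\S+@\S+)\s+(?P<rcpt>\S+@\S+)$")


def parse_log(text):
    """Yield (sender_domain, recipient_domain) pairs, skipping malformed lines."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        yield m["sender"].split("@")[1].lower(), m["rcpt"].split("@")[1].lower()


def external_sender_counts(text, internal_domain=INTERNAL_DOMAIN):
    """Count messages per external sender domain delivered to internal mailboxes.

    Internal-to-internal traffic is ignored; only domains that regularly
    send into the organisation are vendor candidates.
    """
    counts = Counter()
    for sender_dom, rcpt_dom in parse_log(text):
        if sender_dom != internal_domain and rcpt_dom == internal_domain:
            counts[sender_dom] += 1
    return counts


def discover_unknown_vendors(text, known=KNOWN_VENDORS, min_messages=2):
    """Return external domains seen at least min_messages times that are absent
    from the vendor inventory: the shadow-IT candidates to follow up on."""
    counts = external_sender_counts(text)
    return sorted(dom for dom, n in counts.items()
                  if n >= min_messages and dom not in known)


if __name__ == "__main__":
    for dom, n in external_sender_counts(SAMPLE_LOG).most_common():
        print(f"{n:3d}  {dom}")
    print("Not in inventory:", discover_unknown_vendors(SAMPLE_LOG))
```

The `min_messages` threshold suppresses one-off senders; lowering it to 1 surfaces every external domain, which is the right setting for a first inventory pass and too noisy for a recurring audit.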

Risk Classification Matrix:

Lewis IT categorizes vendors across two dimensions:

Data Sensitivity Access:

  • Critical: Access to protected health information, payment data, or regulated information
  • High: Access to customer PII, financial records, or intellectual property
  • Medium: Access to internal business data, employee information
  • Low: Minimal data access, public information only

System Access Level:

  • Critical: Network admin access, infrastructure management, authentication systems
  • High: Direct system integration, API connections, database access
  • Medium: Application-level access, file sharing, collaboration tools
  • Low: Isolated tools, no integration with critical systems

Priority Matrix Example:

Data Sensitivity | System Access | Risk Level | Assessment Frequency
-----------------|---------------|------------|---------------------
Critical         | Critical      | CRITICAL   | Quarterly
Critical         | High          | CRITICAL   | Quarterly
High             | Critical      | CRITICAL   | Quarterly
Critical         | Medium        | HIGH       | Semi-annually
High             | High          | HIGH       | Semi-annually
Medium           | Critical      | HIGH       | Semi-annually
Medium           | Medium        | MEDIUM     | Annually
High             | Low           | MEDIUM     | Annually
Low              | Any           | LOW        | As needed

Deliverable: Complete vendor inventory with assigned risk levels and assessment schedules.

Phase 2: Security Questionnaire Development and Distribution (Week 2-4)

Objective: Gather standardized security information from all vendors.

Lewis IT Vendor Security Questionnaire:

For ALL Vendors (Baseline Questions):

Security Certifications and Compliance:

  • What security certifications do you hold? (SOC 2, ISO 27001, PCI DSS, HITRUST, etc.)
  • Are certifications current? Can you provide recent audit reports?
  • What compliance frameworks do you follow? (HIPAA, GDPR, CCPA, etc.)

Data Handling and Encryption:

  • What data of ours do you store, process, or transmit?
  • How is our data encrypted? (at rest, in transit)
  • What encryption standards do you use? (AES-256, TLS 1.3, etc.)
  • Where is our data physically located? (data center locations, countries)
  • Do you share our data with fourth parties or subprocessors?

Incident Response and Breach Notification:

  • What is your breach notification policy and timeline?
  • How quickly will you notify us of security incidents affecting our data?
  • What is your incident response process?
  • Have you experienced security breaches in the past 3 years?

Access Control and Authentication:

  • How do you manage employee access to customer data?
  • What authentication methods do you use? (MFA required?)
  • How often do you review and revoke access?
  • Do you follow principle of least privilege?

Security Testing and Monitoring:

  • Do you perform regular penetration testing? How frequently?
  • Do you conduct vulnerability scanning? How frequently?
  • What security monitoring and logging do you implement?
  • How long are security logs retained?

For HIGH/CRITICAL Risk Vendors (Additional Questions):

Vendor Supply Chain:

  • What critical subprocessors or vendors do YOU use?
  • How do you assess THEIR security?
  • What happens if your critical vendor is breached?

Business Continuity and Disaster Recovery:

  • What is your RTO (Recovery Time Objective) and RPO (Recovery Point Objective)?
  • Do you have tested disaster recovery plans?
  • How frequently do you test backups and recovery procedures?

Security Program Maturity:

  • Do you have a dedicated security team? How many personnel?
  • Who is your Chief Information Security Officer (CISO)?
  • What security awareness training do employees receive?
  • Do you conduct background checks on employees with data access?

Network and Infrastructure Security:

  • What network segmentation do you implement?
  • How do you protect against DDoS attacks?
  • What endpoint protection do you deploy?
  • How do you secure your development and production environments?

Lewis IT Distribution and Tracking:

  • Automated questionnaire distribution based on vendor risk level
  • Response tracking with follow-up reminders
  • Incomplete or inadequate response flagging
  • Escalation for non-responsive critical vendors

Deliverable: Completed security questionnaires from all vendors with identified gaps and concerns.

Phase 3: Response Analysis and Risk Scoring (Week 4-6)

Objective: Convert questionnaire responses into actionable risk assessments.

Lewis IT Evaluation Methodology:

Red Flags Requiring Immediate Action:

  • No security certifications despite handling sensitive data
  • Refusal to answer security questions
  • Recent breaches that weren't previously disclosed
  • No encryption for data at rest or in transit
  • Breach notification timeline exceeds 72 hours
  • No MFA for employee access to customer data
  • No penetration testing or vulnerability scanning
  • Data stored in jurisdictions with weak privacy laws
  • Subprocessors not disclosed or assessed

Yellow Flags Requiring Monitoring:

  • Certifications expired or outdated
  • Limited security team resources
  • Infrequent security testing (annually vs. quarterly)
  • Weak encryption standards (older protocols)
  • Limited logging or short retention periods
  • Generic disaster recovery plans without testing
  • Inconsistent responses or vague details

Green Flags Indicating Strong Security:

  • Current SOC 2 Type II or ISO 27001 certification
  • Comprehensive breach notification policy (24-48 hour commitment)
  • Regular third-party penetration testing (quarterly)
  • Strong encryption standards (AES-256, TLS 1.3)
  • MFA required for all employee access
  • Dedicated security team with named CISO
  • Detailed incident response plans with testing
  • Transparent subprocessor disclosure and management

Vendor Security Score:

Lewis IT assigns numerical scores (0-100) based on:

  • Certification and compliance (25 points)
  • Data protection and encryption (20 points)
  • Access control and authentication (15 points)
  • Incident response and breach notification (15 points)
  • Security testing and monitoring (15 points)
  • Business continuity planning (10 points)

Risk-Adjusted Score = Vendor Security Score × Vendor Risk Classification
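The Phase 1 priority matrix and the Phase 3 score weights combine into a ranking that decides which vendors get attention first. The script below is an added example, not Lewis IT's own framework or tooling: it encodes the matrix rows and the category point maxima exactly as the page lists them, then scores and ranks a constructed vendor list. Three things are assumptions rather than page content: the ordinal-sum rule used for sensitivity/access combinations the matrix does not print (it reproduces every printed row), the numeric weights 4/3/2/1 given to the risk classification in the risk-adjusted score formula, and the sample vendors.

```python
"""Vendor risk classification and security scoring (added example, not Lewis IT code)."""

LEVELS = {"Low": 0, "Medium": 1, "High": 2, "Critical": 3}

# Priority matrix rows as printed on the page: (data sensitivity, system access) -> risk level
PRIORITY_MATRIX = {
    ("Critical", "Critical"): "CRITICAL", ("Critical", "High"): "CRITICAL",
    ("High", "Critical"): "CRITICAL",     ("Critical", "Medium"): "HIGH",
    ("High", "High"): "HIGH",             ("Medium", "Critical"): "HIGH",
    ("Medium", "Medium"): "MEDIUM",       ("High", "Low"): "MEDIUM",
}
FREQUENCY = {"CRITICAL": "Quarterly", "HIGH": "Semi-annually",
             "MEDIUM": "Annually", "LOW": "As needed"}

# Phase 3 category maxima (sum to 100) from the page
SCORE_WEIGHTS = {
    "certification": 25, "data_protection": 20, "access_control": 15,
    "incident_response": 15, "security_testing": 15, "business_continuity": 10,
}
# Assumed numeric value of "Vendor Risk Classification" in the risk-adjusted formula
CLASS_WEIGHT = {"CRITICAL": 4, "HIGH": 3, "MEDIUM": 2, "LOW": 1}


def ordinal_level(data_sensitivity, system_access):
    """Assumed rule for combinations the matrix does not print: add the two
    ordinal levels (Low=0 .. Critical=3); >=5 CRITICAL, 4 HIGH, 2-3 MEDIUM, else LOW."""
    total = LEVELS[data_sensitivity] + LEVELS[system_access]
    if total >= 5:
        return "CRITICAL"
    if total == 4:
        return "HIGH"
    return "MEDIUM" if total >= 2 else "LOW"


def classify(data_sensitivity, system_access):
    """Return (risk level, assessment frequency) for a vendor."""
    if data_sensitivity not in LEVELS or system_access not in LEVELS:
        raise ValueError(f"unknown level: {data_sensitivity!r}/{system_access!r}")
    if data_sensitivity == "Low":            # "Low / Any -> LOW" row on the page
        level = "LOW"
    else:
        level = PRIORITY_MATRIX.get((data_sensitivity, system_access)) \
            or ordinal_level(data_sensitivity, system_access)
    return level, FREQUENCY[level]


def security_score(category_points):
    """Sum per-category points into the 0-100 Vendor Security Score,
    rejecting unknown categories and points above a category's maximum."""
    unknown = set(category_points) - set(SCORE_WEIGHTS)
    if unknown:
        raise ValueError(f"unknown categories: {sorted(unknown)}")
    total = 0
    for category, maximum in SCORE_WEIGHTS.items():
        points = category_points.get(category, 0)
        if not 0 <= points <= maximum:
            raise ValueError(f"{category}: {points} outside 0..{maximum}")
        total += points
    return total


def risk_adjusted_score(score, risk_level):
    """Page formula: Vendor Security Score x Vendor Risk Classification (weights assumed)."""
    return score * CLASS_WEIGHT[risk_level]


def rank_vendors(vendors):
    """Return assessment rows ordered highest risk first, lowest score first within a level."""
    rows = []
    for v in vendors:
        level, freq = classify(v["data"], v["access"])
        score = security_score(v["points"])
        rows.append({"name": v["name"], "risk": level, "frequency": freq,
                     "score": score, "adjusted": risk_adjusted_score(score, level)})
    rows.sort(key=lambda r: (-CLASS_WEIGHT[r["risk"]], r["score"]))
    return rows


# Constructed sample vendors (names, levels and points are invented for the example)
SAMPLE_VENDORS = [
    {"name": "EHR platform", "data": "Critical", "access": "High",
     "points": {"certification": 25, "data_protection": 20, "access_control": 15,
                "incident_response": 10, "security_testing": 15, "business_continuity": 10}},
    {"name": "Website chat widget", "data": "Critical", "access": "Medium",
     "points": {"certification": 0, "data_protection": 10, "access_control": 5}},
    {"name": "Payroll processor", "data": "High", "access": "High",
     "points": {"certification": 25, "data_protection": 15, "access_control": 10,
                "incident_response": 15, "security_testing": 10, "business_continuity": 5}},
    {"name": "Office supply portal", "data": "Low", "access": "Low",
     "points": {"certification": 10, "data_protection": 10}},
]

if __name__ == "__main__":
    for r in rank_vendors(SAMPLE_VENDORS):
        print(f"{r['risk']:8} {r['frequency']:13} score={r['score']:3} "
              f"adjusted={r['adjusted']:3}  {r['name']}")
```

Sorting by risk level first and security score second puts a poorly scoring HIGH-risk vendor (the chat widget) ahead of a well-run one at the same level, which is the remediation order the phase is meant to produce; the risk-adjusted figure is kept alongside as the page's own metric.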

Deliverable: Risk-scored vendor list identifying critical gaps and action items.

Phase 4: Contract Review and Remediation (Week 6-10)

Objective: Ensure legal protections and security requirements are contractually enforceable.

Lewis IT Contract Security Provisions:

Mandatory Clauses for All Vendor Contracts:

Security Requirements:

  • Specific security standards vendor must maintain (encryption, MFA, monitoring)
  • Required certifications and recertification timelines
  • Commitment to follow industry best practices and compliance frameworks

Data Protection:

  • Definition of what data vendor can access and how it must be protected
  • Prohibition on data sharing with third parties without consent
  • Data deletion requirements upon contract termination
  • Compliance with applicable privacy regulations (HIPAA, GDPR, CCPA)

Breach Notification:

  • Maximum notification timeline (Lewis IT recommends 24-72 hours)
  • Required information in breach notification
  • Vendor responsibility for customer notification costs
  • Vendor liability for breach-related damages

Audit Rights:

  • Right to audit vendor security practices (annually or upon suspicion)
  • Right to review SOC 2 reports or equivalent certifications
  • Right to review incident reports and security logs
  • Right to terminate immediately if material security deficiencies discovered

Liability and Indemnification:

  • Vendor liability for security failures and resulting damages
  • Indemnification for regulatory fines resulting from vendor breach
  • Insurance requirements (cyber liability coverage minimums)
  • Limitation of liability cannot exclude breach-related damages

Subprocessor Management:

  • Requirement to disclose all subprocessors
  • Right to approve/reject subprocessors
  • Vendor responsibility for subprocessor security
  • Flow-down of security requirements to subprocessors

Remediation Process:

When existing contracts lack security provisions, Lewis IT:

  1. Requests contract amendments incorporating security requirements
  2. Negotiates addendums for vendors unwilling to amend
  3. Flags vendors refusing security terms for replacement consideration
  4. Documents accepted risk for vendors where no alternatives exist

Deliverable: Contracts updated with enforceable security requirements and identified vendors requiring replacement.

Phase 5: Continuous Monitoring and Periodic Reassessment (Ongoing)

Objective: Maintain current vendor risk awareness and respond to changes.

Lewis IT Monitoring Strategies:

Automated Vendor Security Rating Services:

Lewis IT implements third-party monitoring platforms:

  • SecurityScorecard: Continuously rates vendor security posture
  • BitSight: Real-time security ratings based on external observations
  • RiskRecon: Detailed cyber risk analytics for vendor portfolio

These services alert when:

  • Vendor security rating drops significantly
  • Vendor appears in data breach databases
  • New vulnerabilities discovered affecting vendor systems
  • SSL certificates expire or become compromised

Scheduled Reassessments:

  • Critical risk vendors: Quarterly security questionnaire updates
  • High risk vendors: Semi-annual reviews
  • Medium/low risk vendors: Annual reviews
  • All vendors: Ad-hoc review upon contract renewal

Breach Intelligence Monitoring:

Lewis IT tracks:

  • Public breach disclosures affecting vendors
  • Dark web monitoring for vendor credential leaks
  • Security researcher disclosures of vendor vulnerabilities
  • News media coverage of vendor security incidents

Deliverable: Real-time vendor risk awareness with proactive remediation of emerging threats.

Industry-Specific Vendor Risk Management Requirements

Different sectors face unique compliance obligations and risk profiles. Lewis IT tailors vendor risk programs to industry-specific needs.

Healthcare (HIPAA Business Associate Requirements)

Unique Compliance Obligations:

Business Associate Agreements (BAAs):

  • Required for ANY vendor accessing protected health information (PHI)
  • Specific HIPAA safeguard requirements
  • Breach notification obligations (60 days for patient notification)
  • Right to audit and inspect vendor security controls

Lewis IT Healthcare Vendor Assessment:

  • HITRUST certification strongly preferred
  • Specific encryption requirements for PHI
  • Access logging and audit trail requirements
  • Subcontractor BAA flow-down verification
  • Regular HIPAA compliance training for vendor staff

High-Risk Healthcare Vendors:

  • Electronic Health Record (EHR) systems
  • Practice management platforms
  • Medical billing services
  • Telehealth platforms
  • Cloud storage for medical images
  • Patient portal providers
  • Email and communication platforms handling PHI

Example: Lewis IT helped a Maryland medical practice discover their website chat provider didn't have a BAA despite collecting patient information through the chat widget—a clear HIPAA violation.

Financial Services (PCI DSS and SOX Compliance)

Unique Compliance Obligations:

PCI DSS Requirements:

  • Vendors processing, storing, or transmitting payment card data must be PCI DSS compliant
  • Quarterly vulnerability scanning
  • Annual penetration testing
  • Network segmentation and isolation

SOX Compliance (for public companies):

  • Vendor controls affecting financial reporting
  • Documented change management processes
  • Segregation of duties requirements

Lewis IT Financial Services Vendor Assessment:

  • PCI DSS certification verification (Level 1-4 based on transaction volume)
  • SOC 2 Type II focusing on security and availability
  • Specific controls around financial data integrity
  • Change management and version control practices
  • Disaster recovery with documented RTOs

High-Risk Financial Services Vendors:

  • Payment processors and gateways
  • Core banking platforms
  • Investment management systems
  • Accounting and financial reporting software
  • Payroll processors
  • Trading platforms

Professional Services (Client Confidentiality)

Unique Risk Considerations:

Client Data Protection:

  • Vendor access to confidential client information
  • Attorney-client privilege concerns (for law firms)
  • Work product confidentiality
  • Conflict of interest risks

Lewis IT Professional Services Vendor Assessment:

  • Data segregation ensuring client data isolation
  • Confidentiality agreements and NDAs
  • Access control preventing cross-client data exposure
  • Document retention and destruction policies
  • Client approval requirements for sensitive data sharing

High-Risk Professional Services Vendors:

  • Document management systems
  • Client portal platforms
  • Project management tools
  • Time and billing systems
  • E-signature platforms
  • Cloud storage and collaboration tools

Small Business (Resource-Constrained Risk Management)

Practical Challenges:

Small businesses face vendor risk management challenges Lewis IT helps address:

  • Limited IT staff for comprehensive vendor assessments
  • Smaller budgets restricting vendor options
  • Less negotiating leverage with large vendors
  • Lack of in-house security expertise

Lewis IT Small Business Vendor Program:

Simplified Risk Tiers:

  • Critical: Vendors storing customer payment/PII data (requires full assessment)
  • Important: Vendors with system access (requires basic questionnaire)
  • Standard: General business tools (requires certification verification)

Practical Vendor Selection:

  • Prioritize vendors with published SOC 2 reports (reduces assessment burden)
  • Use industry-standard contracts with security provisions
  • Implement free/low-cost monitoring (Google Alerts for vendor breaches)
  • Leverage vendor security certifications as assessment proxy

Budget-Friendly Implementation:

  • Focus resources on highest-risk vendors
  • Use questionnaire templates (Lewis IT provides)
  • Annual assessment cycle vs. continuous monitoring
  • Group vendor reviews for efficiency

Common Vendor Risk Management Mistakes Lewis IT Helps Clients Avoid

After years of incident response and security consulting, Lewis IT has identified patterns of vendor risk management failures.

Mistake 1: "Too Big to Breach" Assumption

The Problem: Assuming major vendors like Microsoft, Google, or Salesforce don't require security assessment because they're sophisticated companies.

The Reality: While these vendors invest heavily in security, YOUR configuration and usage create risks. Most breaches of cloud platforms result from customer misconfiguration, not vendor security failures.

Lewis IT Solution:

  • Assess HOW you're using major platforms, not just who the vendor is
  • Review access controls, encryption settings, data sharing permissions
  • Audit user privileges and authentication requirements
  • Verify backup and recovery configurations

Mistake 2: One-Time Assessment

The Problem: Conducting vendor security assessment during vendor selection, then never reassessing.

The Reality: Vendor security postures change. Companies get acquired, cut security budgets, experience breaches, lose certifications, or change subprocessors.

Lewis IT Solution:

  • Scheduled reassessment based on vendor risk level
  • Continuous monitoring through security rating services
  • Contract renewal triggers comprehensive review
  • Breach intelligence monitoring for early warnings

Mistake 3: Accepting Generic Security Claims

The Problem: Vendors claim to be "bank-level security" or "enterprise-grade" without providing evidence.

The Reality: Marketing claims don't equal actual security practices. Without verification, you're trusting unsubstantiated assertions.

Lewis IT Solution:

  • Require specific certifications (SOC 2, ISO 27001, not vague claims)
  • Request actual audit reports, not just certificates
  • Verify certification validity with issuing bodies
  • Reject vendors unwilling to provide evidence

Mistake 4: Forgetting About Subprocessors

The Problem: Thoroughly vetting direct vendors while ignoring their subprocessors and third-party dependencies.

The Reality: Many major breaches originate from fourth parties (your vendor's vendor). Your data flows to companies you've never heard of.

Lewis IT Solution:

  • Require complete subprocessor disclosure
  • Vendors must assess their own vendors' security
  • Contract clauses requiring approval of new subprocessors
  • Right to audit or review subprocessor certifications

Mistake 5: No Breach Notification Timeline

The Problem: Contracts lacking specific breach notification requirements, leaving timeline to vendor's discretion.

The Reality: Some vendors delay breach notification for weeks or months while investigating, preventing your timely response and potentially violating YOUR regulatory obligations.

Lewis IT Solution:

  • Contractual requirement: 24-72 hour breach notification
  • Specific information required in initial notification
  • Ongoing update requirements as investigation proceeds
  • Right to conduct independent investigation

Mistake 6: IT Decisions Without Vendor Security Review

The Problem: Departments selecting and implementing SaaS tools without IT or security team involvement.

The Reality: Shadow IT creates unvetted vendor relationships, often with inadequate security, creating compliance gaps and vulnerabilities.

Lewis IT Solution:

  • Mandatory IT approval for any vendor accessing company data
  • Simplified approval process for pre-vetted vendors
  • Regular shadow IT discovery audits
  • Employee education on vendor security importance

Implementing Your Vendor Risk Management Program: Lewis IT's Practical Roadmap

Lewis IT helps Maryland businesses implement comprehensive vendor risk management without overwhelming limited resources.

Month 1: Foundation and Critical Vendor Assessment

Week 1-2: Vendor Discovery and Risk Classification

  • Complete vendor inventory across all departments
  • Assign risk levels based on data access and system privileges
  • Identify 5-10 highest-risk vendors for immediate assessment

Week 3-4: Critical Vendor Questionnaires

  • Distribute security questionnaires to critical/high-risk vendors
  • Request current SOC 2, ISO 27001, or equivalent certifications
  • Review existing contracts for security provisions
  • Identify immediate red flags requiring action

Deliverable: Risk-classified vendor inventory with critical vendor security assessments initiated.

Month 2: Broader Assessment and Contract Review

Week 5-6: Medium-Risk Vendor Assessment

  • Distribute questionnaires to medium-risk vendors
  • Begin contract review for security provision gaps
  • Draft standard security addendum template

Week 7-8: Response Analysis and Gap Identification

  • Analyze vendor questionnaire responses
  • Score vendors using Lewis IT risk framework
  • Identify vendors requiring remediation or replacement
  • Prioritize contract amendment negotiations

Deliverable: Complete vendor security assessment with identified gaps and action plan.

Month 3: Remediation and Ongoing Process Implementation

Week 9-10: High-Priority Remediation

  • Negotiate contract amendments with critical vendors
  • Begin replacement vendor evaluation for non-compliant vendors
  • Implement monitoring services for continuous visibility

Week 11-12: Process Documentation and Training

  • Document vendor risk management policies and procedures
  • Train procurement and IT teams on vendor assessment requirements
  • Establish ongoing reassessment schedule
  • Implement vendor approval workflow for new vendors

Deliverable: Operational vendor risk management program with continuous improvement processes.

The Competitive Advantage of Proactive Vendor Risk Management

While managing vendor risk prevents catastrophic breaches, Lewis IT helps clients understand the strategic benefits.

Client and Partner Confidence

When prospects evaluate your business, vendor risk management demonstrates:

  • Mature security program beyond basic requirements
  • Serious commitment to data protection
  • Professional approach to third-party relationships
  • Reduced risk of breaches affecting their data

Lewis IT clients consistently report that documented vendor risk programs accelerate sales cycles and improve close rates.

Regulatory Compliance Demonstration

Auditors and regulators increasingly scrutinize vendor management. Lewis IT's program provides:

  • Documented due diligence evidence
  • Contractual security requirements
  • Ongoing monitoring and reassessment
  • Incident response procedures including vendor breaches

Insurance Premium Reduction

Cyber insurance underwriters view vendor risk management favorably:

  • Demonstrates risk reduction efforts
  • Reduces likelihood of claims
  • Can result in 10-20% premium reductions
  • Improves policy terms and coverage limits

Operational Resilience

Strong vendor relationships include:

  • Clear expectations and accountabilities
  • Documented escalation procedures
  • Tested incident response coordination
  • Business continuity planning including vendor failures

Take Control of Your Third-Party Risk Today

Your cybersecurity perimeter extends far beyond your office walls. Every vendor with access to your data or systems represents potential vulnerability—but also an opportunity to demonstrate security maturity and build resilience.

Lewis IT transforms vendor risk from abstract concern to managed strategic advantage. Our systematic approach ensures comprehensive visibility, risk-based prioritization, and continuous monitoring that protects your business without overwhelming your resources.

Whether you're just beginning vendor risk management or refining existing programs, Lewis IT has the expertise to guide Maryland businesses through every phase of implementation.

Don't wait for a vendor breach to expose gaps in your third-party risk management. Build defenses today.

Secure Your Vendor Ecosystem: Contact Lewis IT

Ready to assess and manage your vendor security risks? Lewis IT offers complimentary vendor risk assessments identifying your highest-priority third parties and immediate action items.

We'll review your vendor ecosystem, evaluate your current contracts and security provisions, and provide a detailed roadmap for comprehensive vendor risk management implementation.

Email: info@lewisit.io
Phone: 240-784-1221
Website: www.lewisit.io/contact-us

Your vendors shouldn't be your weakest link. Contact Lewis IT today and transform third-party relationships from vulnerability to strategic advantage.


Frequently Asked Questions About Vendor Risk Management

Which vendors should I prioritize when assessing security risk?

Lewis IT recommends prioritizing vendor assessment in this order: First, any vendor with direct network or infrastructure access (MSPs, cloud providers, SaaS platforms with API integrations). Second, vendors storing or processing sensitive customer data—particularly payment information (payment processors), protected health information (EHR systems, patient portals), or personally identifiable information (CRM platforms, marketing automation). Third, vendors managing critical business functions where breaches could halt operations: payroll processors, financial systems, email and communication platforms. Finally, vendors with admin-level access to your systems, as compromised administrative credentials provide attackers complete control. Lewis IT's risk classification framework assigns quantitative scores ensuring resources focus on highest-impact vendor relationships.

What if a vital vendor refuses to answer our security questions?

This is a critical red flag requiring immediate attention. Lewis IT treats vendor refusal to provide security information as evidence of either inadequate security practices they're hiding, or fundamental disrespect for your legitimate risk management requirements. Reputable vendors expect security questionnaires and willingly provide certifications, audit reports, and detailed security information—it's standard practice for professional organizations. When facing vendor refusal, Lewis IT recommends this escalation: First, explain regulatory and contractual requirements making vendor assessment mandatory. Second, offer to accept SOC 2 Type II report as alternative to full questionnaire. Third, elevate conversation to vendor's senior leadership or compliance officer. If vendor maintains refusal, this justifies seeking alternative providers—inadequate security will eventually result in breaches affecting your business and customers.

Are cloud providers like Amazon and Microsoft considered a vendor risk?

Yes, but the risk profile differs significantly from typical vendors. Lewis IT explains the "shared responsibility model" governing major cloud platforms: Cloud providers (AWS, Azure, Google Cloud) are responsible for security OF the cloud—the physical infrastructure, network, storage systems, and foundational platform security. They invest billions in security capabilities exceeding what most businesses could achieve independently. However, YOU remain responsible for security IN the cloud—your data, access controls, encryption settings, identity management, and application configurations. Most cloud security breaches result from customer misconfiguration (leaving S3 buckets public, weak access controls, missing encryption) rather than provider security failures. Lewis IT's cloud provider assessments focus on verifying YOUR configuration security, not evaluating Microsoft or Amazon's security programs, while ensuring contractual protections for the rare cases where provider failures occur.

Can we be held legally liable for a breach that starts with a vendor?

Absolutely, and this liability is increasingly common under modern privacy regulations. Lewis IT emphasizes that regulatory frameworks including GDPR, CCPA, HIPAA, and various state privacy laws hold businesses responsible for protecting customer data regardless of whether the breach occurred in their own systems or a vendor's infrastructure. Courts and regulators evaluate whether you exercised "reasonable due diligence" in vendor selection and oversight. If you failed to assess vendor security, lacked contractual protections, or ignored obvious red flags, you can be held liable for resulting breaches. Your contract with the vendor determines financial liability between the two companies (which is why Lewis IT emphasizes strong indemnification clauses), but customer-facing liability remains yours—you'll face regulatory investigations, fines, class action lawsuits, and reputational damage regardless of whose systems were actually breached. This is precisely why proactive vendor risk management isn't optional.


Lewis IT provides comprehensive cybersecurity and risk management services for businesses throughout Maryland and the Mid-Atlantic region. From vendor risk assessment and third-party security management to compliance consulting, contract review, and incident response, we help organizations build resilient security programs that protect against evolving threats—including those originating beyond your direct control.
