
11. How do you identify, prioritize, and remediate vulnerabilities?
A review of an IT partner’s patching policies and remediation timelines should never be overlooked, as many cyberattacks exploit known vulnerabilities. “Slow patch cycles lead to supply chain disruptions, business operational issues, and even bankruptcy in some cases,” says Perez-Etchegoyen, who emphasizes SLAs for critical patches and proof that fixes have been validated.
Ventrone gives the example of a company that outsourced firewall management to a vendor. After a vulnerability in the firewall was exploited, the vendor ended up restoring the vulnerable version, resulting in a second compromise. In another example, a client found out that its IT partner, which had experienced a ransomware attack through its VPN, patched just once a month.
“I literally could not believe this was considered sufficient,” Ventrone says.
12. Do you carry enough cyber insurance to cover the impact to all your customers?
“We’re going to see a lot more attacks against SaaS providers,” says SANS Institute’s Wright. “Attackers have lots of motive here since the access obtained when a SaaS provider is compromised is significant, with lots of subsequent opportunity for ransomware, extortion, and direct harassment attacks against customers.”
Ventrone says clients should confirm their provider’s policy covers not only themselves but the full impact of a multi-customer incident.
13. Can we test your processes?
Attestations regarding cybersecurity testing and monitoring — such as regular penetration testing, 24/7/365 security monitoring, threat hunting — are essential, Wright says.
But Alford recommends going a step further. “Lots of firms do questionnaire-based reviews that confirm policies exist but rarely test how provider processes work in practice. They assume a support vendor has strong verification steps. They assume an integration partner follows least privilege. They assume a SaaS platform has adequate logging for delegated access,” says Alford, warning against presumptions.
“Verification through evidence, realistic scenarios, and process testing changes everything,” he says. “It exposes where risk actually lives and gives you the ability to design controls that match how attackers think rather than how documentation reads.”
Ongoing diligence necessary
“Recent incidents underscore that many organizations are not adequately managing third-party risk over the full lifecycle of their IT provider relationships,” notes Clark Hill’s Ventrone, adding that too often due diligence is treated as a one-time exercise, with insufficient ongoing oversight to ensure that security controls and procedures remain appropriate as systems evolve.
Stratascale’s Corcoran also notes that cyber due diligence often falls through the cracks. “Many client organizations still fall short in managing third-party risk because it’s often treated as a collateral duty, split between procurement and general risk functions rather than a dedicated, optimized process,” he says. “As a result, business stakeholders remain unsatisfied and critical risks go unmitigated, even as attackers increasingly exploit weaker links in the supply chain.”
Increasingly, cybercriminals see partners in the IT ecosystem as those weaker links.
