Featured Image

Vendor Risk Assessments & Hidden Recurring Commitments

When founding teams find a way to survive their first vendor risk assessment -- usually on the tail end of making their first enterprise sale -- it's a moment that calls for celebration. At Havoc Shield, one of the absolute best moments for us is when a client calls us back and says, "With your help, we made it through that security questionnaire" -- it's a celebration on our end too!

But, is the end of a vendor risk assessment the final chapter in the vetting that the startup will face from their new enterprise customer? In a word, no. We'll go ahead and explore this below.

The Representations You Make

Can we start with the elephant in the room? When your tiny startup gets to land one of your first big enterprise deals, you'll likely bend to the enterprise's requests on many dimensions.

Whose "Paper" is the Deal On?

A recurring story that we hear from startups is that enterprises cut them off at the pass when they present their typical order form and terms of service. Often, the enterprise will respond with a Master Services Agreement (MSA) -- a comprehensive agreement that the enterprise has prepared as a suitable baseline for deals with all types. That immediately puts startups on their heels. They are presently in unfamiliar territory regarding the representations they are being asked to make. One topic likely to be covered somewhere deep in that MSA -- maybe in esoteric language -- is whether/not the representations made in related materials (such as a vendor risk assessment) are incorporated by reference into the broader agreement. Founders need to speak with their counsel to ensure they understand what binding contracts they are making on that front.

What did that Vendor Risk Assessment say, anyway?

Here's where startups get into trouble. Often the person that completed the vendor risk assessment differs from the person negotiating the legal agreement with the enterprise client. For example, perhaps the CTO filled out the vendor risk assessment, but maybe the CEO or head of sales ran point on negotiating the legal agreement. That's okay, but everyone involved must know what obligations the startup took on during the vendor risk assessment.

Let's bring this topic to life with a genuine example. Suppose the vendor risk assessment asked the startup if their employees undergo quarterly security awareness training. Suppose that the startup didn't previously have any such policy but that they adopted that type of policy "just in time" to be able to respond "yes" to the question. This happens all the time -- almost every startup we work with does at least some hurried improvement in their security program when an enterprise questionnaire forces the topic. In this example, we'd want the startup to run its first security awareness training and put some specific mechanism in place to ensure that it recurs quarterly (using Havoc Shield).

But, when the person filling out the vendor risk assessments is different from the person negotiating the legal agreement, it's common for manically busy startup folks to accidentally fail to connect the dots on their precise ongoing commitments that they are obligated to fulfill.

The Representations We See

If you follow this blog, you know that we've been tearing 100+ enterprise security questionnaires to shreds trying to surface functional patterns for all of you. By studying a large set of enterprise security questionnaires, we can help our clients (and you) anticipate the security controls that enterprises will most likely ask you for. And to help you implement them proactively.

Another benefit of our analysis (the one we didn't expect) centers around our learning about recurring commitments. In our analysis of these enterprise security questionnaires, we noticed that terms like "annually" and "quarterly" were popping up everywhere, so we dug deeper to understand precisely what recurring commitments startups were being asked to make in these vendor risk assessments. Here's what we found.

63% of the vendor risk assessments we looked at had at least one question that probed for a recurring process. The questionnaires (on a percentage basis) had periodic requirements of various cadences:

  • 40% had one or more annual requirement
  • 31% had one or more quarterly requirement
  • 32% had one or more monthly requirement
  • 23% had one or more weekly requirement
  • 30% had one or more daily requirement

Yes, you heard that right: 30% of the questionnaires we reviewed had at least one question that probed whether a particular activity was (or wasn't) happening daily. Some of the hot topics on the questionnaires that asked about daily activities included:

  • Backups
  • Audit Log Reviews
  • Anti-virus scans
  • Anti-virus signature updates
  • Review of all security events
  • Access revocations for terminated employees
  • Monitoring of processing capacity
  • Review of intrusion detection system (IDS) logs

In contrast, here are some of the most common topics that these vendor risk assessments asked for on an annual basis:

  • Penetration Tests
  • Internal Network Scans
  • Review, update, and test disaster recovery and business continuity plans
  • Review performance of contract relative to SLAs
  • Review of security policies and plans
  • Completion of independent audits such as SOC 2
  • Completion of security awareness training
  • Completion of incident response exercises
  • Review of firewall configurations
  • Review of privacy policies
  • Completion of developer training
  • Completion of privacy training
  • Risk Assessments
  • Employee acknowledgment of employee handbook
  • Hardware inventory update
  • Software inventory update
  • Network diagram update

In short, your startup will likely accumulate many recurring obligations as you travel the path to selling to (or partnering with) large enterprises with extensive vendor risk assessment processes.

Need a Hand with Vendor Risk Assessments?

Startups need an ally in vendor risk assessment. Staring down a lengthy set of security questions and requirements can be overwhelming without any internal security-focused personnel. At Havoc Shield, we're glad to pinch hit until your startup grows to a stage where you have a team of full-time security professionals to manage your security practices fully. Please drop us a line for help on that vendor risk assessment in your inbox. We're standing by to help.

Other posts