How do we handle a critical vendor who refuses to provide a SOC 2 report?

If a mission-critical vendor lacks or refuses to provide a SOC 2 report, you face a risk decision, not a security one. First, understand why. Are they a startup still building their program, or a large entity relying on a different assurance framework? If it is a critical SaaS provider, their refusal is a major red flag about their security maturity. The response should be escalated to executive leadership (CISO, CFO, and potentially the CEO) for a formal risk acceptance. The business unit sponsoring the vendor must understand and acknowledge the risk. You can try to compensate with other controls: a paid, deep-dive penetration test, an extensive on-site audit (if they permit it), and extremely robust contractual language around liability and breach notification. In many cases, the correct decision is to find an alternative vendor who values security transparency.

Isn't continuous monitoring too expensive for a small business?

While enterprise-grade continuous monitoring platforms can be costly, the market has evolved to offer solutions for various company sizes. For smaller businesses, the key is to apply continuous monitoring in a tiered, risk-based manner. You do not need to monitor all 200 of your vendors. Start with the 10-15 Tier 1 vendors that handle your most sensitive data or perform the most critical functions. The cost of monitoring this small cohort is a fraction of the cost of a single third-party breach. Many security ratings services offer tiered pricing, and the investment should be positioned as a cost-avoidance measure, akin to insurance. The price of a subscription is negligible compared to the reputational and financial damage from a supply chain compromise.

What is a realistic breach notification SLA to demand from a major cloud provider like AWS or Microsoft?

Demanding a custom 24-hour notification SLA from a hyperscale cloud provider like AWS, Google Cloud, or Microsoft Azure is generally not feasible. These providers operate on a one-to-many model and will not negotiate their standard terms and DPAs for most customers. Their contracts typically promise notification "without undue delay." However, this is less of a risk than it appears. Major providers have a massive reputational and financial incentive to notify customers quickly and have highly mature incident response processes. The greater risk lies with mid-market SaaS providers built on top of these platforms. It is with those vendors where you have more leverage and must contractually enforce a specific 24, 48, or 72-hour notification window, as their processes are less likely to be as mature.

We have no formal TPRM program today. Where do we start?

Start small and focus on the greatest risks. First, create an inventory of all your vendors. Send a simple survey to department heads to ask what tools and services they use. Second, perform a rapid tiering exercise. Identify the 10-20 vendors that access customer data, PII, or are critical for your operations. These are your new Tier 1 vendors, and this is where you will focus 80% of your effort. Third, for this Tier 1 group, begin requesting security evidence—start with a SIG Lite or CAIQ, and ask for a SOC 2 report. Fourth, partner with your legal/procurement team to create a simple security addendum for all new contracts, focusing on breach notification and confidentiality. Do not try to boil the ocean; a focused program on 10 critical vendors is infinitely better than a shallow program attempting to cover 500.

What is the primary difference between a SIG Lite and a CAIQ?

The primary difference lies in their scope and intended target. The CAIQ (Consensus Assessments Initiative Questionnaire) is created by the Cloud Security Alliance and is specifically tailored for assessing the security of cloud service providers. Its questions map directly to the controls in the CSA's Cloud Controls Matrix (CCM), making it ideal for evaluating IaaS, PaaS, or SaaS vendors. The SIG Lite (Standardized Information Gathering), from Shared Assessments, is a more general-purpose risk assessment tool. It covers a broader set of 19 risk domains, including areas like enterprise risk management, that apply to almost any type of third-party vendor, not just cloud providers. For a quick evaluation, a CAIQ is better for a pure-play cloud vendor, while a SIG Lite is a more versatile starting point for a diverse vendor portfolio.

How does this TPRM model change in a highly regulated industry like healthcare or finance?

In regulated industries like healthcare (HIPAA) or finance (NYDFS, GLBA), this TPRM model does not fundamentally change—it becomes mandatory and its requirements are amplified. The core principles of risk-tiering, evidence-based diligence, and continuous monitoring remain the same, but the stakes are higher. Regulators specifically require robust vendor oversight. For example, under HIPAA, you must have a signed Business Associate Agreement (BAA) with any vendor handling Protected Health Information (PHI), which is a specific contractual requirement. The level of scrutiny is higher, the definition of sensitive data is clearer, and the penalties for failure are severe. Documentation becomes paramount, as you must be able to prove to auditors that you have performed adequate due diligence on every vendor handling regulated data. The 2026 model becomes less of a best practice and more of a baseline for compliance and survival.

Third-Party Vendor Risk Management: A 2026 Operating Model

By Business Indemnity EditorialUpdated May 5, 2026

TL;DR: The era of static, check-the-box vendor questionnaires is over. Supply chain compromises like MOVEit and SolarWinds have proven that point-in-time assessments are insufficient. A modern Third-Party Risk Management (TPRM) program for 2026 must be dynamic, risk-tiered, and contractually robust. This involves segmenting vendors by data access and criticality, exchanging questionnaires for verifiable evidence like SOC 2 reports, embedding strict security clauses in contracts, and implementing continuous monitoring of your vendors' external attack surface. The goal is not to eliminate risk—an impossible task—but to manage it with intelligence, visibility, and legal fortitude, shifting TPRM from a compliance exercise to a strategic security function.

The Obsolescence of the Annual Questionnaire

For years, TPRM operated on a familiar cadence: a business unit needs a new SaaS tool, security sends a lengthy spreadsheet, the vendor's sales team fills it out, and the document is filed away until the next annual review. This model is broken. It was designed for a slower, less interconnected world. Today, a single vulnerability in a widely used software component can trigger a cascade of breaches across thousands of organizations overnight.

The threat landscape has fundamentally shifted from direct assaults on fortified perimeters to lateral movements through trusted third-party connections. High-profile incidents are no longer anomalies; they are indicators of a systemic weakness. The 2020 SolarWinds supply chain attack demonstrated how a compromised software build process could infect governments and Fortune 500 companies. More recently, the widespread exploitation of a zero-day vulnerability in Progress Software's MOVEit Transfer tool showcased the immense blast radius of a single flawed component in the digital supply chain.

These events prove that a vendor's self-attestation is not a reliable security control. A new operating model is required—one that treats the supply chain as a continuous, dynamic attack surface that demands constant vigilance. The 2026 model for TPRM is not about asking more questions; it is about demanding better evidence and maintaining persistent oversight.

A Foundation of Risk: Dynamic Vendor Tiering

Not all vendors are created equal. A TPRM program that treats the provider of office snacks with the same scrutiny as a cloud hosting provider is inefficient and ineffective. The cornerstone of a modern program is risk-based tiering, a process that determines the level of due diligence required for each vendor.

Classification should be based on two primary axes: data access and business criticality.

Data Access and Sensitivity

Vendors must be categorized by the type and volume of data they access, process, or store. A simple framework might include:

Tier 1 (Critical): Access to sensitive, regulated data such as PII, PHI, or financial records. This includes core infrastructure providers (IaaS/PaaS), payment processors, and platforms handling customer data.
Tier 2 (High): Access to confidential business information, intellectual property, or systems integral to production environments. This might include CRM systems, code repositories, or key operational software.
Tier 3 (Medium): Access to non-sensitive operational data or integration with non-critical business systems. Examples include marketing analytics tools or project management software.
Tier 4 (Low): No access to company data or networks. This includes vendors providing purely physical services or off-the-shelf commodity products with no connectivity.

Business Criticality

Independent of data access, a vendor's criticality is determined by the operational impact of its failure. If this vendor experiences an outage, does your business grind to a halt? Does it impact revenue, customer service, or core operations? A Tier 1 vendor from a criticality standpoint is one whose services are indispensable for day-to-day business function, even if they do not handle sensitive data. The recent security incidents at Okta highlight this plainly; as a central identity provider, its operational stability is paramount for thousands of customers. The lessons from the Okta breach underscore that even security-focused vendors can become vectors if their own internal systems, like customer support portals, are compromised.

The combination of these two axes creates a risk matrix that dictates the depth and frequency of due diligence. A Tier 1 vendor requires the most rigorous review, while a Tier 4 vendor may require little more than a basic legal check. This tiered approach focuses resources where the risk is highest, moving TPRM from a bureaucratic hurdle to a focused risk management function.

Due Diligence: Moving from Attestation to Evidence

Once a vendor is tiered, the due diligence process begins. The goal is to verify the vendor's security posture, not simply take their word for it. This means moving away from bespoke questionnaires in favor of standardized assessments and verifiable, third-party audited reports.

Standardized Intake for Efficiency

For initial screening of Tier 2 and Tier 3 vendors, standardized questionnaires remain useful. They establish a baseline and can quickly filter out vendors with immature security programs. The two dominant standards are:

Consensus Assessments Initiative Questionnaire (CAIQ): Published by the Cloud Security Alliance (CSA), the CAIQ is specifically designed for evaluating cloud service providers against the CSA's Cloud Controls Matrix (CCM). It provides a common framework for understanding cloud security practices.
Standardized Information Gathering (SIG) Questionnaire: Developed by Shared Assessments, the SIG is a broader tool that covers a wide range of cybersecurity and privacy domains. The SIG Lite version is an excellent tool for initial, high-level assessments before committing to a deeper review.

These standards save time for both the assessor and the vendor, as many mature vendors have pre-completed responses ready. However, for Tier 1 vendors, these questionnaires are merely a starting point.

Requiring Verifiable Evidence

For any vendor handling sensitive data or performing a critical function (Tiers 1 and 2), self-attestation is insufficient. The program must demand independent, verifiable evidence of security controls. The primary artifacts to request are:

SOC 2 Type II Report: This is the gold standard for validating a service organization's controls over a period of time (typically 6-12 months). A SOC 2 report, based on the AICPA's Trust Services Criteria, provides independent assurance that a vendor's security, availability, confidentiality, processing integrity, and privacy controls are designed correctly and operating effectively. A clean report from a reputable auditor is a powerful indicator of a mature security program. A full review of the report, including any noted exceptions, is non-negotiable. For companies navigating this landscape, a comprehensive /compliance/soc-2-compliance-guide is an essential resource.
ISO 27001 Certification: While SOC 2 focuses on controls, ISO 27001 certifies the vendor's Information Security Management System (ISMS). It confirms that the organization has a formal, risk-based program for managing security. It is particularly common among vendors outside North America.
Penetration Test Summaries: A recent (within the last 12 months) summary of a third-party penetration test shows that the vendor is proactively testing its defenses. The full report is rarely shared, but a summary letter or attestation from the testing firm should detail the scope of the test and confirm that all critical and high-severity findings have been remediated.

Refusal to provide these documents for a Tier 1 relationship should be a significant red flag, warranting either rejection or the formal acceptance of risk at an executive level.

The Legal Framework: Contractual Security Mandates

The Master Services Agreement (MSA) and associated Data Processing Addendum (DPA) are not just legal formalities; they are critical risk management tools. Diligence without contractual enforcement is toothless. Your legal and procurement teams must be aligned with security to embed non-negotiable clauses that protect your organization when—not if—a vendor incident occurs.

Key contractual must-haves for Tier 1 and Tier 2 vendors include:

Breach Notification SLAs: Specify a clear, aggressive timeline for the vendor to notify you of a security incident affecting your data or services. Aim for 24-72 hours from discovery. Vague language like "without undue delay" is insufficient. The clause must define what constitutes a "breach" and include incidents affecting both confidentiality and availability.
Right to Audit: This clause grants your organization the right, typically once per year, to audit the vendor's security controls. While you may not always exercise this right directly (often accepting a SOC 2 or ISO report in lieu), its presence provides critical leverage and a mechanism for deeper investigation if concerns arise.
Sub-processor Approval: The vendor must be contractually obligated to disclose all sub-processors (fourth parties) that will handle your data and must obtain your written consent before engaging new ones. This provides visibility and control over the extended supply chain.
Liability and Indemnification: Work with legal counsel to establish reasonable liability caps that are not dwarfed by the potential cost of a breach. Ensure the indemnification clause clearly covers costs arising from the vendor's negligence or security failures, including regulatory fines, customer notification costs, and credit monitoring services.
Cyber Insurance Minimums: Mandate that the vendor maintain a minimum level of cybersecurity insurance coverage (e.g., $5 million or $10 million, depending on risk). Require them to provide a certificate of insurance as proof. This ensures that in the event of a catastrophic incident, there is a financial backstop to cover damages.

These terms shift the TPRM program from a passive review to an active assertion of your security requirements.

Continuous Monitoring: The Shift to Dynamic Oversight

The most significant evolution in the 2026 TPRM model is the adoption of continuous monitoring. Annual assessments create a dangerous visibility gap. A vendor's security posture can degrade in days due to a misconfiguration, an unpatched vulnerability, or a lapsed certificate.

Continuous monitoring tools supplement point-in-time assessments by providing an "outside-in" view of a vendor's security hygiene. These platforms work by non-intrusively scanning a vendor's public-facing internet assets to identify potential weaknesses. Key capabilities include:

Attack Surface Management: Discovering and cataloging a vendor's external assets, including domains, subdomains, IP addresses, and cloud services.
Vulnerability Scanning: Identifying open ports, outdated software, and known vulnerabilities (CVEs) on external systems.
Configuration Checks: Detecting issues like weak TLS/SSL ciphers, missing security headers (e.g., CSP, HSTS), and exposed management interfaces.
Credential Leak Monitoring: Scanning the dark web and paste sites for employee credentials associated with the vendor's domain, which could be used in credential stuffing attacks.
Security Ratings: Aggregating this data into a digestible security score (e.g., A-F or 0-900), allowing for at-a-glance comparisons and trend analysis.

When a high-risk finding is detected—such as a critical vulnerability on a vendor's VPN concentrator—the system can trigger an alert, enabling your security team to proactively engage the vendor for remediation long before it can be exploited. This transforms TPRM from a reactive, annual process into a proactive, near-real-time security function.

Confronting Fourth-Party and Cascading Risk

Your security is only as strong as your vendors' security, and their security is only as strong as their vendors' security. This is the fourth-party risk problem, and it is one of the most difficult challenges in supply chain security. You do not have a direct contractual relationship with your vendor's vendors, making direct assessment and enforcement nearly impossible.

The MOVEit breach is the canonical example of this cascading risk. A single vulnerability in a file transfer tool used by a payroll provider (a third party) could lead to the exposure of employee data from hundreds of that provider's customers (who become victims of a fourth-party breach). Your direct vendor may have a perfect security record, but if they rely on a vulnerable piece of software from one of their suppliers, you inherit that risk.

Addressing fourth-party risk requires a multi-pronged strategy:

Contractual Flow-Down: Your contracts must require your vendors to enforce equivalent security standards on their own critical sub-processors. This includes rights to audit, security assessment requirements, and breach notification flow-downs.
Scrutiny of Critical Dependencies: During due diligence, ask your most critical vendors about their critical dependencies. Who is their cloud provider? What identity system do they use? What major software components are built into their product? A mature vendor should be able to provide a software bill of materials (SBOM).
Scenario Planning: Assume a breach will occur in a critical fourth party. What is your incident response plan? How will you get information from your direct vendor? Tabletop exercises based on scenarios like the MOVEit breach case study are invaluable for testing these response mechanisms.

Fourth-party risk cannot be eliminated, but by demanding transparency and contractual accountability, you can gain visibility and exert influence over the deeper layers of your digital supply chain.

Frequently asked questions

Written by

Business Indemnity Editorial

Editorial Team

The Business Indemnity editorial team covers AI security, cybersecurity, and cyber insurance for SaaS and modern businesses.

About the editorial team →