Third-party / vendor risk assessment program
Slug: vendor-risk-assessment-program
Domain: cybersecurity
Type: process

Description
Vendor risk assessment is the operational expression of a principle embedded across modern privacy, security, and financial-regulation frameworks: an institution's regulatory obligations follow its data and its money out the door to third parties. GDPR Article 28's processor due-diligence duties, NYDFS Part 500's third-party service provider rules, the EU's DORA framework for ICT third-party risk in financial services, and the AICPA's SOC 2 Trust Services Criteria all rest on the same posture: identify every vendor that handles regulated data, money, or critical infrastructure; classify each by the risk it introduces; apply due diligence proportionate to that risk; and monitor on an ongoing basis.

The operational pieces are the vendor inventory (harder to keep complete than it looks, because engineering teams add SaaS faster than procurement learns about it, so the inventory has to be reconciled against sources that see the additions, such as the identity provider's application catalogue and expense records), the risk-classification tier, the due-diligence pack itself (security questionnaires, SOC 2 reports, sub-processor disclosures, incident history), and the periodic-review cadence that catches vendor changes (acquisitions, security incidents, control regressions).

DORA and recent banking-supervision guidance have surfaced the concentration-risk angle that single-vendor diligence does not catch: a portfolio of individually well-assessed vendors can still represent unacceptable concentration if too many of them depend on the same underlying infrastructure, so that one provider outage or compromise takes several critical vendors down at once.
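The following is an added worked example, not code from the page or from ClearLaunch, showing how the four operational pieces above can be turned into repeatable checks over an inventory: reconciling the procurement inventory against the identity provider's app list to surface unrecorded SaaS, assigning a risk tier, flagging overdue re-assessments by tier, and flagging concentration on a single underlying provider. The record fields, the tiering rule (regulated data plus critical dependency gives tier 1), the review intervals per tier, the 50% concentration threshold, and all sample records are assumptions constructed for illustration; a real program would take these from its own policy and inventory.

```python
from datetime import date, timedelta

# Constructed sample inventory records (not from any real program).
# Field names are assumptions: "data" is the most sensitive data class the vendor
# handles, "critical" whether an outage would halt a critical business service,
# "hosted_on" the underlying infrastructure provider the vendor itself runs on.
INVENTORY = [
    {"name": "payroll-saas", "data": "financial", "critical": True,
     "hosted_on": "cloud-A", "last_review": date(2024, 1, 15)},
    {"name": "crm", "data": "pii", "critical": True,
     "hosted_on": "cloud-A", "last_review": date(2023, 3, 1)},
    {"name": "ticketing", "data": "pii", "critical": False,
     "hosted_on": "cloud-A", "last_review": date(2023, 6, 1)},
    {"name": "status-page", "data": "none", "critical": False,
     "hosted_on": "cloud-B", "last_review": date(2022, 1, 1)},
]

# Applications present in the identity provider's catalogue (constructed).
# Anything here that procurement does not know about is unassessed SaaS.
SSO_APPS = {"payroll-saas", "crm", "ticketing", "status-page", "design-tool"}

# Assumed re-assessment cadence per tier (policy choice, not a regulatory value).
REVIEW_INTERVAL = {1: timedelta(days=365), 2: timedelta(days=730), 3: timedelta(days=1095)}


def risk_tier(vendor):
    """Assumed tiering rule: regulated data AND critical -> 1; either -> 2; neither -> 3."""
    regulated = vendor["data"] in {"pii", "financial"}
    if regulated and vendor["critical"]:
        return 1
    if regulated or vendor["critical"]:
        return 2
    return 3


def shadow_saas(inventory, sso_apps):
    """Apps the identity provider sees that the vendor inventory does not list."""
    known = {v["name"] for v in inventory}
    return sorted(sso_apps - known)


def overdue_reviews(inventory, today):
    """Vendors whose last review is older than their tier's interval allows."""
    overdue = []
    for v in inventory:
        tier = risk_tier(v)
        due = v["last_review"] + REVIEW_INTERVAL[tier]
        if due < today:
            overdue.append((v["name"], tier, due))
    return sorted(overdue)


def concentration(inventory, max_share=0.5):
    """Providers hosting more than max_share of the tier-1 vendors (assumed threshold).

    This is the check single-vendor diligence misses: each tier-1 vendor may pass on
    its own while all of them sit on one provider.
    """
    tier1 = [v for v in inventory if risk_tier(v) == 1]
    by_provider = {}
    for v in tier1:
        by_provider.setdefault(v["hosted_on"], []).append(v["name"])
    flagged = {}
    for provider, names in by_provider.items():
        if len(names) / len(tier1) > max_share:
            flagged[provider] = sorted(names)
    return flagged


if __name__ == "__main__":
    today = date(2025, 3, 1)
    print("unassessed apps:", shadow_saas(INVENTORY, SSO_APPS))
    for name, tier, due in overdue_reviews(INVENTORY, today):
        print(f"overdue: {name} (tier {tier}, review was due {due})")
    for provider, names in concentration(INVENTORY).items():
        print(f"concentration on {provider}: {', '.join(names)}")
```

Run against the constructed data, this reports "design-tool" as an app in use that nobody has assessed, three vendors past their review date, and both tier-1 vendors sitting on cloud-A. The first finding is the inventory-completeness problem described above; the last is the concentration finding that a per-vendor questionnaire cannot produce.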
Required by (2 regulations)
- NIS2
Article 21(2)(d) — supply chain security.
- GDPR
Article 28 — processor due diligence.
Regulation (EU) 2016/679 of the European Parliament and of the Council
Fulfilled by (2)
- onetrust · full · medium effort · $$
- In-house build · medium effort
ClearLaunch does not accept payment from vendors.
Evidence formats
- vendor inventory
- risk-tier matrix
- periodic re-assessment log