Third Party Risk Management - Consultancy, Assessment & Advisory

Vendor Contract Do’s and Don’ts – BitSight Guest Blog

According to an Opus and Ponemon Institute study, 59% of companies have experienced a data breach caused by one of their vendors or Third Parties — while only 16% claim they effectively mitigate Third-Party risks.


Don’t be a part of these alarming statistics: In order to protect your organisation’s valuable information, it’s critical that you set up the necessary security expectations from the onset of a new vendor relationship. Now, as an increasing percentage of businesses are moving to the remote office model, having these security conversations early on is even more critical — because residential IPs account for more than 90% of all observed malware infections and compromised systems.

Of course, simply telling your new Third-Party partner that you have specific requirements — or asking them to describe the controls they have in place — is not enough. In order to build a strong Third-Party risk management (TPRM) program, you must explicitly define all of your expectations in a legally binding vendor contract.


Common Vendor Contract Mistakes To Avoid

When you first launch a Third-Party risk management program, it can be difficult to know what type of vendor contract language you should establish to protect all the assets in your digital ecosystem. Start off on the right foot by avoiding the don’ts listed out below.


DON’T: Begin a vendor relationship before agreeing to security expectations

Your specific security requirements — and the enforceability of those requirements — aren’t something to consider after the fact. Work closely with your legal department to create contract language that guarantees your Third Parties will uphold their end of the bargain when it comes to security performance, monitoring, and remediation. Make sure both sides have agreed to the expectations before you begin your partnership.


DON’T: Use general language

When developing your vendor contract, avoid generalities — like “reasonable security measures” — that offer little to no clarity into the practices you actually expect the vendor to implement. After all, “reasonable” could mean something different to your organisation and the Third-Party in question. Instead of using this type of vague language, refer to specific standards and frameworks you want them to abide by.

DON’T: Forget to consider your vendor’s vendors

Fourth parties, or your vendor’s vendors, have a direct effect on your risk outlook as well. Don’t go into a new partner relationship without the desired visibility and context into your extended ecosystem. Make sure to add language to your vendor contract stipulating that all security guidelines that apply to your Third-Party vendor also apply to their subcontractors.


Vendor Contract Best Practices To Implement

Now that you understand what not to do, it’s time to go over some contract language you should be sure to include. Here are a few do’s to keep in mind as you begin the process.


DO: Build in specific terms and conditions

Put all your expectations on the table — from how a vendor should handle and protect your data to what they should do if and when they experience a breach that affects your information. Specifically, your contracts should stipulate that vendors must:

As a best practice, you should be as specific as possible when outlining time frame expectations. For instance, you may require that vendors inform you of any breaches within 24 hours and remediate any security issues within 48 hours.


DO: Ensure all your vendors have security obligations

Of course, if you’re in the initial stage of contracting work out to vendors, you can make sure all your new contracts include the necessary cybersecurity requirements. But what if you already onboarded some vendors before you put your Third-Party risk management program in place? In this case, it’s critical that you audit your existing terms and conditions. Gather all your current contracts and work with your legal team to evaluate whether there are any instances where your contractual security obligations are lacking or not specific enough. If you find any language that needs to be revised, reach out to the vendor in question about updating the contract to speak to your current expectations.


DO: Outline your continuous monitoring practices

When you onboard a vendor, let your new partner know how their security posture will be evaluated, monitored, and measured throughout the course of your relationship. Make sure to clearly state what your organisation defines as a threshold of acceptable risk — and what your course of action will be if the vendor’s security posture goes below that level. By defining these expectations from the onset, you can ensure that you and your vendor are on the same page when it comes to protecting your ecosystem.


DO: Start your vendor relationship off on the right foot

Don’t let a vendor breach or other incident be the first time you discuss your security expectations with your Third-Party network. By developing specific, enforceable security vendor contract language at the onset, you can protect your critical data — and save your organisation time and effort down the line.

Ready to learn more about creating a faster, less costly and more scalable vendor onboarding and cybersecurity risk assessment program with ease?

Download the latest BitSight Vendor Onboarding White Paper

Pressed for Time? Then read the Quick Guide

4 Ways to Optimise Your Vendor Onboarding Process With BitSight


You’re Only As Strong As Your Weakest Link

There’s never a more vital time to start thinking seriously about the security posture of your organisation and the cyber supply chain you rely on. DVV Solutions are here to help with a range of services and solutions proven to improve your ability to assess, analyse and manage more Third-Party cyber and data privacy risk domains. For more advice and information on any Third-Party risk challenge you have:

Call Us: +44 (0) 161 476 8700

Contact Us: Complete our Contact Form, or

Learn more about What We Do


This article was originally published by BitSight Technologies and is shared with their kind permission.