10 Cybersecurity Criteria for Smarter Vendor Selection
Why Vendor Selection Must Start with Security
Breaches no longer just originate inside an organization’s own infrastructure. Increasingly, they begin with vendors via weak access controls, exposed credentials, or vulnerable third-party software.
According to SecurityScorecard’s 2025 Global Third-Party Breach Report:
- 35.5% of breaches stem from third-party access, up more than 5% from the previous year.
- File transfer software and cloud platforms are among the most exploited vectors.
- 41.4% of ransomware attacks originate with third parties.
The security of your vendors can’t be an afterthought. It must be a core criterion from the moment vendor evaluations begin. This blog will cover 10 crucial criteria to use when evaluating and selecting vendors that will help you and your supply chain become more vigilant against cybersecurity risk and threat actors.
1. Require External Cybersecurity Ratings
Before onboarding, examine what attackers already see. A vendor’s external security information can reveal:
- Patching cadence
- DNS and IP hygiene
- Malware infections and open ports
- Exposure from misconfigurations
SecurityScorecard’s suite of tools includes security ratings across 10 risk factors. Many organizations require a minimum grade (such as a “B” or higher) as part of procurement policy.
2. Investigate Breach History and Exposure
In many cases, past breach history can be indicative of future breaches, according to SecurityScorecard research. But don’t rely on self-reporting from vendors alone. Ask vendors several questions about their breach history—and verify their answers using breach intelligence data:
- Have you experienced a breach in the past 24 months?
- What data or systems were involved?
- How were customers notified and protected?
3. Assess Access Scope and Integration Risk
Understand the depth of vendor integration with your organization. Determine:
- Will the vendor access production systems or sensitive environments?
- Does it use APIs to process or transfer critical data?
- Are credentials or tokens stored on their side?
High access should require stronger scrutiny, and possibly segmentation, access controls, or compensating controls.
4. Verify Regulatory Alignment
Ensure the vendor maintains compliance with relevant frameworks that your organization is responsible for, whether meeting compliance standards in the United States or Europe. A non-exhaustive list of frameworks to consider includes:
- HIPAA (healthcare)
- PCI DSS (payments)
- DORA (financial services)
- GDPR (for the European Union’s personal data)
- CIRCIA (for U.S. critical infrastructure)
- CMMC (for the defense industrial base)
- OCPA (for organizations handling Oregonians’ data)
There are a whole host of other frameworks that may affect your organization’s sector, or your vendors’. Consider requesting evidence such as SOC 2 Type II audit reports or ISO 27001 certification.
5. Include Security Clauses in Contracts
Contracts should include enforceable security terms. Consider requiring:
- Timely breach notification (typically within 24–72 hours, aligned with the deadlines of the frameworks you must comply with)
- Maintaining a minimum cybersecurity rating
- Participation in remediation if the vendor’s security posture declines
- Specific encryption standards for data both at rest and in transit
- Mandatory controls such as encryption, multi-factor authentication (MFA), and periodic access reviews
6. Account for Fourth-Party Risk
Ask vendors to disclose their own vendor dependencies. Over one-third of breaches stem from third parties—with nearly 5% of breaches extending to fourth parties, according to SecurityScorecard’s 2025 Global Third-Party Breach Report. For example:
- A SaaS vendor may rely on third-party storage or authentication providers that are not currently meeting your minimum cybersecurity standards
- A payment processor may route data through multiple infrastructure providers, each of which could lack certain MFA processes
7. Review Threat Detection and Incident Response Maturity
A tested incident response (IR) plan that includes customer notifications is a must-have. Ask how the vendor:
- Detects anomalies or attacker behavior
- Shares intelligence with customers
- Retains logs for forensic analysis
- Engages in incident response collaboration
8. Evaluate Credential Hygiene and Identity Practices
Credential abuse is still the leading factor in breaches, according to Verizon’s 2025 Data Breach Investigations Report. It’s therefore crucial to probe how the vendor handles access controls:
- Is MFA enforced across all user accounts?
- Are admin roles tightly scoped and reviewed?
- Are account audits and password rotations routine?
9. Examine Data Storage and Encryption Practices
Regulations and cybersecurity-related laws are increasingly requiring or strongly recommending encryption to protect data from prying eyes. Require clarity on:
- Where your data is stored—geographically and logically
- Who can access it, and under what conditions
- Whether data is encrypted at rest and in transit
Look for providers that use certified infrastructure and maintain logs of all data access.
10. Assess Transparency and Security Culture
A vendor’s security culture, not just its written procedures, determines whether problems surface later. Trustworthy vendors treat security as a shared responsibility, not just a box to check. To understand a vendor’s security culture better, ask:
- Do they have a named security lead or CISO?
- Will they disclose posture changes, even outside formal assessments?
- How do they communicate during incidents?
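As an added example (not from the original post and not SecurityScorecard’s product or API), here is how the criteria above can be expressed as a procurement gate in code, so that every vendor is checked the same way before onboarding. The Vendor fields, the grade scale and the thresholds are assumptions chosen to mirror the checklist.

```python
from dataclasses import dataclass
from typing import List

# Constructed vendor intake record for illustration; the field names are
# assumptions, not a SecurityScorecard data model.
@dataclass
class Vendor:
    name: str
    rating_grade: str                   # external rating letter, "A".."F"
    breach_last_24_months: bool         # criterion 2
    breach_handling_evidence: bool      # customers notified, fixes documented
    production_access: bool             # criterion 3
    stores_our_credentials: bool        # criterion 3
    mfa_enforced: bool                  # criterion 8
    encrypted_at_rest_and_in_transit: bool  # criterion 9
    breach_notice_hours: int            # contractual window, criterion 5
    fourth_parties_disclosed: bool      # criterion 6

GRADE_ORDER = "ABCDF"   # assumed scale; lower index = better grade

def grade_meets(grade: str, minimum: str) -> bool:
    """True when the vendor's letter grade is at least the required minimum."""
    return GRADE_ORDER.index(grade.strip().upper()[0]) <= GRADE_ORDER.index(minimum.upper()[0])

def evaluate(v: Vendor, min_grade: str = "B", max_notice_hours: int = 72) -> List[str]:
    """Return blocking findings; an empty list means the vendor clears the gate."""
    findings = []
    if not grade_meets(v.rating_grade, min_grade):
        findings.append(f"rating {v.rating_grade} below minimum {min_grade}")
    # A past breach is not disqualifying by itself; undocumented handling is.
    if v.breach_last_24_months and not v.breach_handling_evidence:
        findings.append("recent breach without documented handling")
    # Deeper integration raises the bar on identity and encryption controls.
    high_access = v.production_access or v.stores_our_credentials
    if high_access and not v.mfa_enforced:
        findings.append("high-access vendor without enforced MFA")
    if high_access and not v.encrypted_at_rest_and_in_transit:
        findings.append("high-access vendor without encryption at rest and in transit")
    if v.breach_notice_hours > max_notice_hours:
        findings.append(f"breach notice window {v.breach_notice_hours}h exceeds {max_notice_hours}h")
    if not v.fourth_parties_disclosed:
        findings.append("fourth-party dependencies not disclosed")
    return findings
```

The thresholds (minimum grade, 72-hour notice) are parameters so the same gate can be tightened for vendors with production access or relaxed for low-risk suppliers.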
Managing Vendor Cybersecurity Risk
SecurityScorecard’s suite of tools includes security ratings across several risk factors. Many organizations require a minimum grade (such as a “B” or higher) as part of procurement policy to shore up vendor security before it can impact the organization or other partners.
SecurityScorecard also created Supply Chain Detection and Response (SCDR), transforming how organizations defend against the fastest-growing threat vector—supply chain attacks. Our industry-leading security ratings serve as the foundation and core strength, while SCDR continuously monitors third-party risks using our factor-based ratings, automated assessments and proprietary threat intelligence, to resolve threats before they become breaches.
Transform Third-Party Risk into Supply Chain Resilience
With SecurityScorecard’s Supply Chain Detection and Response (SCDR), gain actionable insights into your vendors’ security postures. Our platform empowers you to make informed decisions, ensuring compliance and strengthening your supply chain’s cybersecurity.
Frequently Asked Questions
When should security reviews begin?
Immediately and before contract negotiation. Security posture can influence terms, pricing, and vendor prioritization.
Should a vendor be rejected if it had a past breach?
Not necessarily. What matters is how the breach was handled and what improvements were made afterward. But sometimes past breach history can be predictive of future breaches.
Do I need tools to evaluate vendors’ cybersecurity at scale?
Yes. Manual assessments of vendors’ cybersecurity fail at scale. Platforms like SecurityScorecard automate monitoring and support prioritization across hundreds or thousands of vendors.