When working with a client, vendors are often asked to supply some sort of proof they will protect the client’s sensitive data. While this may seem like a reasonable request, knowing how much information to share and the best way to do that can be tricky.
As a vendor, you may receive multiple requests from clients for compliance reports or third party validated security reports, such as a SOC 2. If you don’t have a third-party compliance report the client may ask you to complete a security questionnaire. (Something we discussed in a recent blog, here.) That process can be very time consuming, especially with multiple questionnaires asking for different information.
We’ve created five guidelines to help vendors meet their clients’ needs, without risking their own security:
1. Analyze your relationship with the client.
Sometimes clients will send out questionnaires to every vendor they use, without really looking at what that vendor has access to. If you are a vendor, but do not deal with the client’s sensitive data, you may not need to fill out tedious questionnaires. That client could be following their own company protocol without considering each request being made.
2. Know which data you should provide your client.
We typically don’t advise vendors to share Policies, Standards, and Procedures with a client. This sort of information could put you, the vendor, at risk. Be cautious and make sure you’re not sharing more information than what is required. It is not necessary to risk your own companies’ security to comply with a client’s wishes.
3. Know when to push back, and how.
If a client asks for more information than you’re comfortable with, you have the right to object. Oftentimes this will be a conversation, rather than a finite “no”. Ask for your client’s reasoning for the information they’re requesting. If it is still too much, explain why you are uncomfortable with the situation.
4. Offer up an alternative.
If you’ve turned down the client’s questionnaire or request for your Policies, Standards, and Procedures, they may still need some proof that you are ready to protect their security interests.
- One way to do that is with a pre-filled questionnaire. A method used in many of these cases is called SIG (Standardized Information Gathering). This questionnaire tool allows vendors to create a standard form, ready to be handed out to any clients who need an explanation of your security procedures. You can also create an inventory of your Policies and Standards with only the Table of Contents visible. This shows the documents are in place but doesn’t give all the details.
- Another option is to set up a meeting with the client. This can be a video call with screen sharing, or a webinar. If you plan to show the client any sensitive data, make sure they do not screen-grab or record the conversation. We suggest having the client sign an NDA beforehand.
- If a client requests a SOC 2 report, but you have another form of compliance report already completed, ask the client if that will work instead. They may be able to accept a different type of third party validated report, even if they did not specifically ask for it.
5. Decide if this client is worth the effort.
Completing compliance reports, filling out dozens of questionnaires, and sharing sensitive data can come at a cost to you. You need to decide if the client in question is worth the time and resources their requests will take. Sometimes it’s more cost-effective to let that client go than to jump through more hoops.
Hopefully this helps you know how to handle the inevitable security requests vendors face! If you need more assistance with preparing a SIG or knowing which information may be too sensitive to share, be sure to reach out to a cybersecurity expert.