Your worst breach may not be yours. It may be a vendor’s — with your data in it, and your name on the notification.
Recommended ModuleCarriers ask whether you manage third-party risk because so many claims start with a vendor: a payroll provider gets popped, a SaaS tool is misconfigured, an IT contractor’s laptop is stolen — and your data goes with it. They want to know you have a list of who touches your data, that you have vetted the risky ones, and that your contracts actually require them to protect it.
The three things they are really asking: Do you have an inventory of your vendors and what data each one holds? Have you risk-ranked them and done due diligence on the critical ones? And do your contracts — including BAAs where you share health data — require security and breach notification? If your answer is "we’d have to go dig through emails," this kit closes that gap.
List your top 10 vendors by data.
Open a document and write down the vendors that hold or touch your most sensitive data — payroll, email, cloud storage, your EHR or billing system, anything with customer records. That list, with what data each one holds, is the start of a vendor inventory. You cannot manage risk you have not written down.
Find your BAAs (if you handle health data).
If any vendor touches PHI, you are legally required to have a signed Business Associate Agreement with them. Spend 20 minutes confirming which of your PHI vendors have one on file. A missing BAA is one of the most common — and most citable — gaps.
Pick your one riskiest vendor and ask for their SOC 2.
Choose the single vendor that would hurt you most if breached and email them: do you have a current SOC 2 Type II or ISO 27001, and will you notify us of a security incident? Their answer (or silence) tells you a lot, and it starts the due-diligence habit.
If the quick wins showed you the gap but not the path, the kit gives you a complete vendor-risk program — inventory, risk-tiering, a security questionnaire, and contract/BAA checklists — without buying a six-figure TPRM platform.
Vendor & Third-Party Management Policy
The policy that sets your program: what you require of vendors and how you manage them. Pre-structured; adapt and adopt.
Vendor Inventory & Risk Register
A living record of every vendor, the data they touch, their access, and their risk tier — the backbone of the program.
Vendor Risk Tiering Matrix
A simple method to tier vendors so your due diligence is proportional to the risk — deepest scrutiny where it matters.
Vendor Security Assessment Questionnaire
The due-diligence questionnaire you send to critical vendors, covering their security program, data handling, access, incident response, and compliance.
Contract & BAA Terms Checklist
The security, breach-notification, and BAA protections to look for in your agreements — organized so your conversation with counsel is fast and focused.
Onboarding & Offboarding Checklist
Step-by-step so every new vendor is assessed and contracted, and every departing vendor’s access and data are cleaned up.
Ongoing Vendor Review Log
A schedule and record for re-reviewing vendors by tier — your evidence of an active, ongoing program.
Some vendor portfolios need a program run around them, not a template.
If your Whitestance score flagged Third-Party Risk as a critical gap — or if you have dozens of vendors touching regulated data — a kit gets you a program but a full engagement gets it operated. Whitestance’s fractional CISO engagements build and run your vendor-risk program across your whole environment, chase down the assessments and BAAs, and produce documented evidence your board, auditors, and carriers can see. Engagements start at $40,000 for smaller organizations and scale from there.
Talk to us about a full engagement →