Third-party service providers present difficult and unique privacy and cybersecurity challenges. Vendor management is important throughout the life of a relationship with your service provider. Vendor diligence starts during the vendor selection process, continues through contract negotiation, and ends when the parties terminate their relationship. The goal is to effectively improve the service your vendors provide and mitigate the risk inherent in the vendor relationship. The following provides a snapshot of information concerning third-party vendors.

$78 billion => $235 billion

The amount companies spent on cloud services in 2011, compared with the amount they are projected to spend by 2017.[1]


The percentage of companies that evaluate the security risks of their third-party vendors.[2]


The percentage of companies that require their partners and vendors to comply with their security practices.[3]


The percentage of breaches attributable to a partner or vendor.[4]

What to consider when evaluating a vendor agreement:

  1. What data and information will you be sharing with your vendor?
  2. Does your vendor agreement require that the vendor use your data only to provide services to your company?
  3. Under what terms is your vendor required to keep your data confidential?
  4. Is your vendor required to comply with government requests to produce your data?
  5. Is your vendor required to keep your data in a logically distinct manner?
  6. What are the laws and industry regulations that apply to your company with which your vendor will be required to comply?
  7. Under what terms is your vendor required to notify you if your vendor is breached?
  8. Is your vendor subject to your privacy, cybersecurity, and data retention policies?
  9. Does your privacy policy allow your company to share your data with a vendor?
  10. After the termination or expiration of the vendor agreement, under what terms is your vendor required to return your data?
  11. What right does your vendor have to withhold access to your data or terminate your service?
  12. What rights do you have to audit your vendor’s operational practices?
  13. Is your vendor required to self-audit?
  14. Have your vendor’s past audits exposed any vulnerabilities, or has your vendor been breached in the past?
  15. Will your vendor be required to maintain certain levels of insurance during the term of the vendor agreement?