Cybersecurity Vendor Due Diligence
Frequently Asked Questions
Answers for GCs, procurement leaders, CISOs, and third-party risk managers about Law & Forensics' cybersecurity vendor due diligence practice — pre-contract diligence, ongoing monitoring, and post-incident vendor investigations. Contact us for a confidential consultation.
What a defensible third-party cybersecurity diligence program looks like — pre-contract, contractual, and ongoing — and how it survives scrutiny from regulators after a vendor-driven breach.
What is cybersecurity vendor due diligence?
A structured evaluation of a vendor's, supplier's, or service provider's cybersecurity posture before, during, and after engagement.
It typically includes a security questionnaire, evidence review (SOC 2, ISO 27001, penetration test results), contract analysis, and where warranted, technical validation. The purpose is to identify the cyber risk the vendor introduces, allocate that risk through contract terms, and monitor it across the engagement lifecycle.
Is cybersecurity vendor due diligence required by law?
It is required, in some form, by nearly every U.S. cybersecurity regime — HIPAA (business associate requirements), NY DFS 23 NYCRR Part 500.11 (third-party service provider policy), the federal banking agencies' Interagency Guidance on Third-Party Relationships, the GLBA Safeguards Rule, CCPA service-provider contract terms, and the SEC cybersecurity disclosure rules (which require public companies to describe how they oversee third-party risk).
Even where no rule names it explicitly, the adequacy of your vendor diligence record is usually the central question in negligence and shareholder-derivative claims after a third-party breach. We design programs that satisfy each applicable regime simultaneously rather than one regime at a time.
What methodology does Law & Forensics use for vendor cybersecurity diligence?
We align with NIST 800-161 r1 (Cybersecurity Supply Chain Risk Management) and the Shared Assessments SIG / SCA suite, calibrated to the vendor's data access, business criticality, and regulatory footprint.
Tier-1 vendors (high data access, high business impact) get full diligence including evidence review, control testing, and contract review. Tier-3 vendors get a streamlined questionnaire-based approach. We tier vendors by risk, not by spend.
Which cybersecurity contract terms should we require from vendors?
At minimum: a written information security program, mandatory MFA for access to systems holding your data, encryption in transit and at rest, audit and inspection rights, incident notification within 24–72 hours of discovery, indemnity for cyber incidents, mandatory cyber insurance, subcontractor flow-down of the same obligations, and end-of-engagement data return or certified destruction.
For regulated industries we add regulator-specific terms — BAA language for HIPAA, Part 500.11 clauses for NY DFS, FedRAMP language for federal, NIST 800-171 / DFARS 252.204-7012 for defense.
What does ongoing vendor cybersecurity monitoring look like?
Periodic re-assessment, continuous external threat intelligence, breach-notification clause enforcement, and a documented escalation process for material findings.
Tier-1 vendors should be reassessed annually with mid-year touchpoints; Tier-2 every 18–24 months. We also recommend continuous external monitoring — security ratings, dark-web exposure, breach indicators — paired with contractual right-to-audit triggers.
What happens after a vendor-driven breach?
Under most regimes the vendor's breach is your breach for notification, regulatory, and reputational purposes — and your diligence record is the first thing regulators and class-action plaintiffs request.
We perform vendor-driven incident response, scope the impact on your data, manage joint forensics with the vendor, prepare regulator notifications, and where appropriate help pursue contract remedies. See our incident response services.
