Sage Advice - Cybersecurity Blog

Vendor Management - Tips for Creating a Vendor List

You already know who your critical vendors are, right? But do you know all your vendors? If a regulator were to walk into your office and ask about Vendor Z, are you confident enough in your documentation that you’ll be able to explain Vendor Z to them?

Even though you have a handle on your critical vendors, it’s often the “minor” vendors that get us in trouble. If the regulators hear you say, “I’m sorry, I don’t know who Vendor Z is, but I’ll find out for you,” it makes them wonder if you really have a firm grasp on your Vendor Management program.

Keeping track of all your vendors sounds like an easy task, but it isn’t. Unless all contracts and purchase orders go through one source, it’s a distinct possibility that not all your vendor relationships are being captured. (That speaks to the effectiveness of your Vendor Management program, which is a topic for another day.)

So how do you rope in all your vendors? Here are some suggestions.

Start with an existing vendor list. If no such list exists:

  1. Start by listing all known vendors.
  2. Review your contract library.
  3. Review your Accounts Payable list.
  4. Ask your loan departments (mortgage, business and retail) for a list of all their foreclosure attorneys, appraisers, title companies, investors, etc.

Once you have that list, assign a primary business owner. If you’re not sure, make your best guess. Now the fun starts.

Send each business owner their list, and ask them to:

  1. Confirm it’s their vendor and that the vendor is still being used.
  2. Briefly describe the vendor’s service.
  3. Provide vendor contact information.
  4. Rate the vendor’s performance as excellent, satisfactory, poor, or unacceptable.
  5. Indicate whether the vendor is critical, important, or useful to the institution.
  6. Indicate whether the vendor has access to protected information.
  7. Include any vendors not listed.

The first thing you may notice is question #5, the criticality status of the vendor. If you get an unexpected critical ranking, then it’s time for additional questions. Most of the time it’s just a misunderstanding on the business owner’s part of what “criticality” means to the organization, but it’s always good to check. The same goes for #6.

A quick word on vendor risk classifications. Your policy should contain several risk classifications, depending on regulatory requirements and best practices. However, your business owner may not be familiar with the minute details, so you can offer these classifications as a starting point:

  • Critical: If the vendor fails to deliver services as promised, is your organization in deep trouble, even to the point where you may fail? Do they have significant access to customer data, which, if breached, could cause immeasurable harm? That’s a critical vendor!
  • Important: If you lost this vendor’s services, it would hurt, but it wouldn’t cause a significant disruption to your firm’s operations. This also includes vendors that have limited access to customer data.
  • Useful: All vendors used by your firm should be at least “useful”, if not critical or important. (Indeed, if they’re not useful, why are you using them?) These are vendors who do not have access to customer data, and whose loss of services would not be disruptive to the organization.

Keep in mind that the business owner’s classification is only the start, not the final word.  It’s up to you, as your employer’s vendor risk manager, in conjunction with your organization’s vendor management policy, to make the final call. 

Next: notice question #4, vendor’s performance. Voilà, this gives you an easy way to assess the vendor, which regulators like to see. Obviously, any vendor that comes back as “Poor” or “Unacceptable” requires further examination, which you should follow up on. More evidence that you’re on top of your vendor management program!

Question #7: aha, another “unknown” vendor that becomes known. More power to your vendor management program.

Once you get these lists back, you have a complete vendor listing library. Now not only are you on top of your critical vendors, you are properly managing all your other vendors. Next year, you’ll be able to easily repeat this process when it’s time to update your vendor inventory. Good work!



Topics: Compliance, Vendor Management

