Chapter 15: Transform to Predictive

The statistics on the number of firms that do not perform adequate third‐party due diligence are astounding. Surveys on this subject by groups such as the Ponemon Institute routinely find that fewer than 55 percent of businesses have a vendor risk management program, and an even smaller percentage of them perform any cybersecurity risk assessments. Such programs are desperately needed, given the level of security incidents and breaches detailed in Chapter 1. Those businesses with robust programs that treat cybersecurity as a key risk domain have the ability to change the timing of some of their risk reduction.

All the due diligence activities described in the previous chapters have focused on either point‐in‐time assessments or Continuous Monitoring (CM). The steps outlined in those chapters describe the actions needed to start programs or improve existing ones. Engaging vendors in conversations and building relationships with them increases transparency and enables both businesses and their vendors to work collectively on reducing risk. Such activities produce a lot of data, which often just sits there unused unless it is needed for another due diligence or due care activity. This valuable information, however, can show where risk is really located when a business is able to look at the data in an aggregate and holistic way.

In addition, engagements with the vendors are largely reactive as ...
