Third-party risk after the supply-chain attack era
Most third-party risk programs in mid-market financial services are questionnaire factories. They produce paperwork; they do not produce risk reduction. After several years of supply-chain incidents, the realistic position has changed — here's what actually works.
Most third-party risk programs in mid-market financial services are questionnaire factories. The process is recognisable: prospective vendor receives a 200-question security assessment, returns it weeks later mostly auto-completed by their pre-sales team, the responses are filed, the engagement proceeds. The cycle repeats annually. The actual risk reduction is approximately zero.
After several years of supply-chain incidents — SolarWinds, Kaseya, MOVEit, the steady stream of MSP and SaaS compromises, the CrowdStrike kernel update — the realistic position on third-party risk has changed. The traditional questionnaire-based program is no longer credible to a serious internal audit, let alone an external one. APRA CPS 230 explicitly calls out the inadequacy by requiring substantive ongoing oversight, not just point-in-time due diligence.
This post is the version we run for clients moving from questionnaire-factory to a third-party risk program that actually reduces risk.
What questionnaires cannot tell you
The fundamental limitation: the questionnaire records what the vendor says their security posture is, at the moment of completion, as interpreted by the person completing it. The respondents are typically pre-sales engineers, not the security team. The answers are aspirational. The audit trail is the questionnaire itself.
What the questionnaire cannot reveal:
- Whether the controls are operating today.
- Whether the controls have changed since the questionnaire was completed.
- Whether the vendor’s actual security posture matches their documented one.
- Whether the vendor has had incidents they didn’t disclose.
- Whether their fourth-party dependencies have changed.
- Whether their personnel turnover affects their control effectiveness.
The controls the questionnaire can establish — that the vendor has policies, has insurance, is incorporated, has named officers — are useful but not sufficient.
The realistic third-party risk program
A program that produces actual risk reduction has five elements. The questionnaire is a small part of one of them.
1. Tiering by criticality
Vendors are not equal. The program differentiates:
- Tier 1 — material service providers per CPS 230. Critical operations depend on them. Maximum scrutiny.
- Tier 2 — important but not critical. Substantive scrutiny.
- Tier 3 — utility services with limited blast radius. Light-touch scrutiny.
- Tier 4 — minor purchases. Procurement-only.
The work each tier requires differs by an order of magnitude. The same effort applied to all tiers means none of them gets adequate attention.
The tiering criteria are documented. Determination is not at the vendor’s discretion — it’s the customer’s assessment of the operational dependency.
2. Differentiated due diligence by tier
For Tier 1 (material service providers), the due diligence:
- SOC 2 Type II report for the relevant service. Reviewed by a security engineer, not a procurement officer.
- ISO 27001 certificate with the relevant scope (the certificate scope is often narrow — read it).
- Penetration test summary (not just “we do them”) — the executive summary or a redacted version showing material findings and remediation status.
- Sub-processor list with the locations, functions, and data handling for each.
- Architecture summary for the service, including data flow and integration points.
- Incident history disclosure — material incidents in the last 24 months, with summary of impact and remediation.
- Contractual controls per the contract framework — audit rights, sub-processor controls, material change notification, data handling, termination terms.
- Concentration assessment — is this vendor a sole-source dependency? Is the underlying infrastructure also a sole-source (e.g., everything-on-AWS)?
For Tier 2, a subset of the above. For Tier 3, a documented determination with a brief justification. For Tier 4, the standard procurement record.
3. Continuous monitoring
The single largest gap in most programs. Continuous monitoring covers:
- External attack surface monitoring for the vendor — exposed services, certificate posture, breach disclosures, dark-web mentions. Several services do this for low cost (BitSight, SecurityScorecard, RiskRecon, Panorays).
- Threat intelligence for incidents affecting vendors, especially Tier 1. When a vendor is in the news, you find out same day, not when their disclosure email arrives.
- Vendor’s own security disclosures — most material vendors maintain a security/trust page with active incidents and resolutions. The page is monitored.
- Performance and availability against the contract’s SLAs. Trending issues are early indicators of operational stress that may include security stress.
Continuous monitoring catches the problems between annual reviews. The questionnaire-based programs miss everything that happens in those 364 days.
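As an added example, not tooling from the post or its authors, the rule set below turns the monitoring sources above into findings over a constructed vendor register: a certificate nearing expiry on the vendor's customer-facing endpoint, a security/trust page whose content has changed since the last review, availability trending down and then breaching the contracted SLA, and an incident the vendor has known about for longer than the 24-48 hour notification clause without telling the customer. Finding severity follows the tier from section 1, and Tier 4 (procurement-only) vendors produce no findings at all. Vendor names, page text, availability figures and the thresholds (30-day certificate warning, three-month trend window, 48-hour deadline) are constructed assumptions, not figures from the post.

```python
"""Continuous-monitoring rules for a tiered vendor register (added example)."""
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import hashlib

CERT_WARNING_DAYS = 30                       # assumption: warn a month before expiry
TREND_MONTHS = 3                             # assumption: three falling months is a trend
NOTIFICATION_DEADLINE = timedelta(hours=48)  # outer bound of the 24-48 hour clause
SEVERITY_BY_TIER = {1: "high", 2: "medium", 3: "low"}  # Tier 4 is not monitored


@dataclass
class Vendor:
    name: str
    tier: int
    cert_not_after: datetime          # expiry of the cert on the vendor's endpoint
    trust_page_hash: str              # hash of the trust page at last review
    availability_pct: list[float]     # monthly availability samples, oldest first
    sla_availability_pct: float
    incident_detected: datetime | None = None  # when the vendor became aware
    incident_notified: datetime | None = None  # when the customer was told


@dataclass
class Finding:
    vendor: str
    rule: str
    severity: str
    detail: str


def page_hash(content: str) -> str:
    """Stable fingerprint of a trust page so content drift is detectable."""
    return hashlib.sha256(content.encode("utf-8")).hexdigest()


def evaluate(v: Vendor, now: datetime, trust_page_now: str) -> list[Finding]:
    """Run every monitoring rule for one vendor and return the findings."""
    if v.tier not in SEVERITY_BY_TIER:
        return []  # Tier 4: procurement record only, no continuous monitoring
    sev = SEVERITY_BY_TIER[v.tier]
    out: list[Finding] = []

    # Certificate posture: expired, or inside the warning window.
    days_left = (v.cert_not_after - now).days
    if days_left < 0:
        out.append(Finding(v.name, "cert_expired", sev, f"expired {-days_left} days ago"))
    elif days_left <= CERT_WARNING_DAYS:
        out.append(Finding(v.name, "cert_expiring", sev, f"expires in {days_left} days"))

    # Vendor's own disclosures: any change to the trust page needs a human look.
    if page_hash(trust_page_now) != v.trust_page_hash:
        out.append(Finding(v.name, "trust_page_changed", sev,
                           "trust page differs from last reviewed snapshot"))

    # Operational stress: strictly falling availability, and outright SLA breach.
    recent = v.availability_pct[-TREND_MONTHS:]
    if len(recent) == TREND_MONTHS and all(b < a for a, b in zip(recent, recent[1:])):
        out.append(Finding(v.name, "availability_declining", sev,
                           f"{TREND_MONTHS} consecutive falling months: {recent}"))
    if v.availability_pct and v.availability_pct[-1] < v.sla_availability_pct:
        out.append(Finding(v.name, "sla_breach", sev,
                           f"{v.availability_pct[-1]}% below SLA {v.sla_availability_pct}%"))

    # Contractual incident-notification clock, measured from vendor awareness.
    if v.incident_detected is not None:
        lag = (v.incident_notified or now) - v.incident_detected
        if lag > NOTIFICATION_DEADLINE:
            state = "notified late" if v.incident_notified else "not yet notified"
            out.append(Finding(v.name, "incident_notification_late", sev,
                               f"{state}: {lag.total_seconds() / 3600:.0f}h after awareness"))
    return out


def demo() -> dict[str, list[str]]:
    """Constructed register and trust-page snapshots; returns rule names per vendor."""
    now = datetime(2026, 4, 15, tzinfo=timezone.utc)  # constructed run time
    page_old = "Trust centre\nNo active incidents.\n"
    page_new = "Trust centre\nActive incident: degraded API availability under investigation.\n"
    vendors = [
        Vendor("core-banking-saas", 1, now + timedelta(days=12), page_hash(page_old),
               [99.97, 99.95, 99.90, 99.85], 99.9,
               incident_detected=now - timedelta(hours=70), incident_notified=None),
        Vendor("payroll-provider", 2, now + timedelta(days=200), page_hash(page_old),
               [99.99, 99.99, 99.98], 99.9,
               incident_detected=now - timedelta(hours=40),
               incident_notified=now - timedelta(hours=10)),
        Vendor("printer-supplies", 4, now - timedelta(days=3), "", [], 0.0),
    ]
    pages_now = {"core-banking-saas": page_new, "payroll-provider": page_old,
                 "printer-supplies": ""}
    return {v.name: [f.rule for f in evaluate(v, now, pages_now[v.name])] for v in vendors}


if __name__ == "__main__":
    for name, rules in demo().items():
        print(f"{name}: {rules or 'no findings'}")
```

In practice the inputs come from the attack-surface service's API, a scheduled fetch of each Tier 1 vendor's trust page, the SLA reporting the contract already obliges the vendor to supply, and the incident register; the rules stay the same. Keeping the trust-page hash and the availability history in the vendor register is what lets the annual re-assessment in section 5 be a review of evidence rather than a fresh questionnaire.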
4. Substantive contractual controls
The contract is the regulatory hinge. For Tier 1 vendors specifically, the contract must support what the program needs to do:
- Audit rights that can actually be exercised, not just claimed.
- Sub-processor controls with notification, objection rights, and termination-without-penalty if the vendor adds an unacceptable sub-processor.
- Material change notification with adequate notice (60+ days) and customer right to terminate.
- Incident notification within 24-48 hours of vendor awareness.
- Audit log access in a format that supports customer monitoring.
- Termination and exit with realistic transition support.
We covered the AI-vendor specific clauses in an earlier post; the same framework applies broadly with vendor-category specifics.
For mid-market organisations, the negotiation positions on these clauses are reasonable. Major vendors have negotiated them for other customers; challenger vendors will negotiate to win the deal. The pattern is not “do they have these terms in their template” but “will they sign these terms after a thirty-minute conversation”.
5. Periodic re-assessment with operational evidence
The annual re-assessment, when done well, is not another questionnaire. It is:
- Confirmation the contract terms remain enforced.
- Review of the SOC 2 Type II for the new period.
- Review of the incidents disclosed during the year.
- Review of the continuous monitoring evidence.
- Confirmation of any sub-processor changes.
- Confirmation of any material model or architecture changes.
- Operational performance against SLAs.
The output is a refreshed risk position. The vendor stays, the vendor is escalated for closer attention, the vendor is exit-planned, or the vendor is exited.
CPS 230 specifics
For APRA-regulated entities, CPS 230 paragraph 49 onwards governs material service providers. The substantive requirements:
- Identify material service providers (paragraph 49).
- Conduct due diligence before engagement (paragraph 50).
- Have written agreement with required content (paragraph 53).
- Monitor performance and management on an ongoing basis (paragraphs 55–58).
- Maintain orderly transition arrangements (paragraphs 59–61).
These map directly to the program above. CPS 230 is permissive on how the program runs; it is specific on what the program covers. A questionnaire-only program meets none of the substantive requirements.
What to stop doing
The deprecated practices:
- Annual questionnaires as the primary control. Reduce them to annual confirmation of changes since prior year, not the substantive due diligence.
- Questionnaire reciprocity panic. “We can’t ask for things our vendors will then ask of us” — this fear isn’t operationally relevant; the right answer is consistent expectations across both directions.
- Over-scoping low-tier vendors. The local printer-supplies company doesn’t need a 200-question security questionnaire. Tier them out.
- Vendor risk register that no-one operates. The register is only useful if it informs decisions — vendor onboarding, contract renewal, incident response. If it’s a spreadsheet that nobody reads, it’s not a control.
A practical first move
This quarter, tier your vendor list. Identify the Tier 1 (material service providers) explicitly. For the Tier 1 vendors, audit your current due diligence against the list above. The gaps that emerge are the priority work for the year.
For organisations doing this as part of CPS 230 readiness or broader vendor management uplift, the Security Posture Assessment reviews third-party risk arrangements; substantive remediation is typically delivered through the Fractional Officer engagement over 6–12 months.