Vendor

A third party providing goods or services — and a third-party risk that must be managed.

Every vendor is also a third-party risk: a compromise of the vendor can become a compromise of your environment, as supply-chain attacks such as SolarWinds showed. Vendor risk management tiers suppliers by the sensitivity of the data they handle and their criticality to the business, then applies due diligence and contractual controls proportionate to the tier, so the highest-risk vendors get the deepest scrutiny. SOC 2 Type II reports, security questionnaires, and right-to-audit clauses are standard due-diligence inputs. Note that a SOC 2 Type II report covers a defined system and review period, so confirm its scope matches the service you are actually buying, and that questionnaire answers are self-attested and should be checked against evidence for higher-tier vendors.
