How to Vet a Vendor's Security Before You Sign the Contract

Infonaligy

Vendor breaches account for 48% of security incidents. Five questions to ask and contract terms to require before signing.

Nearly half of all security incidents in 2026 trace back to a third-party vendor. The Verizon Data Breach Investigations Report found that third-party involvement hit 48% of all incidents this year, up from 30% the year before. For a business owner with 50 to 200 employees, that statistic reframes a basic question: your company’s security isn’t just about what you do internally. It’s about who you let in.

Most SMBs treat vendor selection as a procurement decision. You compare pricing, check references, maybe review a capabilities deck. Security gets a passing mention, if it comes up at all. That approach worked when vendors hosted software on your servers and had limited access. It doesn’t work when your payroll provider, your cloud backup service, and your CRM platform all hold sensitive data and connect to your environment around the clock.

The fix isn’t complicated. Ask the right questions before you sign, put specific protections in the contract, and monitor vendors after onboarding. This post covers all three.

Why Vendor Risk Hits SMBs Harder

Large enterprises run formal vendor risk management programs with dedicated staff and automated monitoring tools. Most SMBs don’t have that infrastructure, and the math works against them in two ways.

SMBs typically grant vendors deeper access relative to their environment size. A 75-person company often gives its managed IT provider, its accounting software vendor, and its cloud host broad administrative access across most of its systems. An enterprise with 5,000 employees can segment vendor access more granularly. When a vendor serving an SMB gets breached, the blast radius covers a larger percentage of the company’s data and systems.

SMBs also have less contractual leverage. Enterprise contracts routinely include breach notification SLAs, audit rights, and indemnification clauses. SMB contracts often use the vendor’s standard terms, which may not address breach notification timelines or your rights when a vendor’s security failure exposes your data.

The Black Kite Third-Party Breach Report found that every vendor breach now affects an average of 5.28 downstream companies, and the average time between a breach and disclosure is 117 days. That means your business could be exposed for four months before anyone tells you. We covered the full scope of vendor breach impact earlier this year, including the wave of April 2026 incidents that demonstrated the pattern.

Five Questions to Ask Before You Sign

These aren’t theoretical. They’re the questions that separate vendors who take security seriously from vendors who check a box and move on.

1. Can you share your SOC 2 Type II report?

A SOC 2 Type II report is an independent audit of a vendor’s security controls over a period of time, typically 12 months. It covers how the vendor protects data, manages access, handles incidents, and maintains availability. If a vendor has one, ask for the most recent report and read the “exceptions” section carefully. Exceptions aren’t automatic disqualifiers, but they show you where the auditor found gaps.

If the vendor doesn’t have a SOC 2, ask what third-party security assessments they’ve completed. Smaller vendors may not have the budget for SOC 2 but should be able to provide something: a penetration test report, a completed security questionnaire, or documentation of their security controls. No documentation at all is a red flag.

2. What is your breach notification timeline?

Many vendors will say they “notify customers promptly” in the event of a breach. That’s not specific enough. Ask for a number. The standard you should expect is written notification within 72 hours of confirmed unauthorized access to your data. Some regulations, including CIRCIA, are moving toward mandatory 72-hour reporting for critical infrastructure. Your vendors should meet at least that bar regardless of whether regulation requires it.

Also ask who gets notified. You need a named contact at the vendor’s security team and a process for reaching them outside business hours.

3. Who can access our data, and what controls limit that access?

You want a specific answer, not “our team follows best practices.” Ask how many people have access, whether access is role-based, whether privileged accounts use multi-factor authentication, and whether the vendor logs and reviews access to customer data. A vendor that can’t answer these questions clearly hasn’t thought about them carefully.

Pay particular attention to administrative access. If a vendor has admin credentials to your Microsoft 365 tenant or your network, you need to know exactly how many people hold those credentials and how they’re protected.

4. How do you patch internet-facing systems?

The 2026 Verizon DBIR showed that vulnerability exploitation is now the leading breach vector at 31%. If your vendor runs internet-facing infrastructure like web applications, VPN concentrators, or email gateways, their patching cadence directly affects your risk. Ask for their SLA on critical vulnerabilities. A reasonable answer: critical patches applied within 48 hours of advisory, high-severity patches within a week.

If the vendor patches on a monthly cycle regardless of severity, that’s a gap the data says matters.

5. Do you carry cyber insurance, and what are the limits?

A vendor with cyber insurance has been through an underwriting process that independently verifies their security controls. It also means that if a breach occurs, the vendor has financial resources to cover response, remediation, and potential liability. Ask for the policy limits and confirm the policy is current. A $1 million policy may be adequate for a small SaaS vendor, but not for a vendor holding large volumes of sensitive data.

What to Put in the Contract

Verbal assurances don’t survive a breach investigation. If the vendor agrees to something, put it in writing. These five terms should be in every vendor contract that involves access to your data or systems.

Breach notification within 72 hours. Written notification with a description of the incident, what data was affected, what remediation steps are underway, and a point of contact for your team.

Right to audit or receive third-party audit reports. You may not need to conduct your own audit, but you should have the contractual right to request updated SOC 2 reports, penetration test results, or security certifications annually. If the vendor resists this, ask why.

Data deletion on termination. When the contract ends, the vendor should delete your data within a specified timeframe (30 days is standard) and provide written confirmation. Without this clause, your data may persist in the vendor’s systems indefinitely.

Subprocessor disclosure. Many vendors use their own vendors to deliver services. Your data may pass through two or three companies before it reaches the system that processes it. The contract should require the vendor to disclose all subprocessors who handle your data and notify you before adding new ones.

Indemnification for breaches caused by vendor negligence. If the vendor’s security failure causes a breach of your data, the vendor should bear the costs of notification, remediation, and regulatory fines attributable to their failure. Standard vendor contracts often try to cap this liability at the contract value, which may not cover a serious incident. Negotiate this cap upward for vendors handling sensitive or regulated data.

Red Flags That Should Pause the Deal

Not every vendor will meet every standard above, especially smaller companies. But certain responses should make you slow down before signing.

A vendor that won’t provide a SOC 2, a penetration test, or even a completed security questionnaire is telling you something about their priorities. Legitimate concerns about sharing audit details can be addressed through NDAs. Outright refusal is different.

Watch for vendors who use “we’ve never been breached” as a selling point. This usually means one of two things: they haven’t detected a breach, or they haven’t been targeted yet. Neither is reassuring. The question isn’t whether they’ve been breached. It’s whether they’re prepared for when it happens.

If a vendor doesn’t have a documented incident response plan, they’ll be improvising during a crisis. Your data will be part of that improvisation. And if a vendor resists committing to a specific breach notification timeline, they may be planning to manage disclosure on their terms, not yours. The 117-day average disclosure delay exists because vendors have financial incentives to delay notification.

Keeping Vendors Accountable After You Sign

Vendor vetting isn’t a one-time event. Security postures change, companies get acquired, and employees turn over. A vendor that passed your assessment two years ago may look different today.

Review SOC 2 reports annually. If the vendor updates their certification, request the new report and check whether any new exceptions appeared. Pay attention to changes in the vendor’s ownership or leadership; acquisitions often lead to cost-cutting that affects security staffing and tooling.

Monitor for public breach disclosures involving your vendors. Services like Have I Been Pwned and vendor-specific security advisories can alert you to incidents that affect your supply chain.

Conduct a periodic access audit with your IT provider. Confirm that vendor access to your systems matches what’s documented in the contract. Revoke access for vendors you no longer use. A cybersecurity risk assessment that includes vendor access review catches stale permissions before they become an exposure.
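The access audit above is easy to do badly by eyeballing a user list. As an added example (not from the original post), here is a small reconciliation script that compares a constructed contract register against a constructed export of vendor-held accounts and flags the four things a reviewer should act on: access with no contract on file, access outstanding past the contract end date, roles broader than the contract permits, and accounts nobody has signed into recently. The vendor names, roles, dates and the role ordering are all assumptions for illustration.

```python
"""Reconcile vendor access in your environment against the contract register.

Added example, not the post's own code. Inputs are constructed: a contract
register (permitted role, contract end) and an account export (granted role,
last sign-in) such as you would pull from a directory or M365 tenant.
"""
from datetime import date, timedelta

# Assumed ordering of roles from narrowest to broadest access.
ROLE_RANK = {"read-only": 0, "user": 1, "admin": 2, "global-admin": 3}

# Constructed contract register: vendor -> permitted role and contract end date.
CONTRACTS = {
    "PayrollCo": {"role": "user", "ends": date(2027, 1, 31)},
    "BackupCo": {"role": "admin", "ends": date(2026, 12, 31)},
    "OldCRM": {"role": "admin", "ends": date(2025, 6, 30)},  # contract has ended
}

# Constructed account export: what vendors actually hold today.
ACCOUNTS = [
    {"account": "svc-payroll", "vendor": "PayrollCo", "role": "global-admin", "last_signin": date(2026, 5, 1)},
    {"account": "svc-backup", "vendor": "BackupCo", "role": "admin", "last_signin": date(2026, 5, 10)},
    {"account": "svc-oldcrm", "vendor": "OldCRM", "role": "admin", "last_signin": date(2025, 7, 2)},
    {"account": "consultant-x", "vendor": "UnknownCo", "role": "user", "last_signin": date(2026, 3, 1)},
]


def audit_vendor_access(accounts, contracts, today_iso, stale_days=90):
    """Return (account, issue) findings for access that does not match the contracts."""
    today = date.fromisoformat(today_iso)
    findings = []
    for acct in accounts:
        contract = contracts.get(acct["vendor"])
        if contract is None:
            # Access granted to a vendor with no contract on file: revoke or document.
            findings.append((acct["account"], "no contract on file"))
            continue
        if today > contract["ends"]:
            findings.append((acct["account"], "contract ended " + contract["ends"].isoformat()))
        if ROLE_RANK[acct["role"]] > ROLE_RANK[contract["role"]]:
            findings.append((acct["account"], f"role {acct['role']} exceeds contracted {contract['role']}"))
        if today - acct["last_signin"] > timedelta(days=stale_days):
            findings.append((acct["account"], f"no sign-in for over {stale_days} days"))
    return findings


if __name__ == "__main__":
    for account, issue in audit_vendor_access(ACCOUNTS, CONTRACTS, "2026-05-15"):
        print(f"{account}: {issue}")
```

Run against the constructed data, the script reports the over-privileged payroll account, the expired and dormant OldCRM account, and the consultant account with no contract, while the backup vendor's access passes cleanly.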

If managing vendor security across your environment feels like more than your internal team can handle, that’s a normal constraint for a growing business. Your managed security provider can incorporate vendor risk monitoring into your overall security program so that vendor assessments, contract reviews, and ongoing monitoring happen on a schedule instead of whenever someone remembers.

Vendor security used to be an enterprise concern. The data shows it’s now an everyone concern. Start with your top five vendors ranked by data sensitivity, work through the questions and contract terms above, and close the gaps before your next renewal cycle.