EVIDENCE TEMPLATE UC-15

Vendor Risk Assessment

Identify critical vendors, classify by risk tier, conduct security assessments, and document remediation. Cyber carriers expect vendor assessments for any vendor with system or data access.

📋 What this cyber insurance requirement is

A vendor risk assessment for cyber insurance should classify vendors by tier (critical, important, standard) based on data or system access, include tier-appropriate security questionnaires, request evidence (SOC 2, ISO 27001, Data Processing Agreements), assign risk scores, and establish assessment frequency. Carriers require this documentation to verify your organization has visibility into third-party risks and can manage vendor breaches — a major source of cyber incidents.

What you'll get
  • Vendor inventory with tier classification (critical, important, standard)
  • Tier-appropriate security questionnaires
  • Risk scoring matrix and assessment methodology
  • Evidence requirements by tier (SOC 2, ISO 27001, DPA)
  • Assessment frequency and remediation tracking
  • Carrier alignment (Travelers, Hartford, Coalition)

What carriers are looking for

Each carrier asks slightly different questions. Here are some named artifacts by carrier.

Travelers

  • Service provider security controls documentation
  • Vendor assessment process and frequency
  • Evidence of documented vendor assessments

Hartford

  • Third-party vendor security policies
  • Critical vendor assessment for controls
  • Data Processing Agreements with vendors

Coalition

  • Vendor management processes and procedures
  • Vendor security screening and questionnaires
  • Security posture reviews and documentation

What to collect

Evidence artifacts your broker will need during the renewal process.

Vendor inventory with tier classification

List of all vendors with system or data access, categorized by tier based on criticality and access scope.

Completed questionnaires

Responses from vendors to security questionnaires appropriate for their tier.

Risk scoring results

Assessment results with risk scores and remediation actions documented.

Data Processing Agreements

Executed DPAs with vendors handling personal data, referencing GDPR/CCPA compliance obligations.

SOC 2 & ISO 27001 certifications

Evidence collected from critical and important vendors (if applicable to their services).

Remediation tracking

Documentation of findings, corrective actions, and resolution timelines for identified gaps.

Important: What this doesn't prove

Be upfront about these gaps. Carriers appreciate honesty over overstatement.

Assessments are conducted: Documentation doesn't prove assessments are actually performed on schedule.

All vendors identified: You may not have discovered all third parties with data access.

Controls are genuine: Vendor responses may not reflect actual security practices.

High-risk vendors managed: Risk scores don't prove you terminated or remediated high-risk vendors.

Compliance with regulations: Vendor agreements don't guarantee GDPR/CCPA compliance enforcement.

Vendor breach prevention: Assessment doesn't prevent third-party breaches or insider threats.

Who owns what

🏢 Broker

Interprets carrier requirements, aligns submission timing, verifies policy compliance before renewal.

🔧 MSP/IT Security/Procurement

Creates vendor inventory, administers questionnaires, conducts scoring, tracks remediation, manages DPAs.

🤝 Business Owner/Vendor Manager

Makes risk decisions, approves contracts, owns remediation authority, makes termination decisions for high-risk vendors.

Frequently Asked Questions

Why are third-party vendor breaches a big deal for cyber insurance?

Third-party breaches are increasingly common. A single vendor breach can expose multiple customers' data. Carriers require vendor assessment evidence to verify you understand your supply chain risks and actively manage them.

Which vendors require assessment?

Any vendor with system access (cloud SaaS, MSP, RMM, backup providers) or data access (accounting firms, HR platforms, payment processors). Assess based on data sensitivity and access scope, not vendor size.

Do critical vendors need SOC 2 or ISO 27001?

Recommended for critical vendors. Important vendors should have SOC 2 Type II. Standard vendors may provide questionnaire responses only. If a vendor handles PII or financial data, SOC 2 Type II is expected by carriers.

What if a critical vendor refuses to complete a questionnaire?

That's a red flag. Carriers will expect documentation of your attempt to get compliance and any compensating controls (e.g., network segmentation, data encryption). Consider escalating or finding an alternative vendor if the refusal persists.

How often should we reassess vendors?

Critical vendors: annually. Important vendors: every 2-3 years. Standard vendors: as-needed (at least every 3-5 years or on significant role change).

What is a Data Processing Agreement?

A DPA obligates the vendor to comply with data protection regulations (GDPR, CCPA) when processing personal data on your behalf. Required for any vendor handling customer or employee PII. Most SaaS platforms have standard DPAs available.

Sources (March 2026)

  • Travelers – Service provider security controls and vendor assessment requirements
  • Hartford – Third-party vendor security policies and critical vendor assessment expectations
  • Coalition – Vendor management process and security screening requirements
  • NIST Cybersecurity Framework – Supply chain risk management (ID.SC-1, ID.SC-2)