Business Partner Vetting Costs

Most organizations have no idea how much they spend on business partner vetting ("BPV") for cybersecurity purposes. Although these hidden costs generally go unnoticed, they shouldn’t. BPV managed manually by sending out questionnaires is an insidiously expensive process. The tedious process works like this: (1) you email questionnaires to current (because vetting once will never do) or prospective partners; (2) you “bird dog” partners to complete them; (3) you collate responses in some centralized repository (hopefully); (4) you analyze responses; (5) you follow up with partners whose responses are inadequate; and (6) you do this year in and year out. Why? Because a cybersecurity questionnaire represents a snapshot in time. Best practices dictate that you vet on a yearly basis.

Questionnaires represent a snapshot in time. Best practices dictate you perform partner vetting on a yearly basis. Security is only as good as the weakest link.

Further, what happens if the questionnaire does not contain all the information you need? Unless you get “satisfactory assurances” of process results, you have no way of verifying that your partners provided complete and valid responses. So, if you are prudent, what do you do? You ask for additional reports, such as your partner’s: (1) latest risk assessment; (2) policies and procedures; (3) training spreadsheet; (4) breach notification and response plans; (5) disaster recovery plans; (6) business associate contract if you are a HIPAA covered entity or business associate; etc. All of this represents additional documents to process, collate, analyze and respond to. Further, because this process is generally delegated to an InfoSec staff member, the organization has little visibility into where these artifacts are stored, unless of course you have a centralized repository. Often, that is not the case. Finally, when the InfoSec staff member leaves for that next high-paying gig, the turnover process becomes chaotic, if it happens at all.


A conservative estimate for vetting a partner is $1000.00 per year...year in and year out...if you have 20 partners (a small number even for a midsize organization) then you are spending $20K per year on this process...the hidden costs are insidious!


Our solution lies in Expresso’s BPV Portal. We discuss the benefits below. However, for now, let’s do a deeper dive into costs and put conservative numbers on the yearly cost to vet a partner. The following costs are common to almost any BPV process:

  1. Ensuring that the BAA is approved and executed;
  2. Determining what apps/data the partner will access & criticality of same;
  3. Developing the cybersecurity questionnaire, emailing it, ensuring completeness, analyzing responses, and follow-up communications with a partner depending on responses;
  4. Based on the partner’s role (or extended role) assigning the acceptable level of risk pursuant to sharing data (PII or PHI or other);
  5. Reporting to the executive team on results;
  6. Ensuring that partner responses are stored in an organizational repository for visibility; and
  7. Developing action plans to get strategic partners cybersecurity ready (if possible).

This list is representative but not exhaustive. What are the hard-dollar costs associated with this process per vendor per year? Let’s assume that your InfoSec staff member makes $100K per year (average). Let’s assume that you have 25 partners to vet (a minimal number for midsize or larger organizations). $100K per year breaks down to an hourly rate of $50 per hour ($50 x 2,000 hours per year = $100K). The burdened hourly rate will be higher (benefits). This process conservatively takes, on average, 20 to 25 hours per vendor per year. Let’s go with 20 hours; at $50/hour, the cost per vendor per year is $1000.00 ($50 x 20). Therefore, with 25 vendors your organization will be spending $25K per year; year in and year out.

Using Expresso's BPV Portal, many tasks can be delegated to admin staff...freeing up professionals to perform the tasks that require their expertise...thereby further reducing costs.

There are no “magic solutions” for eliminating all costs; however, Expresso’s BPV Portal streamlines the process by:

  • Eliminating the need to develop a robust cybersecurity questionnaire (that’s in the box);
  • Eliminating manually emailing questionnaires (partners come to the Portal to fill them out);
  • Eliminating having to remember when to follow up;
  • Allowing partners to upload additional documents requested (e.g. latest risk assessment);
  • Allowing partners to enter free-form text associated with responses (reducing communications time); and
  • Storing everything in a centralized repository for organizational visibility.

Many of these tasks can be accomplished by admin staff, thereby leaving the professionals to perform the analysis and follow-up. Eliminating manual administrative steps can reduce costs by 50%. In our example, that would reduce costs from $1000 per vendor per year to $500. Reducing costs in this manner adds up to significant savings year on year.

If you think cybersecurity education is expensive, try ignorance...the coolest tech on the planet may get you an audience, but it’s not enough to close the deal with the big boys...you gotta bring your "A" game in order to survive their cybersecurity due diligence!

If you’re a healthcare startup, what value does Expresso’s BPV Portal bring you? Well, first, it will educate you as to what the big boys will be asking when they target you. Forewarned is forearmed, especially because the big boys are sophisticated as to the damage that third-party risks can do to their brand. There is no way you can play if you can’t satisfy their cybersecurity requirements. If you think cybersecurity education is expensive, try ignorance. The coolest tech on the planet may get you an audience, but it’s not enough to close the deal.

Further, today even small partners have partners. The big boys are going to want to know who you are sharing their data with, and what your vetting process is. Remember, if you are dealing with protected health information (PHI), you, as a business associate, must also get “satisfactory assurances” from your partners (e.g. cloud providers such as Microsoft, Amazon, Google, IBM, etc. are partners by definition if you store PHI on their platforms; these are just the usual suspects). Security is only as good as the weakest link. If you are working with outsourced development partners, those are business associates of yours as well.

Contact us: Mature Compliance Programs Made Easier!