Vendor Risk Management: Your Third-Party is Your Weakest Link

One of the most overlooked sections of the FTC Safeguards Rule is 314.4(f), the requirement to oversee service providers. In the age of cloud-based everything, your security is only as good as the weakest vendor in your stack. The June 2024 CDK Global ransomware attack proved this when approximately 15,000 dealerships were crippled overnight because of a single vendor’s failure.

What the Law Actually Says

The Safeguards Rule defines a “service provider” as any person or entity that receives, maintains, processes, or otherwise is permitted access to customer information through its provision of services directly to a financial institution (16 CFR 314.2(r)). That definition is broad by design. Your DMS provider, your CRM platform, your F&I software vendor, credit bureaus, inventory management systems, even your IT support company — if they touch customer data, they are a service provider under this rule.

16 CFR 314.4(f) requires you to oversee those providers by:

1. Selection (314.4(f)(1)): Taking reasonable steps to select and retain service providers that are capable of maintaining appropriate safeguards for the customer information at issue.

2. Contractual Requirements (314.4(f)(2)): Requiring your service providers by contract to implement and maintain such safeguards.

3. Ongoing Oversight (314.4(f)(3)): Periodically assessing your service providers based on the risk they present and the continued adequacy of their safeguards.

There is no “trust but verify” here. The FTC expects “verify, then trust, then keep verifying.”

The CDK Global Lesson: Concentration Risk

In June 2024, the BlackSuit ransomware group hit CDK Global, the dominant DMS provider for North American dealerships. The impact was staggering: dealers reverted to pen-and-paper processes for weeks, new car sales dropped significantly during the outage, and CDK reportedly paid approximately $25 million in ransom. Dozens of class-action lawsuits followed from both dealerships and consumers whose PII was exposed.

This is the textbook case for vendor concentration risk. When a single provider handles your DMS, CRM, and deal processing, their catastrophe becomes yours. And under the Safeguards Rule, you cannot point at CDK and say “it was their fault.” You are still the entity responsible for your customers’ data.

The FTC Has Enforced This Before

In the Ascension Data & Analytics case (2020), the FTC held Ascension liable for a data exposure caused by its vendor because Ascension failed to vet the vendor’s security practices and did not include required security language in the contract. In the DealerBuilt case (2019), a DMS provider left a backup server exposed for 18 months, compromising data from approximately 130 dealerships. The FTC used the case to reinforce that dealers bear responsibility for selecting capable service providers.

Tiering Your Vendors by Risk

Not every vendor needs the same level of scrutiny. Build a vendor risk matrix with four tiers:

  • Critical: DMS providers, F&I platforms, credit bureau integrations. These have direct access to SSNs, financial records, and deal data. Assess annually with full evidence review.
  • High: CRM systems, email platforms, cloud storage providers handling customer data. Assess annually.
  • Medium: Marketing platforms, website providers, inventory photo services with limited data access. Assess every two years.
  • Low: Office supply vendors, janitorial services, vendors with no data access. Document the classification; no formal assessment required.

What to Demand as Evidence

Do not just ask “are you secure?” Every vendor will say yes. Demand proof:

  • SOC 2 Type II Reports: The AICPA’s SOC 2 framework evaluates vendors against five Trust Service Criteria: Security, Availability, Processing Integrity, Confidentiality, and Privacy. The Security criterion maps directly to the Safeguards Rule’s requirements for access controls, encryption, and monitoring. A Type II report covers a period of time (typically 12 months), not just a point-in-time snapshot.
  • ISO 27001 Certification: This international standard requires a vendor to maintain a documented Information Security Management System (ISMS) with regular audits. It demonstrates organizational commitment to security governance, not just technical controls.
  • Penetration Test Summaries: Proof that the vendor tests its own defenses. You do not need the full report; an executive summary showing scope, methodology, and remediation status is sufficient.
  • Data Processing Agreement (DPA): To satisfy 314.4(f)(2), your contracts must explicitly require the vendor to implement and maintain safeguards. A security addendum or DPA should cover: what data the vendor can access, how it must be encrypted (at rest and in transit), incident notification timelines, the vendor’s obligation to cooperate with your audits, data retention and destruction requirements, and subcontractor oversight obligations.

When a Vendor Will Not Provide SOC 2

Smaller vendors may not have a SOC 2 report. That does not automatically disqualify them, but you must apply equivalent monitoring. This means:

  • A completed vendor security questionnaire covering access controls, encryption, patching, incident response, and employee training
  • Evidence of recent vulnerability scanning or penetration testing
  • Review of their written information security policies
  • Contractual language that grants you the right to audit

Document your rationale for accepting alternative evidence. The FTC wants to see that you made a reasonable, risk-based decision.

Sample Vendor Security Questionnaire Topics

At minimum, your questionnaire should cover:

1. Do you maintain a written information security program?

2. Do you require multi-factor authentication for access to systems containing our data?

3. Do you encrypt customer data at rest and in transit?

4. How frequently do you conduct vulnerability scans and penetration tests?

5. What is your incident response notification timeline?

6. Do you use subcontractors who access our data? If so, how do you oversee them?

7. What is your employee security awareness training frequency?

8. Can you provide a SOC 2 Type II report, ISO 27001 certificate, or equivalent documentation?

If a vendor refuses to answer these questions, they are telling you everything you need to know. It is time to find a new vendor.

Scott Sailors, https://www.hiredhackers.com
Principal Security Consultant with over 20 years of experience in security architecture, engineering, and executive leadership. Holds CISSP, OSCP, CISM, CRISC, Master's and Bachelor's degrees in Cybersecurity with expertise bridging technical teams and senior management to communicate complex security challenges in actionable terms.
