In May 2025, athletic apparel giant Adidas fell victim to a vendor data breach, exposing a harsh reality of modern cybersecurity: a company’s security is only as strong as its weakest third-party link.
Fortunately, cybersecurity due diligence can help companies mitigate risks not only within their own organizations but across their supply chains.
What Is Cybersecurity Due Diligence?
The Meaning of Cyber Due Diligence
Cybersecurity due diligence involves identifying, evaluating, and addressing cyber risks across an organization’s entire digital ecosystem, including internal systems and third-party relationships.
It involves a comprehensive assessment of security controls, policies, and practices to ensure all parties handling your data maintain appropriate protection measures. The process goes beyond surface-level reviews, calling for deep investigations into how organizations manage, store, and protect sensitive information.
Why Cyber Due Diligence Is Critical Today
As any cybersecurity professional will tell you, digital threats have grown dramatically in the last few years. As just one example, third-party breaches accounted for 30% of all security incidents in 2024 and late 2023. That’s double the rate from the previous 12 months, according to Verizon’s 2025 Data Breach Investigations Report. Organizations face mounting pressure from sophisticated attackers who increasingly target supply chains and vendor relationships as entry points into larger networks.
Adding to the expanding list of threats is the rapid adoption of artificial intelligence across businesses. Along with their advantages, AI systems present unique vulnerabilities, from data leakage risks to the potential for manipulation of machine learning models. Yet, only 27% of respondents to a recent survey by McKinsey & Company check all AI-generated content before distribution, potentially letting reputation-damaging errors or leaks of sensitive data slip past review.
Due Diligence in M&A vs. Ongoing Vendor Risk Management
While cybersecurity due diligence shares common elements across contexts, its application differs significantly between mergers and acquisitions (M&A) and ongoing vendor management.
M&A due diligence represents a one-time, intensive evaluation designed to uncover deal-breaking risks or aid negotiations. This transactional approach often involves deeper access to systems and more comprehensive testing, as the acquiring company will inherit all existing vulnerabilities.
In contrast, vendor risk management requires continuous monitoring and periodic reassessment. This ongoing process starts with the premise that security postures change over time. New vulnerabilities emerge, personnel turnover affects practices, and changing regulations require updated controls. To keep up, organizations need to establish regular review cycles and maintain active oversight of their third-party ecosystems.
Key Steps in the Cyber Due Diligence Process
Identify and Prioritize Vendors and Third Parties
A critical first step in cyber due diligence is to create a comprehensive inventory of all vendors and third parties with access to your data or systems.
The list should include not just direct technology providers but also service companies, consultants, and even cleaning crews with physical access to facilities.
Tier these relationships based on factors such as data sensitivity, system access levels, and operational criticality. High-risk vendors, those handling sensitive customer data or with privileged system access, will require more rigorous evaluation and monitoring.
Evaluate Cybersecurity Frameworks (e.g., NIST and ISO 27001)
Assessing vendors against established cybersecurity frameworks gives you a standardized benchmark for security maturity.
For example, the NIST Cybersecurity Framework offers a comprehensive approach to managing cyber risks, while adherence to the ISO/IEC 27001 standard demonstrates a commitment to information security management systems.
Evaluate whether your vendors follow these frameworks and how effectively they’ve implemented the suggested controls. Doing so helps you identify gaps and provides a common language for discussing security requirements, benefiting both you and your partners.
Conduct a Vendor Cybersecurity Risk Assessment
A thorough risk assessment combines multiple methodologies to build a complete picture of vendor security. Assessment typically includes detailed questionnaires covering technical controls, security policies, and incident response procedures.
Follow-up interviews with vendor security teams can clarify responses and probe deeper into specific areas of concern. For critical vendors, technical assessments or penetration testing may be warranted to validate claimed security measures.
Review Certifications (SSAE18, SOC 2, and PCI DSS)
Third-party certifications provide independent validation of security controls.
- SOC 2 reports assess security, availability, processing integrity, confidentiality, and privacy.
- PCI DSS guides organizations handling payment card data.
- SSAE 18 (which superseded SSAE 16) establishes controls relevant to financial reporting.
Organizations should not only verify that vendors hold appropriate certifications but also review audit reports to understand any exceptions or qualifications noted by auditors.
Perform Onsite or Remote Security Audits
While documentation review provides valuable insights, direct observation through audits offers unparalleled visibility into actual security practices.
Onsite audits allow you to assess physical security, employee security awareness, and operational procedures. Remote audits, increasingly common post-pandemic, can still effectively evaluate technical controls, policy implementation, and security configurations.
Key areas to examine include access controls, data handling procedures, patch management practices, and incident response readiness.
Use Cybersecurity Due Diligence Checklists and Questionnaires
Checklists and questionnaires aid consistent, comprehensive evaluations across vendors. Effective checklists cover technical controls, administrative procedures, physical security, and compliance requirements.
Questionnaires should probe specific implementation details rather than accepting generic policy statements. All should reflect your industry’s best practices and your organization’s tolerance for risk.
Best Practices for Vendor Cyber Risk Assessment
Risk-Based Tiering and Enhanced Due Diligence
Not all vendors pose equal risk, making a tiered approach essential for efficient resource allocation. Apply enhanced due to vendors with access to sensitive data, critical systems, or those using emerging technologies like AI (practically everyone these days).
Again, the rapid deployment of AI systems introduces novel risks that traditional assessments may miss. For example, AI models can inadvertently expose training data, generate inaccurate outputs that compromise decision-making, or become targets for adversarial attacks. Evaluate how vendors implement AI, what data feeds these systems, and what controls prevent misuse or manipulation.
Red Flags to Watch For
Key warning signs should prompt immediate concern during assessments. Technical red flags include outdated software, missing security patches, weak authentication mechanisms, and inadequate encryption. Organizational indicators include high employee turnover in security roles, reluctance to provide documentation, or evasive responses to specific questions.
Particularly concerning in today’s environment is a lack of controls and policies around AI tool usage. Many organizations have adopted AI capabilities without fully understanding their extent or implementing appropriate governance. Vendors who cannot articulate their AI usage policies, data handling procedures for AI systems, or controls against AI-specific threats should get closer scrutiny.
Frequency and Monitoring: It’s Not One and Done
Effective vendor risk management requires continuous vigilance beyond initial assessments. Annual reviews should reassess critical vendors, while continuous monitoring tools can flag changes in security posture between formal reviews.
Key events, including security incidents, significant organizational changes, or the adoption of new technologies, should prompt reassessments regardless of scheduled review cycles.
How to Document Findings and Ensure Accountability
Comprehensive documentation creates accountability and enables informed decision-making.
Assessment reports should clearly identify findings, assign risk ratings, and specify the required remediation actions along with their deadlines. Also, establish clear escalation procedures for high-risk findings and track the progress of remediation. And regular reporting to senior management will help your organization ensure appropriate visibility and resource allocation for vendor risk management.
Common Tools and Templates Used
Cybersecurity Due Diligence Checklists
Effective checklists typically include sections on:
- Information security policies
- Technical controls
- Physical security measures
- Incident response procedures
- Business continuity planning
- Regulatory compliance
Questions should be specific and measurable, avoiding yes or no responses in favor of detailed explanations.
Sample Cyber Due Diligence Questionnaires
Well-designed questionnaires progress from general security governance to specific technical implementations. Questions should also require evidence or documentation to support claims.
Key areas for inquiry include:
- Data classification and handling procedures
- Access control mechanisms
- Network security architecture
- Vulnerability management processes
- Security awareness training programs, and
- Third-party risk management practices
For example, “What threats are most likely to occur?” and “Which of these threats are likely to have a significant impact on your company if they do occur??”
See more suggested questions in our risk assessment guide.
Security Ratings and Continuous Monitoring Platforms
Modern security platforms leverage automation and AI to provide ongoing visibility into vendor security postures.
These tools aggregate data from multiple sources, including breach databases and vulnerability scanners. They analyze the data to assign risk scores and flag any shifts for analysts.
When properly implemented, AI-powered security tools can identify patterns and anomalies that human analysts might miss, providing a crucial line of defense against increasingly sophisticated AI-powered attacks. The key to effective use lies in using AI as a force multiplier for security teams rather than a replacement for human judgment.
Cyber Due Diligence Services & When to Seek Help
When to Bring in an MSSP or Cybersecurity Consultant
Consider bringing in outside cybersecurity expertise, such as a managed security services provider (MSSP), to:
- Bridge gaps in your in-house team’s knowledge
- Address complex vendor ecosystems
- Meet regulatory requirements for independent validation, and
- Free up your team’s time for higher-level strategic initiatives
Benefits of Outsourcing Your Cyber Due Diligence
Professional security firms bring numerous advantages to the due diligence process, including:
- Experience across multiple industries, providing insights into best practices and common pitfalls
- Up-to-the-minute knowledge of expanding threats and regulatory requirements
- Advanced tools, including AI-driven security platforms that internal teams may lack
- Assessments potentially conducted faster as well as more thoroughly than possible for internal teams juggling competing priorities
Xantrion’s Approach to Information Security Vendor Risk Assessment
Xantrion takes a proactive, relationship-based approach to cybersecurity that extends to comprehensive vendor risk assessments.
Each client receives a dedicated, US-based virtual chief information officer (vCIO) who maintains a deep familiarity with the client’s business, technology stack, and specific security requirements. The result: assessments tailored to an organization’s unique risk profile.
It’s all about moving beyond checkbox compliance to assessment programs that evolve with threats and grow with organizations. Whether building these capabilities internally or partnering with experts like Xantrion, the goal remains the same: creating a resilient digital ecosystem where security extends across all business relationships.
Adidas was able to assure customers that no payment information was compromised in its recent breach. However, the incident did affect anyone who had contacted Adidas customer service. And showed how even seemingly peripheral vendors can become attack vectors. The incident should serve as a wake-up call to all businesses that effective cybersecurity due diligence extends beyond a company’s own offices.
Learn more about how Xantrion can help your organization conduct cybersecurity due diligence and manage vendor risk with our managed security services.
Frequently Asked Questions
What is due diligence in cybersecurity?
Cybersecurity due diligence is the process of systematically evaluating an organization’s security posture, including its policies, controls, and practices for protecting digital assets and sensitive data. In addition to helping teams identify their own vulnerabilities, cyber due diligence can help them identify risks posed by other companies before entering business relationships or completing M&A activities.
What should a vendor cybersecurity assessment include?
A comprehensive assessment of a vendor’s cybersecurity posture should evaluate such fundamentals as security policies, technical controls, compliance certifications, incident response capabilities, and data handling practices. It should also include documentation reviews and testing to verify claims made by the vendor.
What is enhanced due diligence in cybersecurity?
Enhanced due diligence involves deeper investigation of high-risk vendors or situations. This may include onsite audits, penetration testing, detailed technical assessments, background checks on key personnel, and an evaluation of the vendor’s relationships. Enhanced procedures are typically reserved for vendors with access to especially sensitive data or critical systems.
What’s the difference between cyber due diligence and IT due diligence?
While IT due diligence focuses broadly on technology infrastructure, systems, and capabilities, cyber due diligence specifically targets security controls, vulnerabilities, and risk management practices. Cyber due diligence is a specialized subset of IT evaluation, concentrating on threat protection and data security.
