My Biggest Client Just Sent Me a Security Questionnaire, What Do I Do?

7 Steps to Security Fulfilment

When you receive a security questionnaire from your biggest client, you’ll need to ensure that you complete it correctly or risk the client taking their business elsewhere.

With cyberattacks on the rise, and supply chain attacks reported to have increased by 430% in a single year, the probability of being sent a security questionnaire is high and growing.

Assuming you don’t want to lose the custom of your biggest client, here’s what you need to do after you receive their request.

Why Have You Received a Request for a Security Questionnaire?

There are many reasons why your client may have sent a security questionnaire to you. These include compliance with existing or new regulations, the need for due diligence, requirements of their own cybersecurity programs, and to meet the requirements of cybersecurity insurance policies.

The information that you will need to supply may vary between clients, but could cover specific areas such as:

  • IT infrastructure
  • Web applications
  • Data privacy policies and procedures
  • Your cybersecurity measures, including hardware and software protection
  • Organizational security
  • Incident response measures
  • Access control

7-Step Process for Answering a Security Questionnaire

A strategic and measured approach will ensure that you provide all the information required in a timely fashion. The following seven steps should ensure that you cover all that is needed.

Step #1: Consider Your Client’s Needs

It is essential to fully understand what your client needs from you, and why. This will help you decide who needs to be involved in the process of answering security questions. As you can see from the example areas that the questionnaire may cover (and it is by no means a comprehensive list), the questionnaire can be wide-ranging.

It is unlikely that one person will have the breadth of knowledge needed to complete the questionnaire on their own – though you should have a lead person who orchestrates the process.

Tiro Security founder Jenai Marinkovic says, “Consider whether you will be storing, transmitting, processing, or accessing any client sensitive information, and the sensitivity of that information. Sensitive information should be defined by the client.”

Step #2: Question If the Questionnaire Is Needed

Before starting the questionnaire, consider whether every part of it is necessary. A client may have sent the same questionnaire to all of their partners, vendors, and clients regardless of the service each provides, so some questions may not apply to your engagement. Study the questionnaire before filling it in, and treat every point with curiosity. ‘Why does my client need this information?’ is a question you should ask about every question asked of you.

Jenai says that it’s important to consider the relevancy of the questions. “Ask yourself ‘Are the security questions that are being asked relevant and appropriate to the scope of work I am providing?’”, she says.

Step #3: Decide the Data You Will Share

You will need to decide which of your data you will share with your client. Assess each data set for relevance to your client’s request, and ensure that by sharing it you are not breaching any of your own policies, your obligations to other clients, or regulatory requirements. You may also have commercial-confidentiality reasons for not disclosing some details.

Don’t risk your company’s and other clients’ security by sharing data that does not need to be shared. If you need to push back, then do so.

Step #4: Consider Alternatives

If you are unhappy about sharing certain information with a client, you might consider offering alternatives instead. This shows a willingness to be open while still protecting your own data, policies, procedures, and practices.

If offering alternatives, explain why, and provide evidence that shows you can protect their resources. You could do this by supplying a pre-filled standard questionnaire or an existing compliance or audit report, or by holding a meeting with your client to agree on alternatives that will be suitable for them.

Step #5: Relate Your Answers to Your Security Assessment

Has your company had a security assessment? If not, consider having one done before you answer the security questionnaire. It will give you a clearer understanding of the risks you carry and a factual basis for answering every applicable question, and you can reference the assessment wherever it is pertinent.

Step #6: Reference Security Remediation Planning

If you fall short in any area, can you reference a security remediation plan that will close the gaps in a reasonable and mutually acceptable timeframe? An effective remediation plan demonstrates that you take cybersecurity, due diligence, and your client relationships seriously.

Step #7: Be Open and Accommodating

Be transparent about your security measures and your compliance with regulations. Be open about how you plan to tackle specific issues raised, and ensure that you show you are a responsible partner. This openness will help to build the trust that is essential to profitable partnerships.

Always Be Professional

Remember, your client has sent a security questionnaire because they are required to. They don’t want to jeopardize a successful partnership; they will want to keep working with you, but they will also expect you to comply with their request for information.

“Compliance and procurement people are time starved,” says Jenai. “They have a Herculean level of work that needs to be completed to manage their company’s third-party supplier risk. They work very hard to try and streamline and standardize these questionnaire workflows. Do not fall into the trap of trying to contest each question. Forcing them to manage by exception disrupts their processes and can impact your client’s willingness to work with you.”

If there is information you feel you cannot share, never be dismissive of your client. Work with them to resolve issues and arrive at an agreeable compromise.

If you have received a security questionnaire from a client and you are unsure of how to progress with it, seek independent help and advice. Please don’t hesitate to contact us for a top-level security service delivered from an external position: all the benefits, none of the stress.
