How to Ask Your Vendors to Verify Their Security Practices

Your vendors' security practices directly impact your own. Ensuring that your partners have robust data security controls in place is not just about peace of mind—it's a regulatory requirement for many industries, especially when dealing with sensitive information.

Here’s how to effectively ask your vendors to confirm the data security measures they have in place, so that your business—and your clients—are protected.

Step 1: Frame the Request Clearly

Your goal is to gather information on the security protocols your vendors have in place. Keep the tone professional but direct. The request should highlight the importance of securing shared data and emphasize the need for compliance with industry regulations.

Here’s a sample subject line: "Request for Information on Data Security Controls"

Start with a brief introduction explaining why you’re reaching out. Here's a simple example:

Hi [Vendor’s Name],
The security of our data is a top priority. We're reaching out to understand the security measures you have in place, including policies, procedures, and technical safeguards like multi-factor authentication, use of password managers, antivirus, and encryption.

Make it clear that this is a routine request and part of your commitment to protecting data across your ecosystem.

Step 2: Specify What You Need to Know

Don’t leave room for ambiguity—be specific about the controls you're looking for. Here’s what to include in your request:

  • Multi-factor authentication (MFA): Confirm that MFA is required (not merely available) for access to the systems and applications that handle your data.
  • Password management: Ask whether the credentials they use for your systems are unique to your company and not reused across other clients or services.
  • Secure storage of passwords: Ensure they use a secure method, such as a password manager, to store credentials rather than spreadsheets, email, or shared documents.
  • Disk encryption and antivirus: Confirm that systems handling your data use full-disk encryption and up-to-date antivirus software.

Being clear about your expectations allows the vendor to respond without confusion or back-and-forth clarification, speeding up the process. Keep in mind that a "yes" in an email is a self-attestation; for vendors that handle your more sensitive data, ask them to describe how each control is enforced (for example, whether MFA is mandated by policy or left to individual users) so you can judge the answer rather than just record it.

Step 3: Explain Why It Matters

While security may seem like a dry topic, grounding your request in real-world consequences makes it more compelling.

It’s essential for us to ensure that our data—and our clients’ and employees’ data—is protected under your management. This not only gives peace of mind to our stakeholders but also helps us meet regulatory requirements.

Your vendors need to know that their security practices affect your overall risk profile and compliance efforts. This aligns their responsibilities with your own obligations under regulations and standards like HIPAA, GDPR, or PCI DSS.

Step 4: Ask for Confirmation

The final part of your request is straightforward: ask for confirmation of the controls. Here's a concise example:

Could you provide confirmation that the following controls are in place?

  • Multi-factor authentication is used to connect to our computers and applications
  • Passwords are unique to our company and securely stored
  • Your systems utilize disk encryption and antivirus software

This lets the vendor know exactly what you’re asking for, making it easy for them to provide the right information in their response.

Step 5: Maintain Open Communication

Close your request with an offer to answer any questions the vendor may have. It’s important to keep the lines of communication open to clarify any misunderstandings and ensure they feel supported.

Thank you for your attention to this matter. If you have any questions, please let me know.

A friendly tone encourages cooperation and helps foster trust between you and your vendor.

Final Thoughts: Take Control of Your Supply Chain Security

Ensuring your vendors meet strict security standards isn’t just best practice—it’s essential. By sending clear, professional requests for security confirmations, you safeguard not only your company but also the data of your clients and employees.

Ready to tighten your vendor security?

Start today by sending a security attestation request and make sure your supply chain is as secure as your own systems.
