Open VRM

An Open Standard for Vendor Risk Management in Financial Services

Introduction

Vendor risk management has become a critical concern in financial services, as firms increasingly rely on third-party providers for technology and services. However, managing vendor cybersecurity and compliance is fraught with challenges. Financial institutions must ensure that each vendor safeguards sensitive data and meets regulatory requirements – a task that is often labor-intensive and complex. The industry lacks a unified approach, leading to duplicated efforts and inconsistent due diligence. This has created a need for a standardized, open solution that can streamline vendor assessments across the board. Open VRM (Open Vendor Risk Management) was launched to meet this need. It is an open, zero-cost vendor management standard that aims to bring vendors and their financial institution clients onto a common platform for due diligence. Open VRM equalizes the playing field and creates consistent expectations for vendor cybersecurity due diligence throughout the financial industry. By providing a community-driven framework, Open VRM seeks to reduce inefficiencies, improve risk oversight, and help all parties meet their compliance obligations more easily.
Addressing Current Industry Challenges

Industry challenges like the imbalance between large firms and smaller vendors, redundant questionnaires, and regulatory pressure create inefficiencies and compliance gaps.

Asymmetry Between Large and Small Firms

There is often an imbalance in resources and influence between large financial institutions and smaller vendors (or vice versa). Big banks and investment firms can impose strict cybersecurity questionnaires and requirements, which small fintech or IT vendors struggle to manage with limited compliance staff. Conversely, a small financial advisory firm may have little leverage to demand security information from a much larger technology provider. This asymmetry leads to inconsistent diligence – large firms may exhaust vendors with demands, while small firms might not get the attention they need. Open VRM’s standardized approach helps level this playing field by setting common due diligence standards for all, as an “open model initiative” intended to create consistency across stakeholders.

Redundancy and Diligence

Currently, clients often send their own questionnaire to vendors, resulting in vendors answering the same security questions over and over in different formats. It’s not uncommon for a single vendor to fill out hundreds of questionnaires from separate clients, consuming enormous time and effort. A 2019 study found that third-party vendors spend 15,000 hours annually completing security assessments, costing nearly $2 million per year, yet only a small fraction of those assessments lead to meaningful action. This duplication is wasteful for vendors and provides little value to clients. It also leads to stale or inconsistent information, as vendors may update one client’s questionnaire but not another’s. Overall, the lack of a shared system creates needless redundancy.

Regulatory Pressure and Compliance Burden

Financial regulators have made it clear that firms are responsible for the cybersecurity of their third-party providers. The same laws and rules that apply to a financial organization “trickle down” to its vendors. Regulators like the SEC, FINRA, state financial authorities, and other institutions require their covered entities to perform due diligence and ongoing monitoring of vendor security controls. For example, recent SEC regulations explicitly require firms to “oversee, monitor, and perform due diligence” on service providers to ensure they protect customer information and notify the firm of any breach. Similarly, the New York Department of Financial Services (NYDFS) cybersecurity regulation mandates that companies have policies to ensure third-party service providers meet cybersecurity standards. This regulatory pressure forces even small financial firms to impose rigorous cybersecurity requirements on every vendor. Many vendors, especially smaller ones, struggle to understand and comply with the array of client requests referencing SOC reports, ISO certifications, and various frameworks. Meanwhile, many financial firms admit they lack the staff or expertise to thoroughly review all their vendors as regulators expect – in one survey, 64% of financial organizations had not completed or updated vendor due diligence annually due to resource constraints. The result is a compliance gap that could lead to fines or security incidents.
Presenting the Open VRM Solution

Open VRM offers a solution by introducing a centralized, standard platform for vendor due diligence that is open, free, and industry-supported. It was created to address the above challenges with the following core principles and features:

Open and Community-Driven

Open VRM is designed as a public standard rather than a proprietary tool. It was spearheaded by Buckler (a cyber program management firm) with oversight from an independent advisory board of industry experts. This advisory board includes cybersecurity professionals, compliance experts, legal counsel, and financial services thought leaders who volunteer their guidance. By involving a broad community in governance, Open VRM ensures the standard isn’t dominated by any single vendor or financial firm’s interests. The platform is continually updated in response to regulatory changes and participant feedback, making it a living, community-driven system.

Free for Both Vendors and Clients

Unlike traditional VRM software that often charges hefty fees (sometimes to both the institution and the vendor), Open VRM is zero-cost to use. Vendors can join the platform, complete their risk profile, and share it with unlimited clients for free. Clients (financial institutions) can likewise access the directory and review vendor information at no cost. This free model removes the financial barrier to entry, encouraging widespread adoption. Open VRM is offered as a freemium service by Buckler. The goal is to make the baseline due diligence process universally accessible.

Standardized Vendor Questionnaire

At the heart of Open VRM is an industry-standard questionnaire that all vendors complete. This comprehensive questionnaire was pre-vetted by cybersecurity compliance experts to align with regulatory and best-practice requirements. It covers critical areas such as information security policies, access controls, data encryption, incident response, business continuity, privacy and more – essentially a holistic vendor security assessment. Because all vendors answer the same core set of questions, clients no longer need to send out their own customized lists. The Open VRM questionnaire serves as a common denominator that satisfies the information needs of most financial institutions. This standardization greatly reduces duplicate effort.

Evidence Documentation Upload

In addition to the questionnaire, vendors can upload supporting evidence documents – such as SOC 2 audit reports, ISO 27001 certificates, cybersecurity insurance information, policies, and any other documentation that clients typically request. All these artifacts are stored in one private repository associated with the vendor’s profile. Vendors control access to their documents and questionnaire: they can make them available to all clients, require clients to request access that the vendor reviews and approves (the default), or require clients to sign documents such as NDAs first. This centralized document storage means vendors no longer have to email large files to each client or maintain multiple portals; they update their documents in Open VRM and all authorized clients can see the latest versions. Clients benefit by having a one-stop location to retrieve up-to-date proof of a vendor’s controls.

Secure Vendor Directory

Open VRM includes a growing Vendor Directory – a database of vendor profiles that financial institutions can search and access. Over 600 vendors were pre-populated into the directory at launch with basic public information scraped from the web (company name, websites, etc.), and by 2025 the directory has grown to 1,100+ vendors listed. Vendors are invited to claim or create their profile, complete the questionnaire, and publish their information. Financial institutions (clients) can log in and look up the vendors they work with or are considering. They can then request access to each vendor’s full questionnaire responses and documents with a click. When the vendor approves the request, the client can instantly view the vendor due diligence package. This directory model saves enormous time – rather than contacting a vendor and waiting for replies, a client might find that the vendor has already populated their Open VRM profile and can grant access rapidly. It also helps firms discover new vendors; for example, a firm searching the directory by service category might identify vendors that meet their security criteria, effectively using Open VRM as both a risk management and vendor selection tool.
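The three sharing modes from the evidence-upload section and the request/approve flow from the directory section, modelled together as an added example (not Open VRM's own code; the class, method names and the per-document version counter are assumptions made here to show the default-deny behaviour):

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, Optional, Set


class SharingMode(Enum):
    OPEN = "open"                  # any registered client may view immediately
    REQUEST_APPROVAL = "request"   # vendor reviews each request (the default)
    NDA_REQUIRED = "nda"           # client must have a signed NDA on file first


@dataclass
class VendorProfile:
    """Hypothetical model of one vendor's due diligence package and its access list."""
    name: str
    mode: SharingMode = SharingMode.REQUEST_APPROVAL   # default-deny posture
    documents: Dict[str, int] = field(default_factory=dict)  # doc name -> version
    pending: Set[str] = field(default_factory=set)     # clients awaiting vendor review
    approved: Set[str] = field(default_factory=set)    # clients granted access
    nda_signed: Set[str] = field(default_factory=set)  # clients with an NDA on file

    def record_nda(self, client: str) -> None:
        """Vendor records that a client has signed the required NDA."""
        self.nda_signed.add(client)

    def request_access(self, client: str) -> str:
        """Client clicks 'request access'; the outcome depends on the vendor's mode."""
        if self.mode is SharingMode.OPEN:
            self.approved.add(client)
            return "granted"
        if self.mode is SharingMode.NDA_REQUIRED and client not in self.nda_signed:
            return "nda_required"   # not even queued until the NDA is in place
        self.pending.add(client)
        return "pending"

    def approve(self, client: str) -> bool:
        """Vendor approves a queued request; anything not queued is rejected."""
        if client not in self.pending:
            return False
        self.pending.discard(client)
        self.approved.add(client)
        return True

    def upload(self, doc: str) -> None:
        """Replace a document; every approved client sees the new version at once."""
        self.documents[doc] = self.documents.get(doc, 0) + 1

    def view(self, client: str) -> Optional[Dict[str, int]]:
        """Return the current package only to approved clients, None otherwise."""
        return dict(self.documents) if client in self.approved else None
```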

Summary

In summary, Open VRM functions as a central hub for vendor risk management. Vendors log in to complete a single due diligence profile and clients log in to review those profiles, with the platform handling the distribution and updates. This dramatically streamlines communication and ensures that everyone is working off the same current information. By adhering to core principles of openness and standardization, Open VRM tackles the inefficiencies and gaps that have long plagued vendor risk management in financial services.