
TAG Cyber Law Journal

September 2019
They should be key players in the process.
By Caroline McCaffery
I received my first security questionnaire in 2011, while I was working as the general counsel to a tech startup. Not being familiar with this document, I punted it to our VP of Engineering. After email exchanges over a few weeks, we met to review the technical questions. I am so glad I stayed involved in responding, because some of the questions had legal implications and required careful drafting. However, I did not set up a process for future questionnaires. I wish I had.
     Companies really need a process. In 2011, buyers of services (that is, companies procuring services from vendors) did not regularly send their vendors security questionnaires. When they did, vendors could reasonably respond on a case-by-case basis without incurring significant costs. Today, security questionnaires, also referred to as vendor assessments, are quite common. They are frequently used to satisfy the vendor due diligence requirements imposed by recent privacy regulations.
     These days, I run a business that helps companies fill out these documents. Many are long, complicated, confusing and burdensome. There are many pitfalls in filling them out. And even if you manage to complete one beautifully, you may find that you've taken so long that the job has already been awarded to a competitor.
     There is no one right way, and there are no guarantees. But if your company receives a security questionnaire, here are some tips to minimize the risks and maximize your chance of success.

The Response Team
It’s hard and time-consuming to respond to security questionnaires, because the information needed is stored in many different places around the organization. I recommend that you set up a response team to manage the coordination and collaboration required. The response team members should include the stakeholders who know the answers to a majority of the questions. You’ll probably need representatives from information security, information technology, HR, compliance and procurement, and maybe finance or operations, depending on your organizational structure. If you don’t have all of those departments, find the people responsible for those areas.
     I left out one area: legal. You should definitely include a lawyer on the team. The last thing you want is to go through the arduous process of filling out the questionnaire, bring it to a lawyer who has had no involvement, and then listen to a long list of questions and possible objections.
     That alone would be reason enough to involve a lawyer from the beginning, but it is not the only one. Counsel should review responses for confidentiality and liability. If your company suffers unauthorized access to its systems that results in the loss of customer data, the completed security questionnaire will likely be produced in litigation discovery, and those responses could become critical facts in determining fault.
     I suggest that in-house counsel—if you have one—would also be an excellent choice to lead the response team. An attorney is likely to carry the authority to pull in senior stakeholders to join the team by appropriately explaining the importance of the security questionnaire. And the lawyer may be negotiating other legal documents that reference information provided in the security questionnaire. For example, I have seen in-house counsel agree in a data protection agreement to provide notice within 48 hours of a data breach, whereas the security team’s response to the same question was 72 hours.
     Some in-house counsel may be concerned that they do not have enough knowledge about data privacy regulation or cybersecurity to properly oversee this process. But an in-house lawyer doesn’t have to be an expert to lead the team. There are plenty of specialty outside counsel who can help, and there are companies like mine that can manage the whole process. But in-house counsel is best suited to work with their colleagues.
     For companies that don’t have inside lawyers, it is important to hire an outside lawyer to advise the team throughout the process, and another team member could be designated to lead, such as someone on the technical side.
     Once the leader has been named and the other team members have been tapped, you’ll need to call an organizational meeting. The leader should explain the task at hand, and describe for the members their roles and responsibilities, which will include answering the questions that they are best qualified to address.

The Master Response Template
Unfortunately, security questionnaires are becoming increasingly complex. There are several standard templates for buyers to choose from, some of which contain several hundred questions. The vendor does not get to choose which form to fill out, so you can receive many questionnaires of varying length and complexity.
     The good news is that, unlike customized questionnaires, the standardized templates can guide the response team's process. Because of their depth and length, one of them can be used and expanded into a "master response template." In our experience, approximately 60-70 percent of answers change less often than every six months, which is our threshold for calling an answer "frequently changing." For example, several questions ask about the vendor's security program or policies, which are typically reviewed once a year. The benefit of creating a master template is that it saves time, up to 50 percent in our experience.
     Some questions from the standardized templates will not be applicable to your business. Others will be stale or make no sense. Still, a standard template is a great starting point for the response team to get ahead of security questionnaires, and it may enable the leader to plug in lots of answers without involving other team members, thereby lowering the "cost" of responding.
     Be careful not to let the master response template grow too large and disorganized. Many buyers use custom questionnaires, and if you add all of their questions to your master, it may become unwieldy and unhelpful. The master template should be drafted so that it is easy to use and understand.

The Process
Once the response team receives a questionnaire, the process should look something like this. The whole job can be accomplished in a day or two, and setting the system up in advance greatly speeds the response time.
1. Quick review/assessment by the team leader of the questionnaire (usually received from sales).
2. Team leader answers as many questions as possible using the master response template.
3. Leader assigns unanswered questions to other team members, calls a meeting if necessary.
4. Team members update the leader so that he/she always knows the status of all assignments.
5. After all team members have responded, the leader and lawyers conduct final review.
6. Completed questionnaire is returned to sales. 

Buyers send questionnaires to the vendor's point of contact, usually the sales team. They often arrive at the request-for-proposal stage or immediately before signature. It is important that the sales team understands that it needs to forward the document to the response team leader immediately. A recurring danger is that the form will disappear on someone's desk or in someone's inbox, leading to a fatal delay.
     The team leader should quickly review the document. Sometimes a vendor receives a security questionnaire inappropriately. Maybe you are not even processing sensitive data. We have seen buyers follow compliance instructions, such as a vendor assessment, even though there is no actual reason for it. The buyer's compliance or procurement team may not even be aware of the services you are providing. The response team needs to identify whether this is happening as quickly as possible so that the sales team can raise the issue with the buyer.
     There may be other ways to speed the process. If your company has completed a rigorous (and expensive) SOC 2 audit or ISO 27001 certification, the buyer might accept the SOC 2 report or ISO certificate in lieu of the questionnaire, or at least for the controls those audits cover. The response team should give the sales team a toolkit listing any third-party audits that can be shared. SOC 2 reports are normally shared only under a non-disclosure agreement, so the toolkit should also tell sales how they may be shared.
     Security questionnaires can range from just a few questions to 350 or more. It can be tempting to look for shortcuts to speed up the process. One that we commonly hear complaints about from buyers is that a member of the sales or marketing team crafted the responses. Don't do that. Sales and marketing are not responsible for implementing the procedures you have in place to secure customer data, so they cannot accurately attest to them. It may speed up the response time, but you will lose deals.
     When the response team receives a security questionnaire, the leader should review it and answer as many questions as possible using the master template. If answers in the template are outdated or there are questions the template does not address, the leader should draft an email to the rest of the team requesting the missing information. If only a few pieces of information are missing, collaborating by email should not be difficult. If there is more, the leader should call an in-person meeting as quickly as possible. The leader could also use a management tool that enables real-time collaboration.
     Once the security questionnaire is complete, the leader should review the responses with counsel before sending it back to the sales team. This final read-through checks for potential liability, lapses in confidentiality, and consistency with any other agreements involving the buyer that the company is reviewing, such as a data protection agreement that references the same facts.
     The response team should be prepared for follow-up questions, but these are rare. If the leader checks back with the sales team to see whether the buyer purchased the vendor's services, this is great data for proving the value of the response team.

The Bottom Line
There is no doubt that security questionnaires are painful. They are very long and overbroad, but they’re a necessary cog in your sales wheel. Many questions are asked with an obvious bias toward a certain answer, pressuring you to respond in the “right way.” Some even provide you with immediate feedback on your answer, identifying a “no” as a red flag, or highlighting a “yes” in green.
     With a potential sale on the line that may have taken months to cultivate, the salesperson wants every answer to be green. However, your response team will undoubtedly answer some questions in the red. And that’s OK. There may even be questions that you can’t answer. That’s OK, too. Just let the sales team know, so that they are prepared to explain.
     The most important thing is that you answer the questions to the best of your ability, and demonstrate that you have appropriate administrative, technical and physical controls in place. That’s all that you’re really trying to communicate, and it’s all that the buyer really needs to know.

Caroline McCaffery is the CEO and founder of ClearOPS, Inc., a data privacy and cybersecurity technology company that provides vendors with a simple-to-use system for managing security questionnaires. Prior to ClearOPS, she was outside counsel to companies like del.icio.us, BillMeLater and Fotolog; and was general counsel at Sailthru and Clarifai. She is a frequent speaker on topics such as data privacy, ethics in AI, and women in law and in business. She earned her B.A. in International Relations from the University of Pennsylvania and her J.D. from New York University School of Law. She is a member of the bar in both New York and California and is a Certified Privacy Professional (CIPP/US). She can be reached at [email protected]