CTF Challenge #8: Can You Spot the Risky Vendor Before They Breach Your Business?
Difficulty: Intermediate | Reading time: 9 minutes | Product tie-in: Vendor Risk Assessment Kit for Australian SMBs ($97)
TL;DR
- 62% of organisations experienced a data breach caused by a third-party vendor in the past 12 months [1]
- This challenge presents five vendor scenarios — your job is to identify which ones represent unacceptable risk
- Vendor risk decisions are not binary: the question is whether controls are proportionate to the data the vendor holds
- The lil.business Vendor Risk Assessment Kit gives you a systematic framework to assess every vendor
The Setup: Rapid Growth, No Vendor Vetting Process
FastTrack Legal is a growing 22-person law firm in Melbourne. Over the past three years they have added 14 SaaS vendors to manage their operations. They have no formal vendor assessment process — tools were adopted because they solved immediate problems.
A new managing partner has asked you to assess the current vendor landscape and flag any high-risk vendors.
Five Vendors, Five Assessments
Review each vendor's profile. For each, determine: acceptable risk, manageable risk with controls, or unacceptable risk as currently configured.
Vendor 1: Clarity CRM
Clarity CRM manages FastTrack's client contact database, matter histories, and billing records. It holds personal information on approximately 4,200 clients including some financial records.
Vendor profile:
- US-based, servers in Virginia and Dublin
- SOC 2 Type II certified (2023 report — 18 months old)
- No data processing agreement (DPA) in place with FastTrack
- Privacy policy states: "We may share anonymised data with analytics partners"
- Breach notification clause: "We will notify you within a reasonable timeframe"
- No Australian data residency option
Assessment:
A) Acceptable risk — SOC 2 certification covers the security requirement
B) Unacceptable risk as configured — no DPA, offshore storage without APP 8 disclosure, expired SOC 2 report, and vague breach notification clause all represent material gaps [2]
C) Manageable with minor tweaks — update the SOC 2 certificate and it is fine
D) Acceptable risk — all reputable SaaS companies store data offshore
Vendor 2: DocuSafe Document Storage
DocuSafe provides encrypted document storage and client portal access. Clients can securely share documents with their lawyers via a web portal. It holds contracts, wills, estate planning documents, and family court records.
Vendor profile:
- Australian-owned, data hosted on AWS Sydney
- ISO 27001 certified (valid certificate — expires in 8 months)
- Data processing agreement in place and signed
- Annual third-party penetration test (summary report shared on request)
- 72-hour breach notification clause
- Pricing: $1,400/year
Assessment:
A) Unacceptable risk — ISO 27001 alone doesn't guarantee security
B) Acceptable risk as configured — Australian data residency, valid ISO 27001, signed DPA, pen test evidence, and specific breach notification clause all represent appropriate controls for the data held [2]
C) Manageable risk — but the pending ISO 27001 expiry is a gap to monitor
D) Unacceptable risk — 72 hours is too slow for breach notification
Vendor 3: TaskFlow AI
TaskFlow AI is a recently adopted AI productivity tool. Staff use it to summarise case notes, draft client correspondence, and prepare research summaries. The AI processes real client names, case details, and legal arguments.
Vendor profile:
- US-based startup, founded 2024
- No security certifications
- Privacy policy states training opt-out is available but not enabled by default
- Data retained for "model improvement" unless opted out
- No DPA
- SOC 2 audit "in progress"
- $200/month subscription
Assessment:
A) Acceptable risk — staff can use discretion about what they enter
B) Unacceptable risk as currently configured — client data being processed by an AI tool trained on that data without DPA, without confirmed opt-out from training use, with no certification, creates significant privacy, confidentiality, and potential legal professional privilege exposure [3]
C) Manageable risk — staff can be told not to enter sensitive information
D) Acceptable risk — the vendor is reputable and staff discretion is sufficient
Vendor 4: PayClear Payroll
PayClear Payroll processes FastTrack's payroll including employee names, bank accounts, tax file numbers, and salary information.
Vendor profile:
- Australian company, data in AWS Sydney
- Not ISO 27001 or SOC 2 certified
- Annual independent security review (report available on NDA)
- Signed DPA
- Privacy Act registered entity
- Breach notification: "immediate notification upon confirmed breach"
- In market for 12 years, no reported breaches
- $800/year
Assessment:
A) Unacceptable risk — payroll data is highly sensitive and requires ISO 27001
B) Manageable risk with controls — Australian data residency, signed DPA, privacy registration, and independent review provide a reasonable baseline for payroll data. Request the security review report under NDA and confirm specific controls for tax file numbers and bank account data [2]
C) Acceptable risk — 12 years in market with no breaches is the best indicator
D) Unacceptable risk — "immediate notification upon confirmed breach" is a weak clause
Vendor 5: CloudPrint Print Management
CloudPrint provides a managed print service. FastTrack's printers route all print jobs through CloudPrint's cloud platform for management and logging. This means every document printed — including client contracts, court submissions, and confidential correspondence — passes through CloudPrint's servers.
Vendor profile:
- UK-based, servers in the UK
- No security certifications listed on website
- Privacy policy: standard UK/EU GDPR compliance
- No Australian DPA
- Print jobs "temporarily stored" for up to 30 days for reprinting purposes
- Staff share one generic login
Assessment:
A) Acceptable risk — printers are low-risk office infrastructure
B) Unacceptable risk as currently configured — every printed document passes through an offshore server with a 30-day retention period, no Australian DPA, no verified security controls, and a shared login. For a law firm, this creates privilege and confidentiality exposure on every print job [2]
C) Manageable risk — printing is transient and low-value
D) Acceptable risk — GDPR compliance in the UK is equivalent to the Australian Privacy Act
The Answers
Vendor 1 (Clarity CRM): B — Unacceptable risk as configured
4,200 client records with financial data, no DPA, expired SOC 2, vague breach notification, and undisclosed analytics data sharing. This needs: a signed DPA, fresh SOC 2 review, specific breach notification clause, and confirmation that analytics sharing is opted out. Cannot continue as-is.
Vendor 2 (DocuSafe): B — Acceptable risk as configured
This is what a well-managed vendor relationship looks like. Australian data residency, valid ISO 27001, signed DPA, penetration test evidence, and specific breach notification. The approaching ISO 27001 expiry should be tracked but does not make the vendor unacceptable today.
Vendor 3 (TaskFlow AI): B — Unacceptable risk as currently configured
This is the highest risk vendor on the list. Client legal information being used to train an AI model — without consent, without a DPA, with no security certifications — is a direct confidentiality breach risk. Legal professional privilege attaches to client communications; once that data enters a third-party AI training set, privilege cannot be restored.
Vendor 4 (PayClear Payroll): B — Manageable risk with controls
The fundamentals are reasonable: Australian data, signed DPA, privacy registration, independent review. The absence of ISO 27001 or SOC 2 is a gap but not a dealbreaker for payroll if the independent review shows reasonable controls. Request the report under NDA before confirming acceptability.
Vendor 5 (CloudPrint): B — Unacceptable risk as currently configured
Managed print services are consistently underestimated as a security risk. Every document that passes through the platform — including privileged legal documents — is sitting on a UK server for 30 days. A shared login means no individual accountability. This is a critical gap for a law firm.
What a Vendor Risk Program Looks Like
A mature vendor risk program for a 22-person firm doesn't need to be enterprise-scale. It needs:
- A vendor register with risk tier for each vendor
- A baseline questionnaire (data held, certifications, data residency, breach notification)
- A DPA requirement for any vendor holding personal or sensitive data
- Annual review triggers for certifications approaching expiry
- An escalation process for new vendor onboarding
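As an added example (not the kit's template and not code from the original page), the following Python sketch encodes the five vendor profiles above as register rows and applies the decision rules this page states (DPA required for personal data, offshore storage without a DPA, SOC 2 reports older than 12 months, certifications approaching expiry, vague breach clauses, shared logins, unconfirmed AI training opt-out). The assessment date, the register field names and the exact SOC 2 report date are assumptions.

```python
from datetime import date

TODAY = date(2025, 6, 1)  # assumed assessment date (constructed for this example)

def vendor(name, residency, dpa, cert, review, notification, shared=False, ai_opt_out=None):
    # One register row; every vendor here holds high-sensitivity client or staff data
    return dict(name=name, residency=residency, dpa=dpa, cert=cert, review=review,
                notification=notification, shared_login=shared, ai_opt_out=ai_opt_out)

# Constructed register rows encoding the five profiles above (example data, not the kit's template)
REGISTER = [
    vendor("Clarity CRM", "US", dpa=False, cert=("SOC2-II", date(2023, 12, 1)), review=False, notification="vague"),
    vendor("DocuSafe", "AU", dpa=True, cert=("ISO27001", date(2026, 2, 1)), review=True, notification="specific"),
    vendor("TaskFlow AI", "US", dpa=False, cert=None, review=False, notification="none", ai_opt_out=False),
    vendor("PayClear Payroll", "AU", dpa=True, cert=None, review=True, notification="specific"),
    vendor("CloudPrint", "UK", dpa=False, cert=None, review=False, notification="none", shared=True),
]

def assess(v, today=TODAY):
    """Apply the decision rules stated on this page; returns (rating, findings)."""
    block, control, watch = [], [], []  # block -> unacceptable, control -> manageable, watch -> review trigger
    if not v["dpa"]:
        block.append("no DPA while holding personal or sensitive data")
        if v["residency"] != "AU":
            block.append(f"offshore storage ({v['residency']}) with no DPA")
    if v["ai_opt_out"] is False:
        block.append("client data retained for AI training; opt-out not confirmed")
    if v["shared_login"]:
        block.append("shared generic login: no individual accountability")
    if v["cert"] is None:  # no ISO 27001 / SOC 2 for high-tier data
        if v["review"]:
            control.append("no certification; obtain independent review report under NDA")
        else:
            block.append("no certification and no independent review")
    elif v["cert"][0] == "SOC2-II":
        age = (today - v["cert"][1]).days // 30
        if age > 12:  # page: SOC 2 reports older than 12 months give limited assurance
            control.append(f"SOC 2 Type II report is {age} months old; request a current report")
    elif v["cert"][0] == "ISO27001":
        left = (v["cert"][1] - today).days // 30
        if left <= 12:  # annual review trigger; does not change the rating on its own
            watch.append(f"ISO 27001 certificate expires in {left} months; schedule review")
    if v["notification"] != "specific":
        control.append("breach notification clause is vague or missing")
    rating = "unacceptable" if block else "manageable" if control else "acceptable"
    return rating, block + control + watch

def assess_register(register=REGISTER, today=TODAY):
    """Decision-matrix output: vendor name -> rating."""
    return {v["name"]: assess(v, today)[0] for v in register}
```

Run `assess_register()` to get the ratings; `assess(row)` returns the findings list that would go on the register next to each vendor.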
The lil.business Vendor Risk Assessment Kit for Australian SMBs gives you all of this: a vendor register template, tiered risk questionnaire, DPA checklist, and decision matrix for vendor approval.
$97 — Get the Vendor Risk Assessment Kit
FAQ
What is a data processing agreement (DPA)?
A DPA is a contract between your business (the data controller) and a vendor (the data processor) that defines how personal information will be handled, protected, and what happens in a breach. Under the Australian Privacy Act, you remain responsible for personal information even after it is shared with a vendor. A DPA is your primary contractual protection. Any vendor holding personal information about your customers or staff should have a signed DPA.
What is the difference between SOC 2 Type I and SOC 2 Type II?
SOC 2 Type I assesses whether a vendor's security controls are suitably designed at a point in time. SOC 2 Type II assesses whether those controls operated effectively over a review period (typically 6–12 months). Type II provides significantly stronger assurance. When reviewing vendor certifications, prefer Type II reports and check the report date — SOC 2 reports older than 12 months provide limited assurance.
Does every vendor need ISO 27001 or SOC 2 certification?
No — this is impractical and would exclude most SMB-appropriate tools. A risk-proportionate approach works better: ISO 27001 or SOC 2 Type II for vendors holding significant personal data, financial data, or providing critical infrastructure; independent security review for moderate-risk vendors; standard DPA and privacy policy review for low-risk vendors.
References
[1] Ponemon Institute, "Third-Party Risk Management 2025," Ponemon, 2025. [Online]. Available: https://www.ponemon.org
[2] Australian Signals Directorate, "Supply Chain Risk Management," ASD, 2024. [Online]. Available: https://www.cyber.gov.au/resources-business-and-government/maintaining-devices-and-systems/outsourcing-and-managing-cloud/cloud-security/supply-chain-risk-management
[3] Australian Bar Association, "AI in Legal Practice Guidance Notes," ABA, 2025. [Online]. Available: https://www.austbar.asn.au
[4] OAIC, "Privacy and Third Parties," OAIC, 2024. [Online]. Available: https://www.oaic.gov.au/privacy/privacy-for-organisations/privacy-and-your-business/privacy-and-third-parties
[5] ISO/IEC, "ISO/IEC 27036: Information Technology — Cybersecurity — Supplier Relationships," ISO, 2023. [Online]. Available: https://www.iso.org/standard/27036
Know your vendor risk. The lil.business Vendor Risk Assessment Kit for Australian SMBs — $97, instant download.