E-Commerce alliance pushes cyber audits for vendors

The audits will cost $1,200 to 1,500, much less than a detailed audit by their own staff would cost, and less than the cost to the alliance.

The non-profit formed by major internet companies to benchmark their vendors’ cybersecurity said last week that it had already received about 500 requests for companies to be audited under its new standard.

The Vendor Security Alliance said it would be announcing arrangements for engaging third-party auditors to verify the cybersecurity questionnaires submitted by vendor companies and allocate a letter grade to them after Thanksgiving.

The questionnaire, which has been downloaded 6,000 times in the U.S., Europe and Asia, includes more than 130 questions and requires supporting documentation to be submitted.

“Companies can send the questionnaire to their vendors and ask them to fill it out,” then assess the responses themselves, said VSA President Ken Baylor, the head of compliance for founder-member Uber.


“Some companies are happy with that,” he told CyberScoop in an interview.

But alliance members can also request and pay for a third-party audit of the questionnaire responses from companies they are buying from, said Baylor. Around 500 such audits have already been pre-purchased by alliance members, he said.

The other alliance members are Airbnb, Twitter, Dropbox, Atlassian, Docker, GoDaddy, Palantir and Square.

The VSA will set up a separate entity to oversee the audits, he said: “a firewall for commercial privacy,” needed so that other members of the alliance won’t know who might be exploring a business relationship with a particular vendor.

The companies will pay $1,200-1,500 for the audit, said Baylor — much less than a detailed audit by their own staff would cost, and less than the cost to the VSA.


If a company’s audit is only bought once, “we’re going to lose out,” he said.

On the other hand, if multiple companies pay for the same vendor’s audit report during its period of validity, then the VSA will cover its costs or even make money.

“We are a non-profit, our goal is to improve the cybersecurity practices of vendors, while reducing costs for members,” Baylor said.

The VSA’s objective is to leverage a common standard into economies of scale — ending a situation where a vendor might have to demonstrate its cybersecurity bona fides separately to every potential customer — at great expense in time and money.

“Some large enterprises are replacing their own audits with” the VSA questionnaire, Baylor said. Many startups are adopting the questionnaire and benchmarking their practices against it as well, he said.


The hallmark of the VSA questionnaire is not that it sets a high bar or a low bar, Baylor said. Rather, it is “a very thorough bar.”

“The important thing is the risk,” he explained. “The big question we ask up front is ‘What data do you have?’ The controls have to be appropriate for that.” A company that processed financial transactions would have a very different security baseline than one which processed email mailings.

Written by Shaun Waterman
