The Smallest Vendor May Hold the Largest Secret

Spend is a poor proxy for sensitivity. A tiny specialist may hold identity documents, location patterns or recovery access for an entire private institution.

The answer

Vendor risk programmes rank suppliers by spend and service criticality. That can place the most revealing provider at the bottom of the list. A boutique travel agent sees movement.

Vendor risk programmes rank suppliers by spend and service criticality. That can place the most revealing provider at the bottom of the list.

A boutique travel agent sees movement. A concierge holds passport copies. A small technology firm controls recovery. A household vendor knows access patterns. Their invoices are modest. Their information advantage is not.

Measure consequence, not procurement size

Assess what the provider can see, infer and cause. A low-spend firm may connect family, property, identity and schedule in one place.

Also measure substitution time. The small vendor may rely on one trusted individual with no documented handover.

Value object — The Disproportionate Vendor Screen

- Information domains visible.

- Authority or recovery role.

- Principal and family proximity.

- Subprocessors and personal devices used.

- Time and evidence required to replace.

- Contract, architecture and monitoring response.

Reduce the secret

Give the provider only the context required for the task. Use reference numbers, limited identity packages and temporary access. Keep authoritative records and recovery outside the vendor’s exclusive control.

Prepare the exit

Require return, deletion, transition assistance and incident contact. Test whether the institution can move the service without the vendor assembling the replacement.

The smallest supplier can hold the institution’s largest pattern. Rank vendors by what their compromise would reveal, not what their contract costs.

Where this breaks

Low-spend vendors often avoid mature review while receiving the richest raw context. Their small teams, personal devices and informal support routes can create a concentrated exposure nobody priced.

The operating move

Tier providers by information and authority, then give the smallest supplier the same serious questions as a major platform when consequence demands it.

Map data and inference, not invoices.

Identify personal-device use.

Keep recovery outside the vendor.

Test export and replacement.

The test

Assume the vendor disappears tonight. If the institution cannot recover its records and authority by morning, procurement size was the wrong risk measure.

Sources

  1. Swiss FDPIC: Data securitySwiss FDPIC: Data security

    Primary authority

  2. Swiss NCSC: Social engineeringSwiss NCSC: Social engineering

    Primary authority

  3. NIST: Cybersecurity Framework 2.0NIST: Cybersecurity Framework 2.0

    Primary authority

Ross BelhommePartner, Svperior / Legal

Jonathan P. De Collibus

Jonathan co-founded Svperior in 2014 and leads its cyber practice. His work sits where adversarial pressure, technical architecture, and consequential decisions meet, with experience across clinical, financial, public-sector, and private-client systems where confidentiality, continuity, and technical correctness carry material consequences.

Cyber strategy / Adversarial assessment / Security architecture / Private systems

Need to apply this to a specific situation?

Send us the initial context. If the matter fits, we will respond directly.

Send private inquiry