Cybersecurity Risks Ramp Up Amid Geopolitical Tensions and Regulatory Changes
As organizations grapple with the challenges posed by geopolitical tensions, uncertain supply chains, and rapidly evolving regulatory landscapes, the urgency for robust risk management programs has surged. Companies are increasingly focusing on mitigating risks associated with their business relationships as they face a multitude of security threats while needing to remain compliant with an expanding web of regulations.
Among the critical tools in the arsenal of risk managers is the Standardized Information Gathering (SIG) Questionnaire. This widely adopted assessment allows organizations to evaluate the security, privacy, and compliance risks associated with their third-party service providers and vendors. Developed by Shared Assessments, the SIG questionnaire standardizes the process of gathering essential information about vendors' security measures, enabling companies to avoid the inefficiency of crafting bespoke questionnaires for every assessment.
While many professionals have become proficient in utilizing the SIG Questionnaire, this year has ushered in notable updates that all organizations must be aware of. The revisions found in the 2025 SIG reflect an increasing emphasis on stricter regulatory compliance and enhanced governance regarding third-party risk management. Organizations that proactively adapt to these changes will position themselves to be more resilient and secure in an increasingly complex vendor landscape.
The importance of the SIG in third-party risk management cannot be overstated. Customizing risk profiles for each service provider would demand an impractical amount of time and resources. The SIG Questionnaire addresses this by offering a consistent framework for evaluating vendors, streamlining the assessment process and making risk evaluations more comprehensive and comparable. Organizations benefit from reduced workloads, both for themselves and vendors, who can complete the questionnaire once and distribute it among multiple clients.
Before onboarding new vendors, companies typically deploy the SIG Questionnaire to assess their security postures. The risk management teams then analyze the responses to identify potential gaps in security and determine whether additional controls or audits are warranted before engagement. While this process has proven effective, a set of updates has recently been introduced that third-party risk management programs need to incorporate to remain effective.
The latest update to the SIG for 2025 includes several enhancements, such as new questions and expanded content mappings, all designed to align with the current regulatory landscape. Though no new risk domains have been added, significant improvements have been made, including additional questions focused on response requirements, contingency planning, and evolving threats.
Notably, the 2025 SIG includes direct mappings to 31 reference documents, which simplifies regulatory compliance. It also aligns with three key regulatory frameworks: the E.U. Digital Operational Resilience Act (DORA), the E.U. Network and Information Security Directive 2 (NIS2), and the NIST Cybersecurity Framework 2.0. As organizations face increasing scrutiny around their cybersecurity posture, aligning with these frameworks is crucial.
To prepare for these enhancements, risk teams should familiarize themselves with the new functionalities of the SIG and explore its upgraded features. Updating assessment templates to include the latest regulatory mappings is essential for maintaining compliance, and participating in training sessions offered by Shared Assessments can keep organizations abreast of best practices.
As businesses navigate these complex dynamics, the evolution of the SIG serves as a critical response to shifting geopolitical landscapes and regulatory demands. Enhanced vendor risk management that addresses multiple risk domains is imperative to meet the growing challenges in cybersecurity. With the updated SIG Questionnaire, organizations can better manage their third-party risks amidst this increasingly intricate environment, ensuring they are equipped to deal with the unique risks each vendor presents.