I always look for specifics in the vendor agreement on their responsibilities if they encountered a security breach (if they maintain confidential information). And, if they provide a critical service, some time of assurance in the same agreement that they have disaster recovery or redundancy services for the relationship.