Consider the reputation of a company, its history with client data releases and its history with security breaches. Larger companies will have more reporting when problems occur. Smaller companies are a bit more problematic.
Their reputation can be unknown and the data about them a bit thin. You need to rely on the supporting evidence that is shared. How detailed is it, and how often do they speak about it? Do they adapt it over time and communicate responsiveness to breaches and situations? How long have they been in business, and how many clients have they serviced?
If you speak with existing or past clients, ask whether there was some difficulty because of security procedures. This can actually be a positive sign, because it means they are paying attention to security and it’s part of a more disciplined process. Do they allow you secure access to their network? That’s a bad sign. If you can gain access, then all their clients can as well, which is not a good security practice.