I had one vendor request payment for their SOC report (requested a much higher sum than you've mentioned!)
We did not pay. We reviewed documents the vendor did provide, forwarded an in-house developed questionnaire and, after reviewing all available materials, completed our review. Our relationship manager for that vendor was required to execute a Risk Acknowledgement, recognizing that no SOC report, or other third party verification of control design and effectiveness, was available. That acknowledgement was presented to our Enterprise Risk Committee, and through that Committee, to our Board.
FYI, within the next 2 years, that vendor began providing the SOC at no cost. It would appear they wanted to recoup their initial costs from those customers initially requesting the report. But as more of their customers requested it, they began treating it as a cost of doing business.
Good luck!
Rosalie Stremple, MS-MIS, CTPRP, CBCP
**************************************************************