What is Vendor Due Diligence?
Vendor due diligence: it’s a favorite topic of few people, but in today’s risky environment, it’s one of the most important ways to protect your organization. Vendor due diligence is the process by which an organization examines a current or potential vendor’s risk to its business operations. Vendor due diligence is a key component of vendor management, which is required under federal law.
However, knowing your vendors and understanding the risks they pose to your institution is far more than just a compliance requirement: it’s necessary for running a successful operation.
The third-party risk management guidelines issued by the OCC and the FFIEC are still causing ripples in the financial services community. And many organizations are still feeling the pressure. With increased reliance on third parties for these services, as well as increased scrutiny from examiners, auditors and even leadership teams and boards of directors, this pressure is greater than it’s ever been.
Your 5 Step Guide to Creating a Vendor Due Diligence Checklist
Whether vendor management is an outsourced service or still performed in house, it’s time to rethink and mature your vendor due diligence process, starting with these five tips:
1. Prioritize Vendors by Risk
Due diligence should be performed on all vendors, but not to the same degree. Far too many organizations perform the same amount of due diligence on every vendor, likely resulting in inadequate due diligence on higher-risk vendors and excessive due diligence on lower-risk vendors. That’s a lose-lose proposition of inefficiency and inadequacy.
Using a risk-based vendor due diligence approach solves this problem. It focuses your effort where it’s most beneficial, which happens to coincide with the areas emphasized by regulatory guidance. Here are the four key steps to a risk-based vendor due diligence checklist:
1. Pull the most recent list of all your vendors
2. Classify them by definitive “risk-based” categories:
- General vendors: vendors who do not have access to your network or your data. These account for the majority of vendors.
- Confidential/Sensitive Data vendors: your sensitive and/or confidential data and information is in their hands.
- Strategic vendors: you cannot do business without them.
3. Perform the appropriate level of due diligence as described below for those risk categories.
4. Repeat the due diligence at appropriate intervals (for strategic vendors, no less than annually).
2. General Vendor Due Diligence: Quick and Painless
Any time you contract with an outside vendor, investigate the following factors and ensure all corresponding documentation is stored in a safe place, like a dedicated vendor management repository:
- Business Impact Analysis: Ask yourself: what happens to your organization if something happens to this vendor, e.g., they go out of business or lose a key subcontractor?
- Business Type and Status: Determine if the vendor is a legal entity, and of what type: corporation, LLC or sole proprietorship.
- Insurance: Confirm the vendor has general liability insurance and if any specialty insurance is needed.
- Contract: Develop a written, enforceable agreement.
- Service Level Agreements: Ensure that both parties have agreed on how performance will be measured.
- Relationship Owner: Identify the employee who will own this relationship and monitor performance.
- Confidentiality Statements: These are typically needed when proprietary information will be shared with the vendor, e.g., details about an upcoming product launch shared with a graphic designer or freelance writer.
This level of due diligence is sufficient for vendors in the General category, which likely make up most of your vendor list.
3. Confidential/Sensitive Data Vendor Due Diligence: Extra Cautious
Vendors that have access to your confidential or sensitive data should be placed in the Confidential/Sensitive Data category. In addition to completing the tasks for General vendors, you must conduct enough additional due diligence on these vendors to understand whether they are able to protect your data to the level required by the Gramm-Leach-Bliley Act (GLBA), including:
- Third-party Audit: Determine if the vendor has a current, appropriate third-party audit on file and collect the corresponding SOC report. In the absence of an external audit, your organization may use an internal audit to determine if that gives you enough confidence about the vendor’s internal controls and ability to keep data secure.
- Additional Insurance: Confirm that the vendor’s general liability policy includes specific Cybersecurity and Errors and Omissions (E&O) coverage.
- Bonding: In addition to insurance, confirm that the vendor is bonded.
- Specific Contract Language: Pay more attention to GLBA vendor contracts, incorporating specific language about your right to audit and their responsibility to safeguard confidential data.
- Confidentiality Agreements: While a confidentiality statement may not be required for all general vendors, your organization should draw up confidentiality agreements with all GLBA vendors because of their access to your confidential information.
- Information Security: In addition to contract agreements about information security, obtain a copy of the vendor’s Information Security Policy.
- Business Continuity and Disaster Recovery: Review the vendor’s Business Continuity Plan, including all test results, to gain reasonable confidence that they can protect your data and continue to offer services in the event of a disaster or other business interruption, and that they have accounted for all foreseeable disasters. While many vendors will not share their entire plan because of the sensitive information it contains, a summary should be available for review.
- Employee Background Checks: Understand the vendor’s hiring protocol, including whether they complete background checks for functions that will be responsible for your data.
- Additional Questions: Additional questions may be necessary depending on the access to data or systems granted to the vendor and the work performed by the vendor. This may include questions about their information security or systems protocols, procedures for breach notification, etc.
- Vendor’s Own Due Diligence: Find out if the vendor is conducting adequate due diligence on subcontractors used to perform services.
While these additional tasks will require more time, remember that this level of vendor due diligence is only needed for a finite group.
4. Strategic Vendor Due Diligence: Ensure Your Business Viability and Continuity
These vendors are those that your institution cannot operate without. They perform a critical product, channel, operational or technological function. The strategic category usually consists of the fewest vendors, which produces an inverse relationship: the fewest vendors require the most due diligence. In addition to the Confidential/Sensitive Data and General information collected above, you should collect the following:
- Financial Soundness: Review of the company’s financial statements, conducted by someone with extensive finance and accounting experience.
- Ownership of the Company: Determine who owns the company, and whether it’s a domestic or foreign entity. In many cases, it will be important to research beneficial owners who may not be legal owners.
- Contract Protections: Use detailed language that ensures the continuity of the vendor’s critical function.
- Continuous Relationship Monitoring: Identify how (manually, systemically or both) the vendor’s performance will be monitored, and by whom.
- Capacity: Determine the vendor’s capacity. How many other entities does it serve? Are you confident in the vendor’s ability to continuously provide the function you need?
- Legal and Compliance Issues: Check whether the vendor has any pending lawsuits or compliance violations, and review its history of such issues.
- Mergers or Acquisitions: Be aware of any news regarding mergers or acquisitions with the vendor. Make sure your contract protects you in any of these events.
- Corporate Image, News and Social Media: Follow their brand in traditional and social media in order to intercept any hints of trouble for the vendor.
- Alternative Vendor on Deck: Identify another viable vendor who could take over in the event this vendor can no longer perform their critical function.
That’s a lot of work, but for most organizations, this only needs to be completed on one or two vendors, and rarely more than five.
5. Don’t Go Overboard with Vendor Due Diligence Policies
One of the most common mistakes in vendor management is making the program unmanageable. This often stems from a misunderstanding about what is expected, resulting in unrealistic expectations that are unsustainable, reducing the effectiveness of a vendor management program. Understand the “why” behind every document requested and every question asked. Rather than using cookie-cutter lists of hundreds of questions, only ask those that are relevant to your due diligence procedures.
Comprehensive Vendor Management is Achievable—and Necessary
While time-consuming, it’s in your institution’s best interest to ensure that general vendors have been appropriately vetted, that Confidential/Sensitive Data vendors can protect your sensitive data, and that Strategic vendors can perform their critical functions. Otherwise, the penalty could come in the form of both lost business and compliance violations—a double whammy no business wants to face.
Need Help With Your Vendor Management Program?
CSI’s team of industry experts specializes in vendor risk management. Contact a Fintexpert today to learn more.
Steve Sanders serves as CSI’s chief information security officer. In his role, Steve leads CSI’s information security vision, strategy and program, and chairs the company’s Information Security Committee. He also oversees vulnerability monitoring and awareness programs as well as information security training. With more than 15 years of experience focused on cybersecurity, information security and privacy, he employs his strong background in audit, information security and IT security to help board members and senior management gain a command of cyber-risk oversight.