Anyone who has worked in third-party risk long enough knows that when it comes to due diligence, you only get what you ask for, and sometimes, it’s like pulling teeth just to get the basics. We all know we need to collect documents, but it can be downright confusing.
Often, we’re left with questions such as:
- When do I need a SOC report?
- What are the financials I should be looking for?
- What policies do I need?
- What do I need to do as a baseline?
Beyond the Due Diligence Baseline
Most already have a good handle on the preliminary due diligence needs, but there are a few other document requests that should be used, not only in the vendor vetting period, but throughout the ongoing oversight and monitoring stages.
Let’s take a look at additional vendor documents you’ll need:
1. Financials. In addition to the annual report, if publicly traded, you’ll want to request a 10-K. If they’re not public, you’ll need to request at least three years’ worth of audited financials along with an accountant’s statement, which can often be tricky! Make sure to stay vigilant.
Why request financials? Many organizations are still recovering from the instability incurred over the last year. In truth, many won’t recover or will continue to try to operate at a deficit, which makes it critical to check that your vendor’s financial documentation shows that they’re a healthy company with proven ability to support your needs.
2. Insurance. General liability insurance is not enough. You’ll also want to request:
- Cyber insurance
- Required insurance standards
Why request insurance documents? In many cases, this is required in order to remain compliant. In fact, the OCC 2013-29 states: “Verify that the third party has fidelity bond coverage to insure against losses attributable to dishonest acts, liability coverage for losses attributable to negligent acts and hazard insurance covering fire, loss of data and protection of documents.”
3. Service Level Agreements. Typically, when it comes to contractual standards, the norm is to simply make sure they exist. But, if you really want to cover your bases, you should also ask the vendor to provide a record of outages and SLA violations (which is usually a contractual obligation).
Why request service level records? Every contract worth its salt will have SLA inclusions. But, do they outline a set of penalty clauses specifying what would happen should the vendor fail to deliver? Mistakes happen, but an organization that takes its work seriously should keep detailed records of failures and their remediation.
4. Policies and Plans. To protect your organization from all angles, it’s imperative you have a full picture of how your vendors operate. You can get a pretty accurate feel for this by requesting and reviewing:
Why request policies and plans? In order to truly understand your vendor’s operating model, and to make sure it’s in alignment with your own, you must have a comprehensive understanding of all the policies, procedures, processes and people involved that may apply to the services they provide your organization. You may look at the list above and think, “Do I really need to request my vendor’s social media policy?” However, think about it this way: what if they don’t have policies in place and one of their employees happens to share private information about a merger or new product before it is made public knowledge? This could have massive implications.
5. Examinations and Reports. In addition to the questionnaires you send out, you should also request:
- Regulatory regional office record of audit reports
- Penetration testing results
- Business continuity testing results
- Disaster recovery testing results
- SSAE 18, SOC 1, 2 or 3 and bridge letter
It’s important to note that what you request will depend on the nature of the services your vendor provides (for example, you don’t need penetration testing results for a vendor that doesn’t host your data on their network, and you don’t really need disaster recovery testing results if your vendor doesn’t pose any business impact).
Why request examinations and reports? Especially after the many disastrous cyber vulnerabilities 2020 exposed, it’s more important than ever to determine if your vendor is secure. You’ll need as much information as possible about their risk management program, including areas of third-party risk management and responses to risky areas, such as cybersecurity.
6. Licenses or Certifications. Depending on industry, in addition to any and all required licenses (e.g., state money transmitter license), you’ll also want to make sure you ask for:
- HITRUST certification
- HIPAA certification
- PCI Attestation of Compliance (AoC)
- ISO certification
- NIST certification
Why request licenses or certifications? Some certifications, such as the NIST certification, are relatively expensive. However, with NIST in particular, you can be assured that any products you receive have been specifically tested to ensure accuracy and the highest possible levels of measurement, quality and productivity. Meanwhile, the International Organization for Standardization (ISO) is the world’s largest non-governmental developer of standards and works to maintain more reliable trade and levels of quality. While these are voluntary, holding some of these kinds of certifications helps paint a picture of the type of organization you decide to work with. The more assurances you have, the better.
Typically, risk management failures happen for one of three reasons:
- Failure to set clear expectations
- Vendors are improperly monitored
- Vendors are taken at face value
You not only need to make sure you’re asking your vendors the right questions, but you also need to make sure you’re requesting the right documentation. Remember, you won’t get what you don’t ask for; and in this ball game, it’s better to have more than you need than not enough.
Figuring out what vendor management documents you need is only the first step in the process; next, you have to collect them. Download the infographic.