What is a Vendor Due Diligence Process?
Vetting and choosing vendors are some of the most important decisions you’ll make for your business, especially when it comes to information security. They could do everything from run your call center to store your data, monitor your systems, or destroy your records. Yes, you can outsource a process or a department to vendors – but you can never outsource risk. No matter the vendor, they pose some level of risk to your organization – especially financial risk, operational risk, reputational risk, and cyber risk – because they have access to your data, network, hardware, cloud, and more. This is why you must thoroughly vet potential vendors using a vendor due diligence checklist.
Once you’ve narrowed your vendor options to those that can support your needs, it’s time to gather the information that will help you take a risk-based approach to vendor selection – this is the vendor due diligence process. This information should help you rank the risk that potential vendors would pose to your organization, which strengthens your organization and protects you from insecure or irresponsible vendors.
Streamlining the vendor due diligence process is essential to its success so that it doesn’t become arduous and intimidating. Plus, vetting your vendors isn’t a one-time process; you should continually assess whether they’re introducing more risk into your environment or meeting your security standards. In order to streamline this process, we’ve put together a vendor due diligence checklist as a guide. This checklist isn’t extensive – questions could change based on your requirements or the company, industry, size, or region. It asks potential vendors to submit general information about their company, a financial review, reputational risk information, evidence of insurance, technical documentation regarding information security, and their policies. The more you know about potential vendors, the easier it is to assess their risk. Let’s take a look!
Vetting with a Vendor Due Diligence Checklist
There are obvious, foundational documents that are absolutely necessary to obtain from potential vendors. This general information will confirm that the company is legitimate and licensed to do the work you need. This includes items like articles of incorporation, proof of location(s), any dba, aka, or fka information, and an overview of the company structure.
Assessing financials may seem irrelevant to your vendor selection process, but you do want to ensure that potential vendors are financially solvent. Would you want to partner with a company that may not be in business next year? To perform a financial review, you will need to know major assets, principal owners, loans, etc.
When you choose to work with a vendor, you’re putting part of your business in their hands. Take choosing an audit firm, for instance. Would you want to hire a firm whose managing partner for audit quality was convicted of fraud? Absolutely not – that’s why assessing reputational risk is so important, even with companies you would typically trust (like a Big Four firm or even household names). If you don’t include reputational risk in your vendor due diligence process, you may miss information that would have changed your decision, like complaints or reports from the CFPB or BBB.
Gathering insurance information from potential vendors is similar to gathering general information – it’s a must-have and foundational to your decision-making. Gather information on general liability insurance, cyber insurance, or insurance specific to services.
Information Security Technical Review
When a vendor performs a service for you that impacts your data security or privacy programs, you must do a thorough vetting of their information security program. The more they are willing to show you during the vetting process, the better. A good starting point is collecting internal or external audit reports, pen testing reports, and their history of data breaches.
Policies and procedures are the backbone of any organization. If a potential vendor cannot provide policies that cover change management, data retention, or privacy, they probably do not have the controls needed to protect your organization’s data network, hardware, or cloud.
Once your potential vendors have submitted all of their answers from the vendor due diligence checklist, you may be in one of the following situations:
- A potential vendor is not willing to answer all of your questions. Depending on the nature of your question, you may have the right to be suspicious of their processes and determine that they do not understand your standards.
- A potential vendor answers all of your questions but their evidence proves they pose significant risk to your company, and it is unreasonable to try and mitigate. Cross them off your list!
- A potential vendor doesn’t quite meet your standards, but the risk they pose isn’t significant, and they are willing to improve their information security practices in exchange for your business. Now it’s up to you to determine what you require of them to change – more frequent pen testing? A SOC 1 Type II report? The inclusion of new Trust Services Criteria in their SOC 2 audit? Better policy documentation?
- You have more questions based on a potential vendor’s initial answers. Ask them! If they want your business badly enough, they will cooperate with your due diligence process.
- One potential vendor’s security processes stand out among the rest – your choice is easy!
If you don’t currently perform vendor due diligence, consider using our vendor due diligence checklist as a guide. If you choose a vendor without vetting and assessing what types of vendor risk they present and whether the relationship will help achieve your objectives, you can put your business in jeopardy. Have more questions about vendor relationships and they can impact information security? Want to put KirkpatrickPrice through your vendor due diligence checklist? Let’s talk today!