If you are like a lot of organizations, the COVID-19 pandemic forced you to review how your operations and consider migration of some previous internal “on-premises” applications to the cloud to make it easier for your workforce to function.

Many organizations did this in a rush and out of necessity. As a result, shortcuts relative to due diligence procedures over selection of vendors may have occurred.

Vendor due diligence

It is not too late to perform that due diligence. Indeed, vendor due diligence is an important component in an overall continuous Third Party Risk Management Program. In addition to the traditional evaluation of the financial solvency and reputation of the vendor, organizations should also evaluate:

1. Vendor Location – is the vendor in a troubled “hot-spot”? Is the vendor in a foreign country which U.S. laws governing customer data have an impact?
2. Data Security – if the vendor has access to your data, will it be secure and meet regulatory standards? What controls do they have in place over the security of that data?
3. Vendor’s Vendors – are there potential vendors that your vendor utilizes that will impact your data? What is their due diligence process?
   
   This is often overlooked by organizations but recently came to full view in the December 2020 SolarWinds breach. Some of your vendors may have utilized SolarWinds’ Orion product. Did YOU reach out to them to see?
4. Disaster Recovery and Business Continuity - in the event of a disaster, do your vendors have plans in place to restore operations? Do they test this plan regularly?

The above are just a few of the questions that you should pose for potential new vendors as part of the on-boarding process. Also, as we will discuss more in Part 2 of this series, due diligence is not a one-time task; it should be a continuous component of your Third Party Risk Management Process.

Need further guidance on designing and implementing a vendor due diligence process ? Contact our Information Security Services Team.