Vendor Due Diligence Done Right
Vendor due diligence is a crucial activity many companies overlook … just ask leaders at Target.
In late 2013, Target confirmed a security breach in which attackers stole payment card data for roughly 40 million customers and personal information (names, addresses, phone numbers, email addresses) for as many as 70 million.
As a result, Target agreed to pay $18.5 million to 47 states and the District of Columbia. That's in addition to the roughly $202 million they reported spending on legal fees and other costs related to the breach.
And there’s no denying the impact it had on their sales.
So, what does all of this have to do with vendor due diligence?
According to Shirley Inscoe, fraud expert and Aite Group analyst, "This incident appears to be tied to their [point-of-sale] system."
In other words, a third-party relationship exposed Target to risk, and Target paid a hefty price. Subsequent reporting found that the attackers first got into Target's network using credentials stolen from a third-party HVAC contractor, then pushed malware out to the point-of-sale terminals.
Vendor due diligence can help avoid these scenarios. Unfortunately, 31 percent of organizations say they're "well under optimal maturity level with regard to assessing and managing critical vendors."
Below, we’ll cover everything you need to know to ensure your company doesn’t fall in that 31 percent.
What is vendor due diligence?
Vendor due diligence is the process of evaluating the security, compliance, financial, and operational risks of entering into a relationship with a potential vendor, so that your organization can avoid or mitigate those risks before it signs a contract.
In the procurement context it is also called buy-side due diligence. (On the other side of the coin, you have seller-side due diligence, in which vendors evaluate the risks of partnering with a potential client. Note that in mergers and acquisitions "vendor due diligence" means something different again: a report the seller commissions on its own business for prospective buyers. This article uses the procurement sense throughout.)
When should you perform a vendor due diligence assessment?
Your first vendor due diligence assessment should occur during the procurement process.
After issuing a request for proposal (RFP) and evaluating responses, identify a vendor shortlist — a group of four or five vendors that might make the final selection.
Then, conduct a due diligence assessment of the vendors on your shortlist before choosing which vendor you’ll ultimately partner with.
Below, we’ve created a vendor due diligence flowchart that demonstrates how to complete the process. It comes down to having your information technology, human resources, and legal teams independently assess each vendor on the shortlist.
After the assessments are complete, you will then evaluate vendors that are approved by each department and make your final selection.
According to Whistic, a website dedicated to providing the latest insights and updates on information security and third-party risk management, during this evaluation, you should also complete the following tasks:
- Track down appropriate vendor contacts or internal stakeholders.
- Communicate internally with stakeholders during the procurement process to facilitate the security review.
- Gather information on the services the vendor will be providing.
- Understand which of your company’s information or applications the vendor will have access to.
- Determine what risk level the vendor poses to your organization.
- Piece together the right questions for the vendor.
- Send a questionnaire request to the vendor.
- Follow up with the vendor to remind them to complete the questionnaire.
- Review vendor responses and documentation to evaluate risk.
- Draft action plans or determine next steps required by the vendor in order to protect your organization.
- Ensure that you have organized questionnaires and documentation in appropriate repositories for storage.
But keep in mind, vendor risk management doesn’t end after you make a purchase. It’s a key part of the supplier relationship management process that lasts throughout the entire partnership.
We recommend conducting vendor due diligence on a recurring basis, quarterly, biannually, or annually depending on the risk level you assigned the vendor, with the most critical vendors reviewed most often.
Conduct audits to determine the vendor’s performance since your last evaluation and consider any new developments that might impact risk, like:
- Mergers and acquisitions involving the vendor.
- New features and enhancements.
- New regulations.
- Changes in leadership.
- Security incidents or breaches disclosed by the vendor or by one of its own subcontractors.
Assessing vendor compliance
One of the most important aspects of vendor due diligence is assessing compliance. Many organizations need their vendors to comply, or at least support compliance, with regulations like:
- The General Data Protection Regulation (GDPR).
- The Health Insurance Portability and Accountability Act of 1996 (HIPAA).
- The Fair Labor Standards Act (FLSA).
- The Americans with Disabilities Act of 1990 (ADA).
- And much more.
And here's the scary truth: if you fail to comply with these regulations because of a vendor's mistake, your organization still faces the consequences. Regulators and courts generally hold the outsourcing organization accountable for its obligations regardless of which vendor handled the work.
Consider ADA compliance. According to the Equal Employment Opportunity Commission:
“Title I of the Americans with Disabilities Act of 1990 (the “ADA”) requires an employer to provide reasonable accommodation to qualified individuals with disabilities who are employees or applicants for employment, unless to do so would cause undue hardship.”
Employers are responsible for three categories of “reasonable accommodation.” The first covers “modifications or adjustments to a job application process that enable a qualified applicant with a disability to be considered for the position such qualified applicant desires.”
If you’re purchasing an applicant tracking system (ATS) with a job portal, understanding whether your vendor can support this accommodation is critical.
For example, you would need to know whether the job portal works with screen readers and other assistive technology (conformance to the WCAG guidelines is the usual benchmark), and how the ATS integrates with any systems your organization uses to assist hearing- or vision-impaired applicants.
Assessing vendor security
Assessing data security is another major concern to consider during the vendor due diligence process, as demonstrated by the Target data breach covered above.
Companies considering investing in financial software or services, in particular, must do their homework before making a purchase.
In an article on Reuters, Abel Clark, chief executive officer of TruSight and former Thomson Reuters executive, noted that the financial services industry has seen increased innovation in recent years. This has led to more companies partnering with third-party vendors, which opens them up to greater risk.
And like with compliance, responsibility for a vendor’s security failure will ultimately fall to the client.
To mitigate these risks, the Office of the Comptroller of the Currency (OCC), an independent bureau within the U.S. Department of the Treasury, published guidance (OCC Bulletin 2013-29, "Third-Party Relationships: Risk Management Guidance") for "national banks and federal savings associations (collectively, banks) for assessing and managing risks associated with third-party relationships."
They state that an effective vendor risk management program should include:
- Plans that outline the bank’s strategy, identify the inherent risks of the activity, and detail how the bank selects, assesses, and oversees the third party.
- Proper due diligence in selecting a third party.
- Written contracts that outline the rights and responsibilities of all parties.
- Ongoing monitoring of the third party’s activities and performance.
- Contingency plans for terminating the relationship in an effective manner.
- Clear roles and responsibilities for overseeing and managing the relationship and risk management process.
- Documentation and reporting that facilitates oversight, accountability, monitoring, and risk management.
- Independent reviews that allow bank management to determine that the bank’s process aligns with its strategy and effectively manages risks.
Of course, banks aren’t the only organizations that need to mitigate risk through vendor due diligence.
Mary Ann Davidson, chief security officer at Oracle, recommends asking software vendors the following questions as part of your risk assessment process, regardless of industry.
- Do you have a formal development process that includes security?
- Are developers trained on secure coding?
- Is compensation tied to secure coding practices?
- Are products assessed by security experts (in-house or other)?
You may also wish to consider factors such as encryption capabilities and data center tiers.
Understanding encryption capabilities
Vendors typically advertise 128-, 192-, or 256-bit encryption. Those numbers are the key sizes of the AES block cipher, and they describe only how hard the key would be to guess by brute force.
Techopedia breaks down what that means:
"256-bit encryption refers to the length of the encryption key used to encrypt a data stream or file. A hacker or cracker will require 2^256 different combinations to break a 256-bit encrypted message, which is virtually impossible to be broken by even the fastest computers.
"Typically, 256-bit encryption is used for data in transit, or data traveling over a network or Internet connection. However, it is also implemented for sensitive and important data such as financial, military or government-owned data. The U.S. government requires that all sensitive and important data be encrypted using 192- or 256-bit encryption methods."
Two caveats on that quote. First, the 2^256 figure is the cost of guessing the key by brute force, which is almost never how encryption fails in practice. Real breaches come from keys stored next to the data they protect, outdated protocols, implementation bugs, and software that silently falls back to no encryption at all. Key length is therefore a weak signal on its own; AES-128 is still a FIPS-approved key size, and the U.S. government mandate quoted above applies to national security systems, not to commercial data in general. Second, the more useful questions for a vendor are which algorithms and modes it uses (an authenticated mode such as AES-GCM for stored data, TLS 1.2 or later on the wire), whether data is encrypted at rest as well as in transit, where the keys are stored, who can access them, and how often they are rotated.
Understanding data center tiers
Most data centers are classified as Tier 1, Tier 2, Tier 3, or Tier 4 (often written Tier I to Tier IV) under the Uptime Institute's tier standard, which rates the redundancy of a facility's power and cooling infrastructure.
Here’s how Study.com explains Tier 4 data centers:
“A Tier 4 data center is the most expensive to build, run, and maintain, but it provides the highest level of protection for a company’s data. For larger companies, Tier 4 is often a requirement to keep them in business.”
A Tier 4 data center is designed to be fault tolerant, so a single equipment failure or planned maintenance should not take the site down. "No downtime" is still an overstatement: the availability targets are roughly 99.671% for Tier 1, 99.741% for Tier 2, 99.982% for Tier 3, and 99.995% for Tier 4, so even a Tier 4 facility budgets for about half an hour of downtime a year. The tier also describes the building, not the vendor's software; an application hosted in a Tier 4 facility can still go down from a bad deployment or a failed network provider, so ask for the application-level SLA and outage history as well. Study.com notes, for its part, that not all organizations need a Tier 4 data center.
“Not all organizations can afford, or need, to make the huge investment required for a Tier 4 data center. Companies that do need Tier 4 have multi-million dollar revenues, earn the majority of their revenue from e-commerce, have a business model built solely for IT, or are those for which any downtime would be fatal.”
It’s up to you to understand your organization’s needs, as well as your vendor’s capabilities.
Assessing potential user risks
Your vendor due diligence should also consider how your vendor can help protect against internal risk.
According to Harvard Business Review:
“Human error is a major factor in breaches, and trusted but unwitting insiders are to blame. From misaddressed emails to stolen devices to confidential data sent to insecure home systems, mistakes can be very costly.”
For example, many electronic health records (EHR) systems now offer mobile capabilities. This allows doctors and nurses to document patient information from their phone or tablet.
While this technology often increases adoption of the EHR and allows medical professionals to hold more engaging conversations with patients while updating records in real time, it opens organizations to risk.
If a doctor or nurse loses their phone or tablet, it could easily fall into the wrong hands. If the device is unencrypted or left logged in, an unauthorized person could then read patient records, which is a breach of protected health information under HIPAA.
With the right capabilities, however, vendors can help mitigate or even prevent this problem.
Multi-factor authentication combined with a short automatic screen lock can stop an unauthorized holder of the device from opening the records, device-level encryption keeps any cached data unreadable without the passcode, and the EHR vendor might provide a method for remotely wiping patient information from a lost device (or, better still, avoid storing records on the device at all).
When evaluating software, make sure to identify areas where users can unintentionally open your organization to risk and determine whether your vendor can help close these security gaps.
Vendor due diligence checklist
Between compliance, security, and protecting against potential user risks, completing vendor due diligence can seem a bit overwhelming.
To help simplify the process, we put together this 16-point vendor due diligence checklist you can use as a starting point to evaluate potential risk.
- Does the vendor offer flexible user permissions (role-based access so each user gets only the rights they need)?
- Can you remotely wipe information from lost or stolen mobile devices?
- Does the system support multi-factor authentication, and can you require it for every user?
- Does the vendor provide training for your staff?
- Does the vendor provide training for their own staff?
- Will you receive alerts about suspicious activity?
- Does the contract adequately detail ownership and responsibilities?
- Is data stored on multiple, redundant servers, and are backups tested by actually restoring them?
- Is the data held in an adequately tiered data center, with an application-level SLA to match?
- Is data encrypted both in transit (TLS 1.2 or later) and at rest with a current cipher such as AES, and how are the keys stored, accessed, and rotated?
- Does the vendor offer version tracking?
- Will you have access to uptime tracking and outage updates, and is there a contractual SLA?
- Is there adequate database and access auditing, and can you export the logs into your own monitoring?
- Does the vendor have a documented security strategy?
- Does the vendor have documented contingency plans?
- Does the vendor undergo independent security reviews (for example, a SOC 2 Type II audit, ISO 27001 certification, or third-party penetration tests), and will it share the reports with you?
Use DDQs to simplify the process
One of the simplest ways to engage in vendor due diligence is with a due diligence questionnaire (DDQ). But DDQs must be very thorough for responses to provide your organization with the information needed to properly assess and mitigate vendor risk.
Check out our list of 7 of the best DDQ examples to see how organizations are using DDQs to uncover hidden risks and financial pitfalls before making a purchase.