Vendor due diligence is a crucial activity many companies overlook … just ask leaders at Target.
In 2013, Target confirmed a security breach. Hackers gained access to customer data — including names, credit card information, and more.
As a result, Target agreed to pay $18.5 million to 47 states and the District of Columbia. That’s in addition to the $202 million they spent on legal fees and other costs related to the breach.
And, there’s no denying the impact it had on their sales.
So, what does all of this have to do with vendor due diligence?
According to Shirley Inscoe, fraud expert and AITE analyst, “This incident appears to be tied to their [point-of-sale] system.”
In other words, Target’s vendor exposed them to risk, and they paid a hefty price.
Vendor due diligence can help avoid these scenarios. Unfortunately, 31 percent of organizations fall short. They report being “well under optimal maturity level with regard to accessing and managing critical vendors.”
Below, we’ll cover everything you need to know to ensure your company doesn’t fall in that 31 percent.
What is vendor due diligence?
Vendor due diligence is the process of evaluating the risks involved in a partnership with a potential vendor. It helps organizations avoid or mitigate threats.
Vendor due diligence is also known as buy-side due diligence. On the other hand, you have seller-side due diligence. This is when vendors evaluate the risks of partnering with a potential client.
When should you perform a vendor due diligence assessment?
Your first vendor due diligence assessment should occur during the procurement process.
After issuing a request for proposal (RFP) and evaluating responses, identify a vendor shortlist. The shortlist should be a group of four or five vendors that might make the final selection. Then, conduct a due diligence assessment of these vendors.
Below, we’ve created a vendor due diligence flowchart that shows how to complete the process. It comes down to having your information technology, human resources and legal teams independently assess each vendor.
After the assessments are done, evaluate the vendors approved by each department. Then make your final selection.
According to Whistic, a website dedicated to providing the latest insights and updates on information security and third-party risk management, during this evaluation, you should also complete the following tasks:
Recommended additional tasks to complete along with the security assessment
- Track down appropriate vendor contacts or internal stakeholders
- Communicate internally with stakeholders during the procurement process to facilitate the security review
- Gather information on the services the vendor will be providing
- Understand what company information or applications the vendor will have access to
- Determine what risk level the vendor poses to your organization
- Piece together the right questions for the vendor
- Send a questionnaire request to the vendor
- Follow up with the vendor to remind them to complete the questionnaire
- Review vendor responses and documentation to evaluate risk
- Draft vendor action plan or determine next steps to protect your organization
- Ensure that you have organized questionnaires and documentation in appropriate repositories for storage
Remember, vendor risk management doesn’t end after you make a purchase. It’s a key part of the supplier relationship management process that lasts throughout the entire partnership.
To be safe, we recommend conducting vendor due diligence on a recurring basis — quarterly, biannually, or annually.
Events to prompt a security audit
Conduct audits to determine the vendor’s performance since your last evaluation. Then, consider any new developments that might impact risk, like:
- Mergers and acquisitions involving the vendor
- Updated or new features and enhancements
- New regulations
- Changes in leadership
Assessing vendor compliance
One of the most important aspects of vendor due diligence is assessing compliance. Many organizations need their vendors to comply, or at least support compliance, with regulations like:
- The General Data Protection Regulation (GDPR).
- The Health Insurance Portability and Accountability Act of 1996 (HIPAA).
- The Fair Labor Standards Act (FLSA).
- The Americans with Disabilities Act of 1990 (ADA).
- And much more.
And, here’s the scary truth: If you fail to comply with these regulations due to a vendor’s mistake, your organization will face consequences.
Consider ADA compliance. According to the Equal Employment Opportunity Commission:
“Title I of the Americans with Disabilities Act of 1990 (the “ADA”) requires an employer to provide reasonable accommodation to qualified individuals with disabilities who are employees or applicants for employment, unless to do so would cause undue hardship.”
Employers are responsible for three categories of “reasonable accommodation.” The first covers “modifications or adjustments to a job application process that enable a qualified applicant with a disability to be considered for the position such qualified applicant desires.”
If you’re purchasing an applicant tracking system (ATS) with a job portal, understanding whether your vendor can support this accommodation is critical.
For example, you would need to know how the ATS integrates with systems that assist hearing- or vision-impaired applicants.
Assessing vendor security
Assessing data security is another major concern during vendor due diligence, as the Target data breach covered above illustrates. Because of this risk, companies considering investing in financial software or services, in particular, must do their homework before making a purchase.
In an article on Reuters, Abel Clark, chief executive officer of TruSight and former Thomson Reuters executive, noted that the financial services industry has seen increased innovation in recent years. This has led to more companies partnering with third-party vendors, which opens them up to greater risk.
And like with compliance, responsibility for a vendor’s security failure will ultimately fall to the client.
To mitigate these risks, the Office of the Comptroller of the Currency (OCC), a division of the U.S. Department of the Treasury, offers guidance for “national banks and federal savings associations (collectively, banks) for assessing and managing risks associated with third-party relationships.”
They state that an effective vendor risk management program should include:
- Plans that outline the bank’s strategy, identify the inherent risks of the activity, and detail how the bank selects, assesses and oversees the third party
- Proper due diligence in selecting a third party
- Written contracts that outline the rights and responsibilities of all parties
- Ongoing monitoring of the third party’s activities and performance
- Contingency plans for terminating the relationship in an effective manner
- Clear roles and responsibilities for overseeing and managing the relationship and risk management process
- Documentation and reporting that facilitates oversight, accountability, monitoring, and risk management
- Independent reviews that confirm the bank’s process effectively manages risks
Of course, banks aren’t the only organizations that need to mitigate risk through vendor due diligence.
Recommended risk assessment questions
- Do you have a formal development process that includes security?
- Are developers trained on secure coding?
- Is compensation tied to secure coding practices?
- Are products assessed by security experts (in-house or other)?
You may also wish to consider factors such as encryption capabilities and data center tiers.
Understanding encryption capabilities
Vendors typically use 128-, 192-, or 256-bit encryption to prevent unauthorized access to data.
Techopedia breaks down what that means:
“256-bit encryption refers to the length of the encryption key used to encrypt a data stream or file. A hacker or cracker will require 2^256 different combinations to break a 256-bit encrypted message, which is virtually impossible to be broken by even the fastest computers.
“Typically, 256-bit encryption is used for data in transit, or data traveling over a network or Internet connection. However, it is also implemented for sensitive and important data such as financial, military or government-owned data. The U.S. government requires that all sensitive and important data be encrypted using 192- or 256-bit encryption methods.”
Understanding data center tiers
Most data storage centers are classified as Tier 1, Tier 2, Tier 3, or Tier 4.
Here’s how Study.com explains Tier 4 data centers:
“A Tier 4 data center is the most expensive to build, run, and maintain, but it provides the highest level of protection for a company’s data. For larger companies, Tier 4 is often a requirement to keep them in business.”
With Tier 4 data centers, your organization should experience no downtime. Study.com notes, however, that not all organizations need a Tier 4 data center.
“Not all organizations can afford, or need, to make the huge investment required for a Tier 4 data center. Companies that do need Tier 4 have multi-million dollar revenues, earn the majority of their revenue from e-commerce, have a business model built solely for IT, or are those for which any downtime would be fatal.”
It’s up to you to understand your organization’s needs, as well as your vendor’s capabilities.
Assessing potential user risks
Your vendor due diligence should also consider how your vendor can help protect against internal risk.
According to Harvard Business Review:
“Human error is a major factor in breaches, and trusted but unwitting insiders are to blame. From misaddressed emails to stolen devices to confidential data sent to insecure home systems, mistakes can be very costly.”
For example, many electronic health records (EHR) systems now offer mobile capabilities. This allows doctors and nurses to document patient information from their phone or tablet. Indeed, while this technology often increases adoption of the EHR and allows medical professionals to hold more engaging conversations with patients while updating records in real time, it opens organizations to risk.
If a doctor or nurse loses their phone or tablet, it could easily fall into the wrong hands. Consequently, an unauthorized person could then gain access to patient records, violating their rights under HIPAA.
With the right capabilities, however, vendors can help mitigate or even prevent this problem. Multi-layered user authentication can prevent unauthorized records access, for instance. In addition, the EHR vendor might even provide a way to remotely delete patient information from a device.
When evaluating software, make sure to identify areas where users can unintentionally open your organization to risk and determine whether your vendor can help close these security gaps.
Vendor due diligence checklist
Between compliance, security and protecting against potential user risks, completing vendor due diligence can certainly seem a bit overwhelming.
To help simplify the process, we put together this 16-point vendor due diligence checklist. Use it as a starting point to evaluate potential risk.
- Does the vendor offer flexible user permissions?
- Do you have the ability to wipe information off stolen mobile devices?
- Is multi-level user authentication required?
- Will the vendor provide training for your staff?
- Does the vendor provide training for their own staff?
- Will you receive alerts about suspicious activity?
- Does the contract adequately detail ownership and responsibilities?
- Is data stored in multiple, redundant servers?
- Are the data centers adequately tiered?
- Does the vendor offer 192- or 256-bit encryption?
- Do they offer version tracking?
- Will you have access to downtime tracking and updates?
- Is there adequate database auditing?
- Does the vendor have a documented security strategy?
- Are documented contingency plans in place?
- Do independent agencies conduct security reviews?
Use DDQs to simplify the process
One of the simplest ways to engage in vendor due diligence is with a due diligence questionnaire (DDQ). However, DDQs must be very thorough to properly assess and mitigate vendor risk.
Check out our list of the 7 best DDQ examples. There you can see how organizations are using DDQs to uncover hidden risks and financial pitfalls — before making a purchase.