This is a tough one, and in the various times I've encountered this issue, I think the results and outcome have all been different. The trickiest parts are figuring out if the SaaS vendors are willing to work with you directly and also how you track the resell relationship in your inventory. Understanding that not everyone has a 'Venminder' and I've had to run TPRM out of spreadsheets at times - it's tough. Furthermore, sometimes you have the same reseller for multiple products, and the way you go about getting due diligence accomplished for those individual products can vary.
Anyway, I think your question was more about whether to review the resellers themselves - first you have to know how the contracts are laid out, and who is responsible for what. Even still, I think that as long as the reseller doesn't have a significant amount of data or access to your facilities, you should be fine with conducting a minimal amount of 'standard' due diligence or vendor vetting. Ideally, you should be able to run it through a simple 'inherent' risk assessment, and it would come up low. Sometimes I've had to list the reseller and product as the same 'vendor' because I relied on the reseller to supply all the required due diligence for the services provided. Whatever you decide to do, just document as best you can, and justify your reasoning.
I realize this hasn't quite cleared the mucky water much, but I hope it helps. I'd be happy to discuss further if you'd like to reach out.
What is everyone else doing?
Original Message:
Sent: 05-13-2020 06:08 PM
From: Erika Rios
Subject: Resellers
We're currently working on developing risk assessments for our vendors. I'm curious to know how most go about assessing the resellers. We have numerous software-as-a-service vendors which are contracted through a reseller. Should we include the reseller as one of the vendors and complete a risk assessment? Should we complete a risk assessment and monitor due diligence on the vendor only?
Thanks for your input!