We normally do a financial review on all vendors, regardless of rating. An IT Security Assessment is done on any vendor providing technology solutions. Business Continuity and Disaster Recovery Plans and Testing results are required for vendors that rate high on Operational Reliance.
We do evaluate whether a vendor is in scope for SOC 1 and/or SOC 2 review as well and request the SOC reports.
Vendor Risk Manager, CRVPM IV, CBCP