Due Diligence and Ongoing Monitoring

  • 1.  Timing of on-going due diligence

    This message was posted by a user wishing to remain anonymous
    Posted 01-28-2021 12:37 PM

    Currently, our review cycle is as follows:
    • Critical/High - Quarterly
    • High - Every 6 months
    • Medium - 1x a year
    • Low - 1x a year

    We would like to make changes to this but not sure what is "Best Practice" or standard.  Can others please share their review timing?

    Thank you.


  • 2.  RE: Timing of on-going due diligence

    Posted 01-28-2021 12:53 PM

    We have our vendors tiered according to risk and criticality. (Tier 1 being the highest and Tier 3 being the lowest.)

    We review Tier 1 vendors every year, Tier 2 every 2 years, and Tier 3 every 3 years.



    Erica Lane, CompTIA Sec+ Certification | Information Security Analyst II
    City Bank

    Member FDIC | Equal Housing Lender


  • 3.  RE: Timing of on-going due diligence

    Posted 01-28-2021 01:12 PM
    A lot of third-party due diligence is not going to be updated by the vendor more frequently than annually: SOC reports and most other audits, evidence of insurance, etc. have 1-year cycles.  Even vendor testing is usually performed on an annual cycle (DR testing as an example).

    Similar to Erica, we review operationally critical vendors annually and moderate every 2 years.  We try to time our reviews to correspond with when the vendor is most likely to have updated due diligence.  As an example, we will look at the audit report date from the most recent SOC and time the next review for approximately 12 months from that date.

    Shelly


  • 4.  RE: Timing of on-going due diligence

    This message was posted by a user wishing to remain anonymous
    Posted 01-28-2021 03:45 PM

    Critical - Annually
    Significant - Every 2 years
    Non-essential - Every 3 years

    Auditors and examiners have confirmed that this review schedule is reasonable.


  • 5.  RE: Timing of on-going due diligence

    This message was posted by a user wishing to remain anonymous
    Posted 01-28-2021 03:46 PM

    Currently, our review cycle is as follows:
    • Critical/High - Annual assessment
    • Medium - Once every 2 years
    • Low - Once every 3 years
    *The initial due diligence review is performed prior to services and signature of contracts. Then the above schedule is enforced according to the overall residual risk.


  • 6.  RE: Timing of on-going due diligence

    Posted 01-29-2021 08:57 AM

    I'll chime in that I agree that quarterly reviews are overkill, unless they have earned a red flag because of a qualified SOC report, or financials that are failing, or some sort of OFAC violation perhaps?

    For the usual course of events, you really aren't getting much new data after a quarter, unless it's a publicly traded company whose finances are getting troubled.

    SOCs and/or an SSAE 18 review don't get new information faster than annually, so it feels like a lot of effort for no new information.

    We use the relatively standard:
    • High – annual
    • Moderate – 2-year review
    • Low – 3-year review

    Prior role, we had an extra layer:
    • Critical High – annual
    • High – 18 months
    • Moderate – 2 yrs
    • Low – 3 yrs

    And I would make the case that at the very bottom, needing little to no review, are things like association memberships, utilities, mandated relationships [think FDIC].

    But that's in a different thread.  Not trying to open new cans with new worms.

    Thanks,
    Dave

    David Howe
    Chief Information Officer






  • 7.  RE: Timing of on-going due diligence

    Posted 01-29-2021 09:09 AM

    Good Morning,

    Do you have a compliance risk checklist for loan vendors?

    Thank you







  • 8.  RE: Timing of on-going due diligence

    Posted 01-29-2021 10:12 AM

    We have a compliance checklist for pretty much everyone, to establish a baseline, from a GLBA perspective.

    Thanks,
    Dave

    David Howe
    Chief Information Officer






  • 9.  RE: Timing of on-going due diligence

    Posted 03-06-2021 04:25 AM
    A good model in my view:

    Critical and High risk vendors: once in 12 months
    Medium risk vendors: once in 18 months
    Low risk vendors: once in 2 years. One may also do a high-level check to exclude a certain category of vendors, provided they have certain non-negotiable controls in place, as certified by the vendor relationship manager.

    Timelines may also need tweaking based on the industry; for example, BFSI vendors may need to have more stringent timelines, perhaps.