This message was posted by a user wishing to remain anonymous
Nearly all of our NDAs or the Confidentiality sections of the agreements
require the return or destruction of confidential information upon termination, usually with appropriate carve-outs for regulatory record keeping or electronic backup. I think you would be reasonably justified in destroying most Due Diligence documents at nearly any interval you choose. TPRM guidance so far has been silent on record retention. We are comfortable with destruction after we complete an audit cycle after termination (e.g. 12-18 months after termination).
From an ongoing (not yet terminated) perspective, the current materials are the most relevant and upon completion of the current assessment, destruction of the prior supporting documentation is authorized. Actual destruction is based on the applicability of the prior assessment (improved, declined, neutral; follow-up action items, etc.).
As another responder noted, this should be detailed in your record retention program. Contract retention is generally covered by "statute of limitations" risk management.
Original Message:
Sent: 04-02-2020 06:07 PM
From: Tara Cole
Subject: Retention
This is a two-part question:
1. How long do you keep cancelled vendor information? Is it something that should be put in the basement and left forever, or is there a set amount of time that we need to keep it?
2. On current vendors, how long do you keep your due diligence paperwork, for financials and SOC reports? Do you pull everything older than so many years, or do you keep everything for the life of the vendor?
Thank you all for your input and help.