Due Diligence and Ongoing Monitoring

  • 1.  Resellers

    Posted 05-13-2020 06:08 PM
    We're currently working on developing risk assessments for our vendors. I'm curious to know how most go about assessing the resellers. We have numerous software-as-a-service vendors which are contracted through a reseller. Should we include the reseller as one of the vendors and complete a risk assessment? Should we complete a risk assessment and monitor due diligence on the vendor only?

    Thanks for your input!


  • 2.  RE: Resellers

    Posted 05-15-2020 11:11 AM
    This is a tough one, and in the various times I've encountered this issue, I think the results and outcome have all been different. The trickiest parts are figuring out if the SaaS vendors are willing to work with you directly and also how you track the resale relationship in your inventory. Understanding not everyone has a 'Venminder' and I've had to run TPRM out of spreadsheets at times, it's tough. Furthermore, sometimes you have the same reseller for multiple products, and the way you go about getting due diligence accomplished for those individual products can vary.

    Anyway, I think your question was more about whether to review the resellers themselves - first you have to know how the contracts are laid out, and who is responsible for what. Even still, I think that as long as the reseller doesn't have a significant amount of data or access to your facilities, you should be fine with conducting a minimal amount of 'standard' due diligence or vendor vetting. Ideally, you should be able to run it through a simple 'inherent' risk assessment, and it would come up low. Sometimes I've had to list the reseller and product as the same 'vendor' because I relied on the reseller to supply all the required due diligence for the services provided. Whatever you decide to do, just document as best you can, and justify your reasoning. 
    I realize this hasn't quite cleared the mucky water much, but I hope it helps. I'd be happy to discuss further if you'd like to reach out.

    What is everyone else doing?



  • 3.  RE: Resellers

    Posted 05-18-2020 09:46 AM
    Agreed, the waters can be very murky.
    When working with my internal vendor owners, I often use an example of buying sneakers. I can purchase Nike sneakers from Macy's or Foot Locker. In most cases Macy's and/or Foot Locker are just delivering the sneakers to me; they aren't coming into my closet overnight to clean the sneakers (I wish). Thus, Macy's and Foot Locker are low risk. Applying a similar thought process to the sneakers (or the software purchase): I purchased sneakers, is that the end of it? Or is Nike performing maintenance on my sneakers? Periodic upgrades, etc. If Nike will have access to my closet (my network), then it's a much deeper dive. At this point it can be difficult to get data out of Nike. Fortunately, in recent years, I have seen Nike (aka software companies) become more transparent. They know if they want their software installed in highly regulated industries (Financial Services/Healthcare/etc.) they need to be more transparent and provide documentation, allowing the end users to demonstrate control.
    Hope this helps.