Due Diligence and Ongoing Monitoring

  • 1.  Ongoing Monitoring

    This message was posted by a user wishing to remain anonymous
    Posted 05-18-2023 04:23 PM

    We are experiencing more and more pushback from vendors in supplying answers to our due diligence questionnaire and ongoing monitoring, especially in the cybersecurity arena. Some are willing to share an information security dump but that's it. I'm sure others are experiencing similar situations. Does anyone have any suggestions or different methods they have found successful? Where does one go when a vendor won't complete a questionnaire and refuses to release any information to a third party, such as Venminder? Thanks for your input!



  • 2.  RE: Ongoing Monitoring

    This message was posted by a user wishing to remain anonymous
    Posted 05-18-2023 04:39 PM

    That is the same with our vendors as we are requiring more stringent attestation, including cyber. One vendor wanted us to execute a Tri-Party NDA, which we declined, and we sent them an Excel version of the same questionnaire for completion with no issue. Hopefully this helps!




  • 3.  RE: Ongoing Monitoring

    This message was posted by a user wishing to remain anonymous
    Posted 05-18-2023 04:39 PM

    If they won't release information to a third party, will they release it directly to you?




  • 4.  RE: Ongoing Monitoring

    This message was posted by a user wishing to remain anonymous
    Posted 05-22-2023 03:36 PM

    No, they won't complete our request for information or our questionnaire.




  • 5.  RE: Ongoing Monitoring

    Posted 05-22-2023 01:43 PM

    These are challenges I have addressed by writing internal policies that establish specific requirements and cooperation from third parties. Once requirements are established and make their way into contract templates, third parties are bound to them and must meet those requirements or are assessed whatever penalties Legal deems appropriate. If these issues come up pre-contract for new vendors and a quality risk assessment cannot be completed, I typically raise a risk (unable to determine the risk the third party may pose to the organization due to an absence or quality of information) and have a senior business representative approve the risk if they choose to move forward with the relationship. Hope this helps.