We are experiencing more and more pushback from vendors in supplying answers to our due diligence questionnaire and ongoing monitoring, especially in the cybersecurity arena. Some are willing to share an information security dump, but that's it. I'm sure others are experiencing similar situations. Does anyone have any suggestions or different methods they have found successful? Where does one go when a vendor won't complete a questionnaire and refuses to release any information to a third party, such as Venminder? Thanks for your input!
That is the same with our vendors as we are requiring more stringent attestation, including cyber. One vendor wanted us to execute a Tri-Party NDA, which we declined, and we sent them an Excel version of the same questionnaire for completion with no issue. Hopefully this helps!
If they won't release information to a third party, will they release it directly to you?
No, they won't complete our request for information or our questionnaire.
These are challenges I have addressed by writing internal policies that establish specific requirements and cooperation from third parties. Once requirements are established and make their way into contract templates, third parties are bound to them and must meet those requirements or are assessed whatever penalties Legal deems appropriate. If these issues come up pre-contract for new vendors and a quality risk assessment cannot be completed, I typically raise a risk (unable to determine the risk the third party may pose to the organization due to an absence or quality of information) and have a senior business representative approve the risk if they choose to move forward with the relationship. Hope this helps.