Due Diligence and Ongoing Monitoring

This message was posted by a user wishing to remain anonymous

I see several conversations here about 4th party/nth party due diligence, but I'm wondering how most people are handling one of your vendors coming to you to request 4th party due diligence, specifically calling out wanting to see SOC reports from your vendors that are a 4th party to them.  Are you tracking down permissions to send them SOC reports from your vendors, are you referring them to the vendor directly so they can get their own NDA established (which would be hard without them directly contracting with your vendor), are you referring them to your own SOC report that covers your vendor management program, or how are you handling these requests coming in?

We begin with responding to the customers' TPRM questionnaire, which should include details about our TPRM program. 

If they still request access to 4th party DD materials, we advise them that these are only available through Multi-party NDAs. Very few of our requesting customers have proceeded to execute all the needed Multiparty NDAs to secure the requested nth Party DD materials. 

To be candid, I'm surprised when my Third Parties tell me they have never been asked for permission to share their DD materials before. 
I hope that doesn't that mean most of our peers are disclosing Confidential Information, in potential violation of their agreement(s) with their vendors.
Original Message:
Sent: 01-25-2023 11:44 AM
From: Anonymous Member
Subject: Request for 4th Party DD from a vendor

This message was posted by a user wishing to remain anonymous

I see several conversations here about 4th party/nth party due diligence, but I'm wondering how most people are handling one of your vendors coming to you to request 4th party due diligence, specifically calling out wanting to see SOC reports from your vendors that are a 4th party to them.  Are you tracking down permissions to send them SOC reports from your vendors, are you referring them to the vendor directly so they can get their own NDA established (which would be hard without them directly contracting with your vendor), are you referring them to your own SOC report that covers your vendor management program, or how are you handling these requests coming in?

Without a multi-party NDA, we would address as you did, Greg, and provide general details about our TPRM program, including what we collect and evaluate.  In cases where 4th party suppliers have online trust center pages and security white papers, I'd feel comfortable including any public-facing materials in any questions about 4th party security or business continuity planning. Definitely interested in hearing how other folks are handling this area.

Original Message:
Sent: 01-26-2023 08:43 AM
From: Greg Schmeisser
Subject: Request for 4th Party DD from a vendor

We begin with responding to the customers' TPRM questionnaire, which should include details about our TPRM program. 

If they still request access to 4th party DD materials, we advise them that these are only available through Multi-party NDAs. Very few of our requesting customers have proceeded to execute all the needed Multiparty NDAs to secure the requested nth Party DD materials. 

To be candid, I'm surprised when my Third Parties tell me they have never been asked for permission to share their DD materials before. 
I hope that doesn't that mean most of our peers are disclosing Confidential Information, in potential violation of their agreement(s) with their vendors.
Original Message:
Sent: 01-25-2023 11:44 AM
From: Anonymous Member
Subject: Request for 4th Party DD from a vendor

This message was posted by a user wishing to remain anonymous

I see several conversations here about 4th party/nth party due diligence, but I'm wondering how most people are handling one of your vendors coming to you to request 4th party due diligence, specifically calling out wanting to see SOC reports from your vendors that are a 4th party to them.  Are you tracking down permissions to send them SOC reports from your vendors, are you referring them to the vendor directly so they can get their own NDA established (which would be hard without them directly contracting with your vendor), are you referring them to your own SOC report that covers your vendor management program, or how are you handling these requests coming in?