If I interpreted your question correctly, I would recommend that your company perform Due Diligence on the Resellers you have contracts with depending on how integral the Resellers are to your organization.
It is an important exercise for identifying risks that are presented to your organization. Resellers are a revenue generating function, which can carry high risk not traditionally critical by definition.
Beyond this, there is a customer impact at stake, which should be vetted in order to ensure security and availability of services.
However, I am not certain that the Resellers you are describing in the question are Critical to your organization. I recommend that you evaluate Criticality based on these 3 criteria as a best practice listed below:
- Would the sudden loss of this third party vendor cause a significant disruption to our business?
- Would the sudden loss impact our customers?
- If the vendor service is disrupted, would there be a negative impact on our operations if time to restore service required more than 24 hours?
Let me know if this helps and I would be interested in how others approach this situation!
Original Message:
Sent: 04-21-2023 12:44 PM
From: Anonymous Member
Subject: Reseller Agreements, Where YOU Are the Reseller
This message was posted by a user wishing to remain anonymous
We have several instances where we have a Reseller Agreement in place with a company whose products we offer to clients as part of our service package. Traditionally, we have NOT treated the company with whom we have the reseller agreement as a Critical vendor because we do not hold the contract for the service, but rather our clients who are using the product or service hold that direct agreement. We have felt it is the clients' responsibility to do their own due diligence on the company whose product or service they are using (and maybe even us as a reseller to them). Recently we've had a change in a few management roles and the newer managers are wanting us to elevate the criticality of the companies we have the reseller agreements with and treat them as Critical vendors. Are any of involved with similar relationships, and how do you have those vendors set up?