There was another post on this back in 2021 with no feedback, so I'm hoping this can get some traction. We have a CDC that we use for SBA loan packaging. Over the past few years, it's been a struggle to get their due diligence and what we do get shows concerns with their information security/cybersecurity posture. I know they are SBA-regulated, but to my knowledge, SBA does not evaluate IT/cybersecurity controls of these companies. We have begun evaluating a new CDC and I'm finding similar issues as our existing one. If you are using CDCs, how are you managing these?
-------------------------------------------