This message was posted by a user wishing to remain anonymous
Fascinating question.
At our company, the answer depends on what that software does. Generally, if the software provides a critical function OR gives the software provider access to sensitive data (defined here to be: any category that your company thinks should be protected by law or practice), then a SIG report is requested of the software provider, at the minimum. A critical function couldn't have been purchased without extensive due diligence to ensure the software would perform as advertised.
FWIW: Arrangements that give the software provider access to sensitive data increasingly require a contract throughout the financial industry.
Original Message:
Sent: 11-21-2024 10:16 AM
From: Michael Papcunik
Subject: Software purchased but no contract with the third party
There is software that we purchased to use; however, we do not have a contract with the vendor. The software is critical; however, I am struggling with whether this should be classified as a vendor, because there are no legal obligations between the software company and the bank.
Any thoughts or insights would be appreciated. Thank you.