This question ultimately hinges on your organization's risk appetite. Organizations with larger Third-Party Risk Management (TPRM) teams may have the resources to extend due diligence to nth parties, particularly those with access to sensitive data. In contrast, smaller organizations might limit their focus to critical or Tier 1 providers, often relying on third-party tools to assist with due diligence.
At our organization, we adopt a risk-based approach to assess our fourth parties, determining whether to trace data to the fourth or fifth party based on the risk posed by the vendor. Frequently, the SOC report will indicate which subservice parties are involved in delivering a service.
It's essential that your third-party agreements include protections for when subservice providers are involved and outline specific due diligence requirements for nth parties.
We often encounter challenges when a third party directs us to their own third party, who may refuse to share information. This is where your agreements become crucial. Additionally, it's important to evaluate your third parties' TPRM programs to ensure their standards and control reviews align with your organization's requirements.
I always emphasize the importance of following the data. If your third party is critical and their subservice provider or nth party has access to sensitive information, you must ensure that this data is adequately protected. This approach helps you maintain assurance within the risk tolerance of your TPRM programs.
Original Message:
Sent: 09-25-2024 01:50 PM
From: Alina Conway
Subject: Subservice Providers
What kinds of controls have you implemented for your identified subservice providers? Specifically, do you obtain and review your subservice providers' SOC reports? If yes, how do you determine which subservice providers to review? Also, if you are doing this, what has been your third party's response to a request for their subservice providers' SOC reports? Are they generally open to this, or only if you have explicit language in your agreements that require them to provide their own and their subservice providers' SOC reports? Have you run into any issues with clickwrap language on the subservice providers' SOC reports that precluded you from being able to review the report?