Due Diligence and Ongoing Monitoring

  • 1.  Subservice Providers

    Posted 10 days ago

    What kinds of controls have you implemented for your identified subservice providers? Specifically, do you obtain and review your subservice providers' SOC reports? If yes, how do you determine which subservice providers to review? Also, if you are doing this, what has been your third party's response to a request for their subservice providers' SOC reports? Are they generally open to this, or only if you have explicit language in your agreements that requires them to provide their own and their subservice providers' SOC reports? Have you run into any issues with clickwrap language on the subservice providers' SOC reports that precluded you from being able to review the report?



  • 2.  RE: Subservice Providers

    Posted 5 days ago

    This is a great question! I think from a general TPRM best practice perspective, it's very important to understand how your vendors use subservices and for what. Ultimately, you need to treat the 4th parties of your critical vendors and high-risk vendors similarly to how you treat those 3rd party vendors. The first step is understanding what data they have access to and how they are used by the vendor. I do suggest a SOC review. Often vendors expect this and should be able to help you get what you need from the 4th party. In some cases, organizations do not give their SOC reports to anyone that's not a direct client; in that case, IF you feel your vendor's TPRM program is robust and aligns with yours, you can opt to utilize their assessment of the vendor and their review of the CSOCs etc. I would be interested in what others in similar roles have experienced or can offer regarding any feedback or resistance they have experienced requesting this type of review.




  • 3.  RE: Subservice Providers

    Posted 5 days ago

    We only review our third parties. We expect them to manage their third parties and review the appropriate documentation. Our questionnaire asks questions regarding how they manage their third parties, and we review their VM policy and SOC report.


    If there was ever a doubt, we might dig further and request items from our vendors on this.


    Cheryl Turner


  • 4.  RE: Subservice Providers

    Posted 5 days ago

    This question ultimately hinges on your organization's risk appetite. Organizations with larger Third-Party Risk Management (TPRM) teams may have the resources to extend due diligence to nth parties, particularly those with access to sensitive data. In contrast, smaller organizations might limit their focus to critical or Tier 1 providers, often relying on third-party tools to assist with due diligence.

    At our organization, we adopt a risk-based approach to assess our fourth parties, determining whether to trace data to the fourth or fifth party based on the risk posed by the vendor. Frequently, the SOC report will indicate which subservice parties are involved in delivering a service.

    It's essential that your third-party agreements include protections for when subservice providers are involved and outline specific due diligence requirements for nth parties.

    We often encounter challenges when a third party directs us to their own third party, who may refuse to share information. This is where your agreements become crucial. Additionally, it's important to evaluate your third parties' TPRM programs to ensure their standards and control reviews align with your organization's requirements.

    I always emphasize the importance of following the data. If your third party is critical and their subservice provider or nth party has access to sensitive information, you must ensure that this data is adequately protected. This approach helps you maintain assurance within the risk tolerance of your TPRM programs.