Resellers aren't really in a very different boat than the vendors who use someone else to host their data.
If you're in a financial institution and there is NPI, then the SSAE 18 guidelines kick in, which means you should try to get a doc of some sort so you can review the data protections of the 4th party.
There are lots of companies out there that will not share the SOC of one of their vendors. There are others, like AWS, that are readily available. In most cases, auditors can't really comment if the request is made and the answer is "no". They may ask why you keep doing business with them, but they can't force the issue too far, from what I've seen.
I can't recommend contacting the 4th party directly. They have no reason to give you anything, you have no contract directly with them - it seems like the old "trying to teach a bear to dance" where all you do is waste time and annoy the bear.
If this technology is of a retail variety, then I think you might be spinning your wheels a little. Ordering a PC through a reseller, where that PC will have NPI, isn't appropriate. If it's a data variety, where the vendor is using someone else as SaaS, IaaS, PaaS, etc., then I'd recommend asking for a SOC for that vendor. Sometimes the answer will be yes, sometimes no.
In some cases, I find that the SOC of the vendor is thin in some areas, like physical or environmental security, because they lean on one of their own vendors to take care of those things.
As for the more thorough investigation of their vendor management program - if you can get it, sure. The thing is, if it's mentioned in the 3rd party's SOC report [and it should be], then you have a document from an auditing source that confirms that the program exists. I'd say stop there before you fall too far down the rabbit hole.
------------------------------
Dave Howe
CIO
Franklin First Federal Credit Union
------------------------------
Original Message:
Sent: 06-06-2022 02:44 PM
From: Stephanie Bowersox
Subject: Technology Resellers
Looking for thoughts on how to handle resellers, specifically for technology. We've got a handle on the reseller vendor, but looking into how to proceed with the 4th party (item being purchased).
-Are you relying on your contract verbiage to make the 3rd party fully responsible for the 4th party?
-Are you asking the 3rd party to provide due diligence documents on the 4th party?
-Are you reaching out to the 4th party and conducting due diligence on them like you would if they were your 3rd party?
-Are you conducting a more in-depth review of the 3rd party's vendor management program?
I know much of this will be case by case, depending on if NPI is involved and the criticality of the technology being purchased, but if you are collecting documents from the 4th party, are you getting as much as they will offer or simply obtaining a SOC where available?
Thank you!