Due Diligence and Ongoing Monitoring

  • 1.  Third-Party Relationships: Mergers, Acquisitions, Rebrands

    Posted 21 days ago

    I'm interested in hearing how others account for third-party relationships that have rebranded, merged, or been acquired.

    Specifically, when a third party changes name or ownership:

    • From which entity do you obtain due diligence (legacy name vs. new parent/brand)?
    • How do you label or track the relationship in your software?
    • Do you require contract amendments?


    -------------------------------------------


  • 2.  RE: Third-Party Relationships: Mergers, Acquisitions, Rebrands

    Posted 14 days ago

    Nicole, you will need to take your lead from your vendor on which due diligence to use and when it is available for mergers, acquisitions (M/A), and rebrands. Those are determined by the time of year the event occurred and whether the products involved will continue to be the same or whether they will be merged into other products. Any due diligence that is dated before the M/A date is likely to be irrelevant. I realize this is not a complete answer, but understand that you are not alone, and all of the vendors' clients also need that same information. As far as contracts go, the M/A or rebranding should not impact the validity of your contract. It is common for contracts to stay in place under the previous name until the next renewal. If your vendor has not communicated information to you within a month after the event, reach out to them.

    -------------------------------------------



  • 3.  RE: Third-Party Relationships: Mergers, Acquisitions, Rebrands

    Posted 14 days ago

    Nicole,

    The merger, rebrand, acquisition depends on how and who owns the controls for the due diligence. Rebranding is generally a simple name change; nothing in the underlying control framework changes. Therefore, updates to your database regarding the details are generally all that is needed for audit and tracking purposes. However, I would formally confirm that with the vendor.

    Mergers and acquisitions should be considered as a change in service/change in risk profile. Things to consider (not an exhaustive list):

    • Confirm all sanctions, litigation, etc. of the new company and its ownership
    • Confirm what changes to the control framework (governing the services/products you currently receive) are anticipated and when.  
      • Confirm that no data will be migrated without approval
      • Review how your data moves during the acquisition/integration.
      • Ensure the new company inherits all regulatory responsibilities.  
    • Document the vendor's response to your inquiry in your database
    • Based on the timing provided, schedule your due diligence for the company that will own the controls governing the services.
    • Review your current contract
      • Confirm whether consent is required before the contract can be assigned
      • Determine whether a change in ownership triggers notification, renegotiation, or termination rights
      • Confirm whether SLAs remain binding
      • Confirm whether the contract requires approval of any new subprocessors