Back in the day (when GLBA was still a newborn), most vendors were clueless regarding the due diligence exchange that was necessary for their regulated clients. Often there were no internal processes for handling due diligence questionnaires, and the last thing you wanted was to have risk content addressed by anyone on a sales team.
I learned that the key was to locate the right vendor resource ('thank you, LinkedIn'), which was often the CIO or head of IT back then, and have a phone conversation with my questionnaire in front of me. I always explained what I was doing and that the discussion notes would be incorporated into our formal 'vendor management' documentation. It worked in the nascent days of the discipline and can probably still be used for the small vendors.
The associated reality is that many small firms do not have the resources or the governance maturity to be effectively providing services to regulated entities. I work for a global financial institution and encounter this dilemma in niche markets where the choice of vendors is very limited (for example, a payroll vendor in a country where you only have a dozen employees). In such cases, where there is weak assurance of controls or program maturity, there should be a solid internal review process to determine if the third-party risk is within the tolerance level of the business unit itself (financially) or the organization as a whole (cyber and reputation exposures).
------------------------------
L. Beachy
------------------------------
Original Message:
Sent: 04-02-2024 04:29 PM
From: Michael Prowell
Subject: Vetting smaller vendors
I am in the process of vetting some smaller vendors and attorney firms that do not have all the required documentation. Does anyone have a process or questions they use to vet smaller vendors that they can share?