Contract Management

  • 1.  Resellers vs the /underlying Service Providers

    This message was posted by a user wishing to remain anonymous
    Posted 09-28-2022 08:15 AM

    GM ThinkTank

    I am doing some research re Resellers (vendors who sell other vendors' products, e.g., security services, archiving, transaction platforms, collaboration platforms, etc.). I would like to learn how organizations are treating their Resellers, especially the Resellers that sell high Inherent risk products (e.g., access to your network, running in the Cloud and processing Confidential/PII data).

    1. Do you beef up the contract with the Reseller to make them responsible for the service? (In my experience that is very difficult and most likely the Reseller will not accept that.)

    2. In addition to the contract with the Reseller, do you seek a direct, formal relationship with the Underlying Service Provider and put a contract in place (I think the best approach) and then perform due diligence on that Service provider?
    • If this is the approach - how do the Underlying service providers react to this?

    3. Not sure if there is another option?

    Any input and advice is welcome

    Appreciate it

    Cheers, John



  • 2.  RE: Resellers vs the /underlying Service Providers

    Posted 09-28-2022 12:25 PM
    There's another interesting angle to this scenario - You have a contractual relationship with the reseller - Reseller has a contract with the vendor.

    Your contract with the reseller may well restrict or cap their liability to you in the event of an incident. But what happens when - for example - there is a data breach with the vendor and you don't have a contractual link to them?

    In my experience a Reseller will never take responsibility for the vendors whose products they are selling to you. Trouble is - some vendors only distribute via resellers.

    ------------------------------
    Martin
    ------------------------------



  • 3.  RE: Resellers vs the /underlying Service Providers

    Posted 09-29-2022 09:07 AM
    Martin's point about the contract is key in my opinion and is what always makes these kinds of relationships more complicated.  When we contract with a reseller, we try to bake in the specific responsibilities of the reseller, for example, obtaining periodic due diligence, versus a direct contract with the service provider.  For smaller providers, we have had good luck negotiating with the reseller, increasing their responsibilities and requirements.  Those would also be the relationships where you could probably require a direct formal contract.

    The other issue which Martin also points out is that some vendors will only provide services via a reseller.  For those large vendors who only provide services via a reseller, my experience is that the customer has little to no leverage in contracting and I don't think a customer would be successful in requiring a direct contract.

    At our organization, we have both contracts only with resellers and contracts with both the reseller and underlying service provider.  For us it depends on the services purchased from the reseller and the provider of those services as well as the specific reseller being used.

    Shelly

    ------------------------------
    Shelly Chase
    AVP Operational Risk
    ------------------------------



  • 4.  RE: Resellers vs the /underlying Service Providers

    Posted 10-03-2022 08:01 AM
    GM, Martin. GM Michelle 

    thank you for your thoughts and experiences 

    definitely agree.

    wise to create contracts with the Resellers and build in some provisions re required artifacts for onboarding and periodic ongoing monitoring

    also, based on the type of service, try to get a contract with the underlying service provider.  I think, the only real way to protect your organization re day to day vendor operations (e.g., disruptions, breaches, overall SLA monitoring and enforcement, etc.)

    thank you both

    cheers