Due Diligence and Ongoing Monitoring

  • 1.  Off Shore Vendors

    This message was posted by a user wishing to remain anonymous
    Posted 12-29-2022 04:59 PM

    We are looking for guidance on what other financial institutions do for due diligence when a Service Provider states they use an offshore vendor for part of their services.  What questions do you ask?  Do you ask for further due diligence?  Do you allow the use of offshore vendors?

    Thank you,


  • 2.  RE: Off Shore Vendors

    Posted 12-30-2022 04:57 PM
    I'm not sure about financial institutions but I know for health care, we would need to know the following:

    1) Do offshore personnel handle any of our business/contracted services? If not, we don't really care to go further. 
    If they do, we would want to know:
    2) Do the offshore entities have any industry-known certifications that we can leverage for our own assessment?
    3) How does the offshore resource process data? A lot of companies have it set up where there are technical controls that disable print, move, copy features in addition to only having viewing access - where the data is only accessed and processed but it never "technically" leaves US soil. There are clean rooms too (no mobile devices are allowed).
    4) We ask about their policies and procedures to ensure that data is safeguarded. 
    5) We ask about their data handling/security awareness training practices. 

    We review all of that information and record it and make a decision from there on whether it is satisfactory or not.


  • 3.  RE: Off Shore Vendors

    Posted 01-03-2023 09:54 AM
    First and foremost I'd be asking what countries they outsource to.  There are some pretty obvious definite nos - China, Russia, Cuba, Iran, North Korea, Syria, plus about 15 more the Treasury Department, Commerce Department, and State Department list embargoes against. 

    I would also affirm their own 3rd party assessment processes to ensure they themselves have performed a high level of Due Diligence on any of their 3rd party vendors/providers.  Anything beyond that is where all of this is getting increasingly harder for all of us with 4th parties/Nth parties.  Unless you're directly contracted with someone and have "right to audit" or "right to review" called out specifically in your contract with them, no one at that 4th/Nth party level to you has to participate at all in any requests you may have for questions to be answered or documents to be sent to you for review (Business Continuity Plans, Disaster Recovery Plans, any info on how they maintain security procedures and data privacy commitments, whether they access secure data from unsecured locations, etc.). 

    Another issue with offshore providers is there really aren't equivalents to a SOC report or ISO/NIST certifications that would be able to give you any assurance either because those are all US-based audits. Our contracts typically state that contracting out at all is not acceptable without prior approval of that 4th party by us.  That is ultimately the best practice, however, you have to be prepared that somewhere someone is going to bypass that and you won't even know until you know.

    So in summary, best practices are to be sure your contracts include your right to audit and that they cannot outsource any of your work without prior approval, and that you have done deep due diligence on them so you have the utmost confidence they are locking things down on their end to begin with - especially looking for some sort of third-party audit for confirmation whether it's a SOC report, ISO certification, NIST certification or something similar.  In the end, if you tell them they need to find someone US-based that you approve of to outsource to, they'll do it if they want your business, even if it's just for your account.


  • 4.  RE: Off Shore Vendors

    Posted 01-04-2023 10:18 AM
    Great ideas and suggestions already from posters.  For information on offshore service providers I would pose all questions to your primary service provider rather than attempt to obtain them directly from the Nth party. If your partner has done appropriate due diligence, they should be able to answer all questions.  If they can't, that is a big red flag.

    One question I always ask is where operations are backed up.  If the primary offshore location cannot operate for any reason, where do those services go for handling?  If it's a location within that same country, I ask for the specifics of the geographic locations (address of each location is my preference, city name being the minimum expectable).  It's basic concentration risk, but in some locations it's incredibly important.  If you have a primary offshore location that is on a coast and that coast experiences severe weather, you don't want a back-up location also on the coast.

    I also always ask for clarity on NPPI or PHI: if the offshore provider does not have access, it's a much smaller risk.  If there is NPPI or PHI, I request an accounting of the exact data they will have access to.  I additionally would want to know the following:
    • Are offshore staff dedicated to providing services only to your organization, or do staff provide services to multiple organizations?
    • Are offshore services provided in a "clean room" environment?
    • Describe how physical access to the workspace is controlled.
    • Is there surveillance of the workspace where services are performed?
    • Are virtual desktops (VDI) utilized by offshore staff?
    • Does your organization control system access approval and termination?
    • Will data reside in the United States?

    The above gives a starting place and depending on the answers, gives you direction on where to dig deeper.

    Shelly

    ------------------------------
    Shelly Chase
    AVP Operational Risk
    ------------------------------