Due Diligence and Ongoing Monitoring

  • 1.  Online Software Subscriptions/Tools that refuse to complete questionnaires

    This message was posted by a user wishing to remain anonymous
    Posted 11-15-2023 12:58 PM

    We have been having a number of requests for smaller/less expensive software vendors, typically from our engineering team, to be added where we pay a small fee per month to access. The vendor usually refuses to complete due diligence requests unless we become enterprise clients. They do have security documentation that can be shared, but this scenario limits our overall ability to evaluate risk with these vendors beyond that documentation. 

    Are there any best practices/other alternatives to evaluating this type of vendor?  Thanks in advance for any advice!
  • 2.  RE: Online Software Subscriptions/Tools that refuse to complete questionnaires

    This message was posted by a user wishing to remain anonymous
    Posted 11-28-2023 09:49 AM

    We have the same issue.

    Does anyone have a due diligence questionnaire that works well overall that they are willing to share with me? We try to have all vendors answer these on an annual basis.
  • 3.  RE: Online Software Subscriptions/Tools that refuse to complete questionnaires

    Posted 11-28-2023 10:28 AM
    Hi,

    I'm sorry to hear about your vendor situation. Unfortunately, it's not uncommon. However, you do have a few options to consider.

    Firstly, you could accept the situation as it is, use the best information you can get, and proceed with caution. Some regulators have acknowledged the limitations that organizations may face when requesting due diligence. As long as you can justify your decision to move forward with a vendor and provide evidence of your best due diligence efforts, that should be acceptable. However, it's important to remember that your organization is always responsible for the risks involved.

    Alternatively, you could have a call with the vendor and explain that it's unlikely for you to become an "enterprise client" when they cannot act in the best interests of their customers by providing information that will validate their controls.

    My personal favorite option is to engage a professional risk intelligence firm to provide you with a report on the vendor's cyber security profile. You don't need to ask the vendor's permission to gather this data, and these reports can be extremely valuable when you need to supplement missing due diligence documentation. Risk intelligence can be leveraged for one-time reports or on a subscription basis to supplement ongoing monitoring.

    I hope this helps, but I'm always interested in hearing what other members are doing.