We begin with responding to the customers' TPRM questionnaire, which should include details about our TPRM program.
If they still request access to 4th party DD materials, we advise them that these are only available through Multi-party NDAs. Very few of our requesting customers have proceeded to execute all the needed Multi-party NDAs to secure the requested nth Party DD materials.
To be candid, I'm surprised when my Third Parties tell me they have never been asked for permission to share their DD materials before.
I hope that doesn't mean most of our peers are disclosing Confidential Information, in potential violation of their agreement(s) with their vendors.
Original Message:
Sent: 01-25-2023 11:44 AM
From: Anonymous Member
Subject: Request for 4th Party DD from a vendor
This message was posted by a user wishing to remain anonymous
I see several conversations here about 4th party/nth party due diligence, but I'm wondering how most people are handling one of your vendors coming to you to request 4th party due diligence, specifically calling out wanting to see SOC reports from your vendors that are a 4th party to them. Are you tracking down permissions to send them SOC reports from your vendors, are you referring them to the vendor directly so they can get their own NDA established (which would be hard without them directly contracting with your vendor), are you referring them to your own SOC report that covers your vendor management program, or how are you handling these requests coming in?