A Fresh Look at Vendor Due Diligence
Vendor due diligence, an oldie…but a goodie. Vendor due diligence has been a risk mitigation technique since the words Caveat Emptor were first spoken. But what about today? How much emphasis should your firm place on vendor due diligence? Why should you care? Let us count the ways.
1. Risk identification is increasingly difficult in our global, digital economy.
2. Most small firms don’t have a formal risk management program, which means they often don’t have a vendor management program.
3. The rise of technology has resulted in the decentralization of business operations as technology and service vendors manage key aspects of a firm’s business operations.
4. Regulators are aware of the trend in outsourcing and expect businesses to effectively manage the related risks.
5. There are a few key considerations when establishing a vendor management program.
Risk Identification: Earning a Spot on the Risk Register
First, let us consider how firms identify risks and develop controls. Firms with formal risk management programs typically have a running list of key risks or a risk register. When creating a risk management program, each source of risk and its potential impact on the business is considered, along with mitigating controls and the go-to response for foreseeable events. Vendor due diligence has been a staple on larger firm risk registers for quite some time. Smaller investment advisory firms may not be as formal with risk management and often don’t keep a risk register, but they should still go through the thought process. In fact, the SEC will often ask for a copy of the firm’s risk assessment. As patterns go, this is one risk area that is on the rise as evidenced by recent SEC exam deficiency letters.
Risk and Vendor Management Apply to Firms of All Sizes
The use of vendors increases the flow of information in and out of a business, which raises the risk profile of data security. With the rise of technology and its ease of access, many small firms outsource a considerable amount of risk to vendors. Core recordkeeping systems, network configuration partners, and data centers are business operations that are typically outsourced by smaller firms, along with the risks associated with those operations.
Risk management for smaller firms is largely about managing the vendors. Cybersecurity, the privacy of confidential information, business continuity, disaster recovery, fraud, and financial stability risks are common areas that small firms should address when they rely on outsourced business operations or systems. Decentralization leads to a lack of transparency as to how risks are managed and can reduce a firm’s control over, and ability to mitigate, those risks. Therefore, firms following this business model need to develop controls to manage these risks.
For example, almost all small firms outsource aspects of their IT, and with it their cybersecurity risk. Vendors can provide innovation and scale that would be difficult for a small firm to achieve on its own. But with these benefits comes the need to implement a strong vendor management program to identify and mitigate risks. It is not a stretch to assume firms will become even more reliant on vendors, especially for IT functions, which makes a vendor management program even more important as cybercrime continues to grow globally. These considerations will assuredly drive increased attention from regulators.
The Rise of Technology, the Cloud is King
Speaking of trends, the cloud is king. What an efficient game changer. But just because you are on the cloud does not mean the underlying risks go away. Configuration considerations are essential in any environment, and even more pronounced when your firm is one of many being serviced in a distant, shared cloud environment. Back-up data centers, multiple tiers of cloud vendors, and general complexity make risk management problematic, and sound vendor oversight even more critical.
Cloud-specific risks are identified and reported by the Cybersecurity and Infrastructure Security Agency (CISA). CISA is a new agency within the Department of Homeland Security whose mission is to be the nation’s cybersecurity risk advisor, working with partners to defend against today’s threats and collaborating to build a more secure and resilient infrastructure for the future. CISA recently issued Analysis Report AR19-133A, illuminating the risk of administrator account default settings and the unintended exposure that results when those settings are not understood and configured appropriately.
Regulators are Raising the Profile of Vendor Management and Cybersecurity
If the pure escalation of risk in our global, digital economy doesn’t grab your attention, perhaps the regulators will. Risk alerts, exam priorities, fines, and penalties are on the rise. One has to look no further than the rise in cybersecurity risk and pain associated with the failure to establish reasonable controls. The headlines are full of stories of cyber events that have cost companies thousands, millions, or billions of dollars. Real problems happen, regulators respond, laws change.
The OCIE Risk Alert dated May 23, 2019, entitled "Safeguarding Customer Records and Information in Network Storage—Use of Third Party Security Features" highlights weaknesses firms have with misconfigured network storage solutions, inadequate oversight of vendor-provided network solutions, and insufficient data classification policies and procedures.
Unfortunately, the regulators don’t provide much help on how to build an effective vendor management program. For those looking to establish one, below are some key considerations.
Tenets of a Solid Vendor Management Program
A sound vendor due diligence program is a primary way firms can guard against risks presented in outsourcing key functions. One size does not fit all, and as with most things, an effective vendor management program should take a risk-based approach. The outline below provides some common risk areas that firms should consider when outsourcing business operations. Once the firm has identified those risks, it can utilize common due diligence practices to evaluate a vendor’s security.
Vetting Suppliers Beforehand
Onboarding Supplier Risk Evaluation
- Information and legal risk
- Performance and service level risk
- Reputational risk
- Operational risk
- Regulatory risk
- Financial and supply chain risk
- The supplier agrees to your firm's data security, HR, confidentiality, and other applicable policies, or has substantially the same policies or stronger
- Strategic long-term alignment between your firm and the vision of the supplier; a bias towards fewer, more strategic vendors allows streamlined, more focused diligence
Supplier Qualification and Vetting
- External audit reports such as SOC 1 reports are common for larger service providers; IT service providers on top of their game may have a SOC 2 report available to clients, providing assurance on organizational controls related to security, availability, processing integrity, confidentiality, or privacy. These five areas are defined by the AICPA Trust Services Principles and Criteria.
- Standard Information Gathering (SIG) documentation may also be available to provide assurance and transparency regarding controls in place
- USA Patriot Act Denied Persons List check
- OFAC and other government watch-lists or infractions lists
- TIN/Business number check
- Entity search results, business registration
- Insurance certificate
- Audited financials, as appropriate, notes regarding uncertainties and going concern risk
- Physical or logical supplier access to customer data is a key differentiator in the risk assessment and in the contractual requirements around those risks
- Strong standard clauses
- Consider legal review of exceptions
Risk Ranking Suppliers
- Develop a supplier risk matrix that depicts your firm’s risks and scores each supplier
- Assess the risk of a new supplier at onboarding and add to the matrix
- Perform a fresh risk assessment of critical suppliers on an ongoing basis, at least annually for a smaller firm
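The risk matrix described above, as an added example that is not from the original article: each supplier is scored per risk area from the onboarding list, tiered (PII access forcing the "high" tier, per the differentiator noted earlier), and checked for an overdue annual reassessment. The weights, thresholds, and sample suppliers are assumptions constructed for illustration.

```python
# Added example (not from the original article): a minimal supplier risk matrix
# that scores each supplier, tiers it, and flags overdue annual reassessments.
from dataclasses import dataclass
from datetime import date

RISK_WEIGHTS = {            # relative importance of each risk area (assumed)
    "information_legal": 3,
    "performance_sla": 2,
    "reputational": 1,
    "operational": 2,
    "regulatory": 2,
    "financial_supply_chain": 2,
}
SCORE_MIN, SCORE_MAX = 1, 5   # each area is scored 1 (low) to 5 (high)

@dataclass
class Supplier:
    name: str
    scores: dict           # risk area -> score in SCORE_MIN..SCORE_MAX
    accesses_pii: bool     # physical or logical access to client PII
    last_assessed: date

def weighted_score(s: Supplier) -> float:
    """Weighted average of the area scores, normalised to 0.0..1.0."""
    total = 0
    for area, weight in RISK_WEIGHTS.items():
        value = s.scores.get(area)
        if value is None or not SCORE_MIN <= value <= SCORE_MAX:
            raise ValueError(f"{s.name}: bad or missing score for {area}")
        total += weight * value
    return total / (sum(RISK_WEIGHTS.values()) * SCORE_MAX)

def risk_tier(s: Supplier) -> str:
    """PII access is the key differentiator: such suppliers are always 'high'."""
    score = weighted_score(s)
    if s.accesses_pii or score >= 0.7:
        return "high"
    return "medium" if score >= 0.4 else "low"

def overdue_reassessments(suppliers, today: date, max_age_days: int = 365):
    """Names of high-risk suppliers not reassessed within max_age_days."""
    return sorted(s.name for s in suppliers
                  if risk_tier(s) == "high"
                  and (today - s.last_assessed).days > max_age_days)

# Constructed sample data for the matrix (not real vendors)
SAMPLE = [
    Supplier("Custodian Co", dict.fromkeys(RISK_WEIGHTS, 2), True, date(2019, 1, 15)),
    Supplier("Print Shop", dict.fromkeys(RISK_WEIGHTS, 1), False, date(2019, 1, 15)),
    Supplier("Data Center", dict.fromkeys(RISK_WEIGHTS, 4), False, date(2020, 3, 1)),
]
```

A supplier with a missing or out-of-range score raises rather than silently scoring low, so an incomplete onboarding evaluation cannot slip into the matrix.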
Ongoing Due Diligence on High-Risk Suppliers
- A key, again, is suppliers that have access to your client data, especially Personally Identifiable Information (PII); as Wikipedia puts it, PII, as used in US privacy law and information security, is information that can be used on its own or with other information to identify, contact, or locate a single person, or to identify an individual
- For high-risk suppliers, staying on the distribution list for the current SOC audit report from the external auditors is a good idea. If you recognize the name of the accounting firm, even better. Reading the report is not for everyone, but it is a key opportunity for efficient supplier due diligence.
- Other considerations for high-risk vendors include participation in the vendor’s BCP plan, or even site visits to understand firsthand how your service is provided
- There is no substitute for hands-on, frequent relationship touchpoints, strategy sessions, performance reporting against standards, process improvement initiatives, as appropriate for vendors that have truly ascended to be so critical you think of them more as partners than vendors. When you achieve this service provider nirvana, there are never surprises come due diligence time.
Do you have critical vendor relationships exposing your data to the cloud? Can your service provider articulate how your data is secured and how BCP works? Do you sleep like a baby when you think about your vendors? If any of these questions leave you feeling uneasy, it may be worth taking a fresh look at your vendor due diligence program.