Due Diligence Preparation Part 1: Vendor Management
Due diligence is part of every professional service firm’s life these days. More mature clients, institutional investors, and regulators all require regular review of policies and procedures. The IT components of these continue to evolve, with two major themes emerging: IT/cybersecurity resilience and vendor management.
Vendor Management Fundamentals
Vendor management consists of tracking and assessing the key risks your vendors introduce. Because of the elevated risk that naturally exists in IT, vendors are often your highest-risk exposure. The $179mm Home Depot breach was the result of an attack that came in through a poorly secured vendor. Clients, regulators, and cyberinsurance carriers are starting to recognize these risks, and often require a formal vendor management program.
We have a few easy steps to build a basic vendor management program.
1. Identify any vendors in scope for IT management. This is typically simple to decide: do they have a login to your network (such as a consultant or managed IT provider), a device in your office (such as a copier vendor), or provide an IT service or platform (such as a cloud-based accounting system)? A counter-example is a cleaning service. Chances are good they do not fall under this scope, although there may still be concerns about hard copies of confidential information lying around the office.
2. Define your baseline questions for general risk. Two questions cover general risk management. Do they carry an acceptable amount of insurance, and can they prove it by providing a certificate of insurance (COI)? Do their contracts follow your best practices, such as having reasonably large limits of liability?
3. Define your baseline questions for IT risk. Now we get into the gritty technical details. Do they follow best practices around multifactor authentication? (If not, quickly find a new vendor!) One easy option here is to take questions from your most recent cyberinsurance application and ask the vendor to answer them. CGP also has a baseline assessment available here that you are welcome to copy!
4. Stay organized and re-assess annually. Make sure you document all responses and any files provided. A good vendor management program re-assesses annually, ideally in lockstep with contract expiration dates. As part of your annual contract re-negotiations (you are doing that, right?), you should continue to apply tighter requirements.
Ready to bring in the experts on vendor management? The partners at CGP have years of experience building and managing due diligence programs for law firms, financial services, and more.