What kind of due diligence should you do on your due diligence professional?
All vendors should be assessed based on their access to your confidential and proprietary information, access to your network, and criticality to your operations. As such, your due diligence professional should certainly be on the inventory of vendors and risk assessed like other vendors you use. We have completed the SIG questionnaire and it is readily available to our Vendor Due Diligence clients.
What tips do you have when you face a vendor whose answers are mostly “this is confidential non-public information”? We have asked a particular broker who claims to have an SSAE 16 done for a copy of that report and they respond that it is confidential.
This is a common problem that our service solves. We ensure receipt of adequate responses in a timely fashion. We use our industry expertise to determine relationship-appropriate questions, our vendor relationships to access the proper channels for obtaining information, and our partner’s automated platform to make responding easy for vendors. Plus, the aforementioned economy of scale helps lessen vendor workload and increase response quality.
As for SSAE 16s specifically, these reports are designed for the use of stakeholders, which includes clients. In fact, that’s why so many of our IA clients have us develop them: for their institutional clients. The information contained therein should not be fully confidential non-public information. However, the scope of the report, or certain controls within it, may not pertain to the services you receive. A summary or redacted report should provide the balance between their confidentiality and your need to perform due diligence on them.
Since most IAs use the same major vendors, DST, State Street, etc., would we benefit from economies of scale? Would the due diligence be unique for each IA in relation to the big service providers?
We will survey large firms repeatedly, while boutiques may only be surveyed once in any given year. We have made assumptions about how the costs will spread, thus assuming an economy of scale, and have priced the service on a flat fee schedule for simplicity. Please let us know if you prefer different cost attribution by going to www.ashlandpartners.com/vendordd.
Interpretation and acceptance of risk can vary by IA; however, there are great similarities in the way the IA industry utilizes many of the large providers, and we have built our service based on our industry expertise and understanding of those industry dynamics. We offer optional add-on services for 1) questionnaire customization and 2) risk analysis and reporting.
How should we deal with vendors with whom we already have a relationship? Say a vendor has been providing services for the last five years. Do we go back and conduct due diligence?
Of course, a good vendor due diligence program should include evidence gathering prior to entering a relationship, but also as part of ongoing monitoring, including prior to re-contracting services. These steps are frequently overlooked, or at least insufficiently carried out, given a vendor’s risk profile. If due diligence has not been performed on pre-existing providers, we recommend doing it now while taking a reasonable approach toward resulting remediations. While you can’t go back in time, you can at least document the present state of the vendor’s operational controls and accept (or remediate) your risk findings.
Can you explain how you approach a vendor such as Bloomberg where access to information and responsiveness is extremely limited to an individual firm?
We strike the balance between protecting vendors’ proprietary data and ensuring you understand vendors’ operational controls as they pertain to protecting your sensitive data. While we see many firms these days ensuring their contracts provide for the ability to audit, examine, or otherwise perform periodic due diligence, many haven’t gotten onboard yet. This is part of the reason why we offer this service. We know the right questions to ask, who exactly at each vendor to ask, and we make sure to get responses quickly and that the responses are adequate for optional risk analysis and/or reporting to be performed.
Should we perform due diligence on third party vendors related to employee benefits (HR related vendors)?
These vendors should be inventoried and assessed along with all of your vendors. If the assessment indicates the vendor has access to PII (very likely), the vendor should be approached in a similar fashion as one with direct access to PII on your network.
What does PII stand for?
Personally Identifiable Information. Examples include names, addresses, social security numbers, account numbers, logins, passwords, etc.
Would we be paying Prevalent on top of your fees? Or is the platform included in your fee?
Ashland Partners’ fees are the only fees paid. We have a sub-licensing arrangement with Prevalent in order to allow our clients to use the platform’s output for their internal purposes at no additional cost.
What is a SIG format?
SIG is the acronym for the Standardized Information Gathering questionnaire, an industry-vetted list of questions for conducting due diligence that is sponsored and maintained by the Shared Assessments Group. We utilize SIG question sets based on the nature of the vendor.
What if the vendor does not want to answer our vendor due diligence questionnaire? Or what if we can’t have big vendors like Fidelity or Salesforce answer our questionnaire?
We strike the balance between protecting vendors’ proprietary data and ensuring you understand vendors’ operational controls as they pertain to protecting your sensitive data. While we see many firms these days ensuring their contracts provide for the ability to audit, examine, or otherwise perform periodic due diligence, many haven’t gotten onboard yet. This is part of the reason why we offer this service. We know the right questions to ask, who exactly at each vendor to ask, and make sure we get responses quickly and that the responses are adequate for optional risk analysis and/or reporting to be performed.
What would be an example of a low risk vendor?
Low risk vendors are typically those who do not have access to your confidential or proprietary information, do not have access to your network, and are not critical to your operations. A common example that many people cite is the cleaning firm for the office or building. However, cleaning firms tend to have extensive access to facilities, often during unsupervised times. As such, they should not be treated as low risk by default without considering the effectiveness of the compensating controls you have in place (e.g., clean desk policies).