Often, our modern business environment requires organizations of all sizes to work with large brand-name companies like AWS, Microsoft, AT&T, NASDAQ, or JP Morgan Chase. Companies like these are attractive because of their reputation, size, scale, and offerings. However, just because a company is well-known in the industry doesn't mean it's necessarily better protected from business-disrupting events, such as data breaches. Still, your organization may have a significant need for what these companies offer, and there may be few alternatives.
Effective third-party/vendor risk management requires thoroughly vetting vendors, especially those trusted to deliver high-risk products and services or that are deemed critical to your operations. But, as many third-party practitioners know, the larger the company, the more difficult it can be to collect information and perform due diligence. However, that doesn't mean you shouldn't try.
Let's explore why and identify some strategies to help even the smallest organizations vet and manage these large companies.
The Challenges of Using Large Companies
Let's face it, given a choice, most of us would prefer to work with a company that has demonstrated industry expertise, has a large national or international footprint, can scale their solution to our needs, and is a trusted brand name to thousands of satisfied customers. In fact, because these companies are often the industry leaders, we trust these types of companies to deliver our highest-risk products and services. However, reputation and size don’t necessarily translate into a seamless or easy business transaction.
Working with these behemoth organizations often comes with challenges too. Let's look at some of them:
- No mutual non-disclosure agreement (NDA): Most large companies don’t offer mutual non-disclosure agreements unless they’re expressly included in the purchase agreement or contract. If an NDA is in place, it may be one-sided, meaning the prohibition on sharing data applies only to your organization, not the vendor.
- No contract negotiation: Generally, your organization will be provided with a standard purchase agreement that doesn’t allow for the negotiation, addition, or changing of terms and conditions. While many of the largest companies do include standard language specific to their security, privacy, and compliance practices in their contracts, that purchase agreement won’t grant you essential rights such as the "right to audit." If your organization is also a large brand-name company, you may have more negotiating leverage, but, in most cases, your purchase agreement is "as is" – take it or leave it.
- Limited customer service or technical support: You may find that your standard service offering doesn't include any real customer service. Instead, you may be directed to a website with FAQs or troubleshooting hints. It may take much longer to resolve issues if you need to call customer service, and you’re unlikely to receive the kind of personalized attention you would get with a dedicated customer service agent or team.
- No participation in due diligence: Because large companies have so many customers, it is simply not practical for them to respond to or participate in every due diligence request. So, no matter how hard you press, they won't fill out a vendor risk questionnaire or respond to requests for documentation. This doesn't mean they aren't aware of or don't care about cybersecurity, privacy, business continuity, or regulatory requirements. In fact, many of the largest companies have incredibly effective controls and processes in place to protect their customers. However, that doesn't mean it is easy for customers to identify and validate those controls.
Practical Due Diligence Actions for Large Vendors
Suppose you’re faced with a new mega vendor and know you have zero chance of them participating in your due diligence process. Even if this is the case, you should still ask. While it may seem crazy to send that email to your sales rep, knowing they’ll decline, there is a slight chance that email could result in some helpful information such as a link to the company website where they post their policies, security certifications, etc. But, if the response doesn't materialize, you’ll still need to document your efforts. You’ll also have to do some proactive investigation.
Here are some practical actions to consider:
- Ask your sales rep if the organization has completed a Consensus Assessments Initiative Questionnaire (CAIQ) or a Standard Information Questionnaire (SIG). Both questionnaires cover multiple risk domains and can provide answers to many of your questions.
- Ask your sales rep if a website is reserved for customers that may include the data you seek. You might need to request access or get a password.
- Obtain a vendor monitoring and alert service report to investigate the company's security posture, reputation, financials, or negative news.
These methods should help you find enough information to guide your decision to engage with the company. Make sure your efforts are proportionate to the risk. For example, if the vendor will access, process, transmit, or store sensitive information, you must validate their security and privacy practices to the best of your organization's ability. Document your methods and findings, even if there isn't much information available.
Remember, you should conduct an inherent risk assessment to document the risks first. After that, you must document all your due diligence efforts and include information on why alternative methods and data were necessary to accomplish your due diligence, or if there was a lack of information available.
The Amount of Vendor Due Diligence Needed and Ongoing Monitoring Expectations
So, the question remains: how much due diligence is enough? No matter how much or how little due diligence you do, at some point your organization must decide whether the level of risk is acceptable and move on. This is true for all engagements. But suppose you can't meet your typical due diligence standards. In that case, it's essential to document any alternative methods, missing information, and the level of risk remaining. Then seek approval from Senior Management, as they’re positioned to define the organization's risk tolerance and determine whether the vendor engagement's proposed benefits outweigh the risks.
Next, you need to continuously monitor large vendors. After deciding to work with a large vendor, ensure you keep an eye on their performance and risk profile. Critical and High-Risk vendors should undergo a formal risk reassessment and due diligence on at least an annual basis. You still need to monitor your vendor between those formal reviews. Risk Monitoring and Alert services can support your monitoring efforts.
Other Considerations to Keep in Mind
Here are some other considerations you’ll want to think about:
- Single Point of Failure (SPOF) Vendors: Often, the same large companies we depend on can represent a single point of failure. Suppose a vendor supports a material process, product, or service, and there are no immediate alternatives or backup vendors. In that case, that vendor is a single point of failure. When faced with a SPOF, you must take extra care to research the vendor's financial viability and business continuity plans and tests, to the best of your ability.
- The myth of being "too big to fail": When we think about "too big to fail," most of us remember the financial crisis of 2008 and the financial and insurance institutions that received government bailouts to prevent a systemic financial collapse. There have also been bailouts for the automotive and airline industries.
Over time, the idea of being too big to fail has led to a belief that these huge organizations supporting millions of businesses are being "managed" by regulators or held accountable by investors. Some may think that these companies will be kept afloat no matter what. That just isn't the case. Regulatory agencies hold these mega companies accountable the same way they do smaller companies: by communicating requirements, requiring specific disclosures and reporting, and conducting regulatory exams. From a broader perspective, regulators are looking for weaknesses that could cause a systemic collapse of an industry, not monitoring or managing vendors on your organization's behalf. That means your organization is still responsible for ensuring reasonable due diligence and monitoring of your vendors. Regulators will want evidence that your organization acted responsibly by conducting as much due diligence as possible, even when it was difficult.
Those large brand-name vendors may bring incredible benefits to your organization, but not without risk. Your organization is responsible for identifying those risks and conducting due diligence to ensure that the vendor has appropriate controls in place to mitigate them. Obtaining that information can be challenging or even downright impossible; however, that doesn't mean your organization won't be held accountable. No matter what methods are used to determine the sufficiency of the vendor's controls, you must be able to "show your work" and defend your organization's decision to use the vendor or not.