Vendor Due Diligence Checklist: A 5-Step Guide

What is Vendor Due Diligence?

Vendor due diligence is the process for determining the amount of risk associated with relationships with third-party organizations in a supply chain. Vendor due diligence processes may apply both to current vendors as well as potential vendors before or during the onboarding process.

IT vendor risk management is the practice of assessing and mitigating risk related to vendors providing IT services.

What are the Challenges in Vendor Due Diligence?

Traditional methods of vendor due diligence rely heavily on manual processes such as collecting questionnaires, reviewing documentation, or performing desk assessments and on-site visits. Because these processes are time-consuming and cumbersome, vendor due diligence assessments can’t be processed at a pace that allows for timely vendor onboarding and continuous monitoring of risk.

Vendor Due Diligence Checklist

Third-party vendors can open the doors to growth and competitiveness, but they can also introduce operational, cyber, or financial risks.

Whether you’re starting out or an established business, the process of selecting and onboarding a new vendor is a critical juncture that requires careful due diligence. But what information should you collect from your vendors, and how can you verify that it’s accurate?

We’ve compiled a vendor compliance due diligence checklist that includes baseline information that can inform your procurement decision-making. Not every item in this list is a necessity, but the more you complete, the more thoroughly you can mitigate risk in the vendor selection process.

1. Basic Company Information

Collecting basic information can help you verify that the company is legitimate and licensed to do business in your area. You’ll also want to collect information on key personnel for use in further risk assessments.

• Articles of incorporation (or similar corporate charter)
• Business license
• Company structure overview
• Biographical information of executives and board members
• Location (are they located in a high-risk country?)
• Proof of location, such as photographs or an on-site visit
• References from credible sources

2. Financial Information

It’s important to check that a vendor is financially solvent and paying their taxes. There’s no sense in working with a vendor that won’t be in business next month. Conversely, a strong growth pattern could forecast an increase in prices down the line. Be sure to request information on the following:

• Tax documents
• Balance sheets
• Loans and other liabilities
• Major assets
• Compensation structure

3. Political and Reputational Risk

Vendors with access to important information or systems, such as payroll providers or accountants, must be scrutinized closely. By diligently examining these aspects, you can ensure that vendors are subjected to a thorough evaluation, reducing potential risks to your organization. Check the following:

• Watch lists and sanctions lists: Is the vendor's organization listed on key watch lists, global sanctions lists, or lists published by regulators?
• Lawsuits and regulatory violations: Is the vendor or key individuals subject to any ongoing or past lawsuits related to their services or regulatory violations?
• Politically Exposed Persons (PEP) and law enforcement lists: Determine if key personnel within the vendor's organization are listed on PEP and law enforcement lists.
• Risk-related internal policies and procedures: Review the vendor's internal policies and procedures related to risk management and data security.
• Consumer Financial Protection Bureau (CFPB) reports: Obtain and assess any relevant reports or actions taken by regulatory agencies, like the CFPB, against the vendor.
• Negative news reports: Search for negative news reports or articles about the vendor's organization, especially those related to security breaches or unethical behavior.
• Social media: Monitor the vendor's activity on social media platforms, looking for any red flags or controversial statements/actions.
• Complaints and negative reviews: Check for customer complaints and negative reviews regarding the vendor's services or conduct, both online and offline.

4. Cyber Risk

When you onboard new vendors, it’s critical to understand their cybersecurity postures. After all, when you work with a vendor you agree to take on any cyber risk associated with that organization. Unfortunately, these risks are on the rise:

• 62 percent of network intrusions originate with a third-party.
• 72 percent of organizations have experienced at least one significant disruption as the result of a third-party relationship.

Conducting due diligence is essential, but as you add more vendors to your digital supply chain, keeping up with security questionnaires and assessments is tough. A study by Accenture found that 79 percent of companies are adopting new technologies faster than they can address related security concerns.

A risk-based approach can help manage this problem. Not all vendors will require the same level of due diligence. Instead, tier your vendors according to their importance to your business and access to critical data, then perform the appropriate level of due diligence according to risk. Add the following to your cyber risk checklist:

• Cyber risk assessment questionnaire: Customize your questionnaire to the tier, industry, and level of access the vendor will have. Include questions about the vendor’s protocols for risk management and security, incident response plans, history of cyber breaches, and governance practices. Learn more about how you can automate the security questionnaire process so you can confidently onboard new vendors and get them quickly working for your business.
• Security rating assessment: Augment your security questionnaires by incorporating objective data about a vendor’s security performance. A security rating scores your vendor's overall cybersecurity posture with a higher rating equating to better performance. A rating can also shine a light on past security issues, including any cyber incidents.
• Vendor attack surface: Analyze the vendor’s attack surface to discover any security gaps in their digital infrastructure.
• Cybersecurity frameworks: Has the vendor adopted a cybersecurity framework—such as NIST or SOC2? Do they comply with regulations like GDPR, DORA or NIS 2? And how do they ensure continuous compliance?
• On-site visit to assess security controls: This may be necessary for higher-tier vendors such as those that provide mission-critical services or have access to sensitive data.

5. Operational Risk

As part of the vendor due diligence process, you’ll want to assess whether the vendor is exposed to operational risks that could negatively affect your company. One example of this type of risk is downtime for a cloud service provider (whether due to a cyberattack or operational issue) that could impact your operations.

To understand operational risk, collect the following:

• Does the vendor have such a plan in place? If they do, does their plan assure you that the vendor can continue to offer services in the event of a disaster, cyberattack, or other disruption? What SLAs can you expect? Also, does the vendor have cybersecurity insurance?
• Employee practices: What are the vendor’s hiring and background check protocols? Do they have protocols for cybersecurity training (74 percent of all cybersecurity breaches are the result of privilege misuse or human error)?
• Vendor due diligence: Does the vendor conduct adequate due diligence on its third parties and subcontractors? How will the vendor notify you in the event of a third-party cyber incident on its network? What recourse do you have?

Next Steps

After data is collected, verify and compare it with best practices and your organization’s risk appetite to determine whether a vendor relationship should be pursued.

Vigilance shouldn’t stop there. Continue to monitor vendor relationships—particularly high-tier vendors—for the life of the relationship. For example, a vendor’s security posture is constantly changing. To mitigate any risks to your organization, develop a process for continuously monitoring your vendor’s changing risk profiles.

Finally, look for ways to automate your vendor due diligence process. Automation can help you speed up vendor risk assessments, security questionnaires, and other pre-contract processes.

Best Practices for Vendor Due Diligence

When you’re seeking to improve your vendor due diligence process, these best practices can help you make more informed decisions:

Set risk tolerance thresholds and tiers

Establish an acceptable risk threshold that a third-party must achieve before they can be considered as a potential vendor. To make vendor due diligence more efficient, you can tier your vendors based on their risk and criticality to your business. Vendors like accounting firms or payroll companies that inherently represent greater risk and have access to sensitive company data should meet a higher threshold than vendors like office supply firms who pose less risk to your supply chain.

Continuously monitor risk

While you can’t continuously conduct in-depth audits or assessments for each vendor, you can keep your finger on the pulse of vendors’ cyber hygiene by continuously monitoring their security posture. Security ratings like the data and analytics provided through Bitsight Security Ratings can trigger automatic alerts when a vendor’s security posture deviates from pre-agreed risk thresholds or contractual SLAs, and provide historical context into a third-party’s security performance.

Automate due diligence processes

By automating processes, your teams can effectively manage vendor due diligence without increasing headcount. Automation can help to quickly discover and mitigate unforeseen cyber risk throughout your vendor landscape and ensure that critical data is shared with stakeholders. By quickly validating your vendors’ responses to security questionnaires, you can more easily identify red flags that require deeper investigation.

The Secret to Effective Vendor Due Diligence

While vendors are critical to your organization, relationships with these third parties inevitably expose you to certain amount of cyber risk. The headlines are full of supply chain hacks that have resulted in massive operational disruption, high costs to remediate exposure, and damage to business reputations.

An effective vendor due diligence process should address these concerns, and efficiently identify risk within the supply chain and in potential vendor relationships. However, the methods for assessing cyber risk across an extended supply chain are typically time-consuming and inefficient. According to Forrester, more than two-thirds of businesses rely on manual processes for their third-party risk management programs. These cumbersome procedures hinder productivity and consume your team’s valuable time, and can potentially expose your organization to increased cyber risk.

Bitsight provides an end-to-end third-party risk management network for fully automated vendor assessment and onboarding. With Bitsight, your vendor risk management team can conduct high-quality, efficient security risk assessments without adding to headcount.