Due Diligence 5-Step Checklist
Written by: Black Kite
As if managing your own cyber risk profile isn’t challenging enough, your organization must concern itself with how every one of your suppliers and vendors addresses risk. By 2025, 60% of organizations will use cybersecurity risk as a primary determinant in conducting third-party transactions and business engagements.
Cyberattacks related to third parties are increasing. However, only 23% of security and risk leaders monitor third parties in real-time for cybersecurity exposure, according to Gartner data.
Conducting a due diligence process for vendors or third parties can seem cumbersome. However, these entities can be the weakest elements in your organization’s cybersecurity – making them the easiest points of access for cybercriminals to bypass your third-party risk management (TPRM) system. Regardless of a company’s size, business leaders need to take on a rigorous due diligence system to protect their data.
Understanding Third-Party Due Diligence
“Due diligence” is an in-depth investigation or analysis carried out to validate the facts of a matter under consideration. While the term is predominantly used in the financial industry, where it means providing concise financial information to potential buyers, its meaning differs slightly in TPRM and the cybersecurity domain.
Step 1: Identify the Criticality of Vendors
The first step of the due diligence process is identifying the criticality of your vendors in your business’ cyber ecosystem(s). Each player in an ecosystem may vary from private firms, non‐profits, and government entities to processes, cyber devices, and even human beings.
Several inputs inform this decision. Check the type of service the vendor provides: a software provider or a hosting provider can be as critical as it gets. Check the type of access granted to the vendor, such as internal VPN access or physical access. Check the amount and kind of data shared with the vendor, including the type and number of PII records and the volume of business-confidential data.
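The four inputs above (service type, access granted, PII records shared, confidential data volume) can be turned into a repeatable vendor tiering rule so that every vendor is ranked the same way. The following Python is an added example, not Black Kite's methodology or any code from the original page; the weights, thresholds, tier cut-offs and the sample vendors are all assumptions constructed for illustration.

```python
from dataclasses import dataclass
from enum import IntEnum


class Tier(IntEnum):
    LOW = 1
    MEDIUM = 2
    HIGH = 3
    CRITICAL = 4


# Hypothetical weights (an assumption for this example, not a published model).
# Software and hosting providers, which the text singles out, get the top weight.
SERVICE_WEIGHT = {"software": 3, "hosting": 3, "saas": 2, "consulting": 1, "office_supplies": 0}
# Access granted to the vendor; internal VPN and physical access weigh most.
ACCESS_WEIGHT = {"none": 0, "portal": 1, "api": 2, "internal_vpn": 3, "physical": 3}
# Exclusive lower bounds for data-volume buckets 1..3 (bucket 0 = nothing shared).
PII_THRESHOLDS = (0, 1_000, 100_000)   # PII records
GB_THRESHOLDS = (0, 1, 100)            # business-confidential data, gigabytes


@dataclass(frozen=True)
class Vendor:
    name: str
    service_type: str
    access_types: tuple          # e.g. ("internal_vpn",), or () for no access
    pii_records: int             # number of PII records shared with the vendor
    confidential_data_gb: float  # volume of business-confidential data shared


def bucket(value, thresholds):
    """Number of thresholds the value strictly exceeds: 0..len(thresholds)."""
    return sum(1 for t in thresholds if value > t)


def score_vendor(v):
    """Additive criticality score, 0..12, from the four Step 1 inputs."""
    service = SERVICE_WEIGHT.get(v.service_type, 1)  # unknown service types default to 1
    access = max((ACCESS_WEIGHT.get(a, 1) for a in v.access_types), default=0)
    pii = bucket(v.pii_records, PII_THRESHOLDS)
    confidential = bucket(v.confidential_data_gb, GB_THRESHOLDS)
    return service + access + pii + confidential


def tier_for(v):
    """Tier from the score, with one override: deep access combined with a large
    PII share is CRITICAL regardless of how the rest of the score adds up."""
    deep_access = any(a in ("internal_vpn", "physical") for a in v.access_types)
    if deep_access and v.pii_records > PII_THRESHOLDS[-1]:
        return Tier.CRITICAL
    score = score_vendor(v)
    if score >= 10:
        return Tier.CRITICAL
    if score >= 7:
        return Tier.HIGH
    if score >= 4:
        return Tier.MEDIUM
    return Tier.LOW


def rank_vendors(vendors):
    """(name, tier, score) rows, most critical first; ties broken by name."""
    rows = [(v.name, tier_for(v), score_vendor(v)) for v in vendors]
    return sorted(rows, key=lambda r: (-r[1], -r[2], r[0]))


# Constructed sample vendors (not real companies or real assessment data).
SAMPLE_VENDORS = (
    Vendor("Cloud Host Ltd", "hosting", ("internal_vpn",), 250_000, 500.0),
    Vendor("Payroll SaaS", "saas", ("api",), 4_000, 0.5),
    Vendor("Site Consultancy", "consulting", ("physical",), 50, 5.0),
    Vendor("Design Studio", "consulting", ("portal",), 200, 5.0),
    Vendor("Snack Supplier", "office_supplies", ("portal",), 0, 0.0),
)

if __name__ == "__main__":
    for name, tier, score in rank_vendors(SAMPLE_VENDORS):
        print(f"{tier.name:9} {score:2d}  {name}")
```

The override in `tier_for` is the part worth keeping even if the weights change: a purely additive score lets a low-weight service type mask the combination of deep network or physical access with a large PII share, and that combination is exactly the case the due diligence process should never under-rank.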
Step 2: Look For Your Assets
It is important that business owners take care of their assets, in particular their data. Whether it is company-confidential data such as proprietary manufacturing or engineering processes, or the PII of a customer, you need to know where your data extends across the entire ecosystem. Black Kite’s third-party data breach portal displays numerous breaches over the years caused by cloud vendors, software vendors, and even suppliers.
A significant percentage of these breaches result from once-shared and then forgotten data on cloud servers and/or vendor servers.
Step 3: Make Vendors Part of Your Risk Assessment
It is important that risk managers adopt the same risk-aware attitude in the due diligence process. This logic will allow them to focus their limited resources on the vendor issues which present a risk beyond the organization’s risk appetite.
Risk managers should delve into threat scenarios, the shared and affected asset(s), their value to the organization, as well as their value to the entire ecosystem.
Step 4: Use a Framework to Make Step 3 Manageable
The NIST Cybersecurity Framework (CSF) comes in handy in the vendor due diligence process. This framework can be seen as a common language aiming to improve “risk and cybersecurity communications” both internally and across stakeholders in a cyber ecosystem.
It is an inclusive framework that can be used across many businesses and different domains. It organizes cybersecurity activities into five functions: Identify, Protect, Detect, Respond, and Recover.
Identify: The Identify Function assists in developing an organizational understanding to manage cybersecurity risk to systems, people, assets, data, and capabilities. In the vendor due diligence context this function includes:
- Understanding assets, in particular, shared assets
- Identifying cybersecurity policies within the vendor
- Identifying a Risk Management Strategy for the organization including establishing risk tolerance with a perspective of shared services and data
Protect: This function outlines appropriate safeguards to ensure the delivery of critical services. Examples include:
- Which protections for Identity Management and Access Control are in place at a vendor
- Data Security protection consistent with the organization’s risk strategy
Detect: The Detect Function enables timely discovery of cybersecurity events. This includes ensuring Anomalies and Events are detected, and their potential impact is understood.
Respond: Includes activities once a cybersecurity incident is detected. The Respond Function is about containing the impact of a potential cybersecurity incident. This includes checking to see if any mitigation activities are performed to prevent the expansion of a cyber event.
Recover: This function includes maintaining plans for resilience and restoring any capabilities or services that were impaired due to a cybersecurity incident. This might include checking to see whether there are improvements based on lessons learned and reviews of existing strategies on the vendor side.
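Step 3 asks risk managers to weigh threat scenarios against the value of the shared assets and the organization's risk appetite, and Step 4 offers the five CSF functions as the structure for doing so. The following Python is an added example, not code from the original page or from Black Kite, that joins the two: each threat scenario names the shared asset, its value, its likelihood, and the CSF functions whose controls reduce it; the vendor's assessed maturity per function discounts the inherent risk; and only scenarios above the appetite are flagged, each with the weakest relevant function. The 1-5 value and likelihood scales, the 0.0-1.0 maturity scale, the discount formula and all sample data are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from statistics import mean

CSF_FUNCTIONS = ("Identify", "Protect", "Detect", "Respond", "Recover")


@dataclass(frozen=True)
class ThreatScenario:
    name: str
    asset: str                 # the shared asset the scenario affects
    asset_value: int           # 1 (low) .. 5 (critical) to the organization
    likelihood: int            # 1..5, judged before the vendor's controls are considered
    relevant_functions: tuple  # CSF functions whose controls reduce this scenario


def validate_findings(findings):
    """Findings are 0.0-1.0 maturity scores, one per CSF function (an assumed scale)."""
    missing = set(CSF_FUNCTIONS) - set(findings)
    if missing:
        raise ValueError(f"no finding recorded for: {sorted(missing)}")
    for function, value in findings.items():
        if not 0.0 <= value <= 1.0:
            raise ValueError(f"{function}: {value} is outside 0.0-1.0")


def residual_risk(scenario, findings):
    """Inherent risk (value x likelihood, 1..25) discounted by the mean maturity
    of the CSF functions that matter for this scenario (assumed formula)."""
    effectiveness = mean(findings[f] for f in scenario.relevant_functions)
    return scenario.asset_value * scenario.likelihood * (1.0 - effectiveness)


def screen_vendor(findings, scenarios, appetite):
    """Scenarios whose residual risk exceeds the appetite, highest first, each
    with the weakest relevant CSF function so follow-up lands where it helps."""
    validate_findings(findings)
    flagged = []
    for s in scenarios:
        risk = residual_risk(s, findings)
        if risk > appetite:
            weakest = min(s.relevant_functions, key=lambda f: findings[f])
            flagged.append((s.name, round(risk, 2), weakest))
    return sorted(flagged, key=lambda row: row[1], reverse=True)


# Constructed sample data for one hosting vendor (not real assessment results).
SAMPLE_FINDINGS = {"Identify": 0.8, "Protect": 0.6, "Detect": 0.3, "Respond": 0.5, "Recover": 0.4}
SAMPLE_SCENARIOS = (
    ThreatScenario("Breach of shared customer PII", "customer PII", 5, 3,
                   ("Identify", "Protect", "Detect")),
    ThreatScenario("Ransomware outage at the vendor", "hosted web application", 4, 4,
                   ("Protect", "Detect", "Respond", "Recover")),
    ThreatScenario("Stale data left on the vendor's servers", "engineering drawings", 3, 2,
                   ("Identify", "Protect")),
)
RISK_APPETITE = 5.0  # assumed: residual risk above this needs treatment or escalation

if __name__ == "__main__":
    for name, risk, weakest in screen_vendor(SAMPLE_FINDINGS, SAMPLE_SCENARIOS, RISK_APPETITE):
        print(f"{risk:5.2f}  {name}  (weakest function: {weakest})")
```

With the sample data the stale-data scenario falls below the appetite and drops out, while the two flagged scenarios both point at Detect as the weakest function, which is the kind of concrete, prioritized follow-up question Step 4 is meant to produce for the vendor conversation.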
Step 5: Use an Assessment Tool
Businesses have been leveraging vendor assessment tools for years, either remotely through vendor questionnaires and surveys, or through on-site audits. Although vendor questionnaires are still part of the due diligence process, they have shown their shortcomings over the years. Some of these include:
- vendors might not be fully transparent in the fear that the results will affect the relationship
- questions might not cover all the risks
- the answers are scoped by the third party’s own knowledge of its information security infrastructure
Relying solely on a questionnaire makes the due diligence process less reliable. Although a more reliable option, on-site audits are very costly and time-consuming.
With this in mind, Security Rating Services (SRS) have brought a new perspective to vendor risk management and due diligence processes. Organizations have consulted credit rating agencies, like Moody’s, Fitch, and S&P, for years to learn more about a company’s financial posture. In essence, the security rating an SRS assigns to a company is not very different from a credit rating. But standards-based methods matter in trusting the reliability of ratings.
Black Kite is the world’s only fully transparent, standards-based cyber ratings platform, ensuring all users know exactly how their findings are calculated. We map to globally recognized and trusted standards like MITRE and NIST. Our continuously updated global database of high-quality risk intelligence provides the confidence to take action, housing data on 34 million companies and counting – 4x that of our competitors. Moreover, every finding we have is correlated to 2 or more data sources, rather than utilized at face value.
A Combination of Cyber Rating and Compliance Modules in Due Diligence
The Black Kite Compliance Module lets you measure the compliance level of any company against different regulations and standards, including NIST 800-53, ISO27001, PCI-DSS, HIPAA, GDPR, Shared Assessments, and others. The company assessed could be a prospective vendor in the due diligence process or a third party already in your supply chain.
This predicted compliance level is not a replacement for a regular compliance assessment, but it is a very good baseline to start from. Black Kite’s platform allows users to refine an organization’s estimated compliance level by filling out questionnaires embedded in the platform. This can be thought of as a survey sent to the vendor during due diligence, complementing its cyber rating.
You can share compliance control items/questions with vendors using Black Kite’s Strategy Report, or by directly inviting them to the Black Kite platform. Vendors can then fill out the control items/questions, and Black Kite can map the answers to other regulations and frameworks available in the system.