How has vendor due diligence (DDQ) changed in a world of cyber risks?

By Lisa McLaughlin and Graham Davies

Businessman and businesswoman working

The SS&C CTO Forum earlier this month was an opportunity for Chief Technology Officers to get together to share information and discuss topical issues in an informal and open manner. The topic of this form was due diligence and here’s what we found.

The consensus: as we make our way around the world, cyber risks are a hotter topic, which goes up to the board level and most likely here to stay.

What’s the importance of due diligence?

To understand or to measure an organization taking into account where your data is; should include performing a due diligence on your vendors.

Attendees agreed! It’s a shared responsibility – Investor protection and market integrity encompasses the attention of the regulators, data controllers and processors expectations.

“Prior to cyber risks being forefront, DDQ was more about monitoring your vendors and their capability to provide services where firewalls were certainly once good enough”

Panelist and Director of Information Security at SS&C Graham Davies noted in his observation the past 3 years, the number of due diligence requests from clients, prospects, and investors has doubled each year. The complexity and number of questions in due diligence questionnaires have also increased and it is not uncommon to receive 200+ questions relating to information and cyber security.

What is the Drivers of the Due diligence process?

Cyber risks bring big demands in the regulatory landscape. The growth of due diligence is driven by the Regulators with the SEC being a vocal point in terms of protecting investors, assessing cyber risks launching their first sweep on cyber security in April 2014.

The media buzz has also played its part in ensuring that cyber security is a regular board meeting topic of discussion, and as a key vendor, SS&C are often asked to present its controls and strategy to address cyber security risks.

How dense does your organization go when assessing your vendors?

Assessing your organizations risk must include assessing the risk level of your vendors- follow the data.  How deep depends on the sensitivity or classification of information held along with the amount of data the vendor has access to.

In summary, cyber security due diligence has become a mandate in a world of cyber. By adopting standardized due diligence questionnaires such as that from Aponix and the Alternative Investment Technology Executives Club (AITEC) creates transparency in implemented controls, but also gain efficiencies while meeting regulatory responsibilities.

Standardizing allows for a seamless vetting process!

A special thank you to the panelists and we look forward to seeing you at the next SS&C CTO Forum.


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s