What is supplier due diligence?

Rebecca Bada
Senior GDPR Consultant

The modern business landscape means that organisations are more interconnected than ever before, relying on third-party vendors for a wide range of services. Just think of outsourced IT support or cloud computing, customer service, payment providers, delivery partners, development resources, etc. However, this reliance on third parties also introduces risks to your cyber security and data protection that must be carefully managed.

Without management of these risks, a data breach at a third-party vendor can have a devastating impact on you. It can lead to the loss of sensitive data, financial losses and damage to your reputation. That's why it's so important to conduct thorough cyber security and data protection due diligence on any third-party vendor before you do business with them.

What is supplier due diligence?

Supplier due diligence is the process of gathering information to understand the credibility and suitability of a prospective partner or vendor. It aims to assess their security posture to identify any potential risks.

Performing checks is a standard approach to nearly all facets of life, e.g. family, work, education et al, so supplier due diligence should not be a foreign concept. Conducting supplier due diligence can help guide decision-making when choosing the right vendor, detect risks with potential suppliers and protect customer data in the process. It's also considered good business practice and can help mitigate future financial and reputational damage caused by a data breach.

What are the risks of not conducting supplier due diligence?

We live in a world where your business security could be theoretically perfect, and yet your data is still exposed. How? Through a supplier. Interconnected services and data sharing mean that their risks are your risks, and vice versa.

The risks of not conducting supplier due diligence are significant. If a third-party vendor is breached, your organisation could be exposed to a number of risks, including:

  • The loss of sensitive data
  • Financial losses
  • Damage to your reputation
  • Regulatory fines

Levelling up the supply chain together

Every business must surely have noticed the increasing importance being placed on supply chain security. The extra time spent filling in supplier due diligence questionnaires can’t have gone unnoticed, and it’s a key driver behind the increased ISO 27001 adoption. Though it might mean you spend more time on these activities, the reasons behind them are good: it means everyone’s assessing the risks and, I’d hope, taking steps to address them. In short, the whole supply chain is levelling up together.

Case Study: MOVEit

MOVEit, a popular file transfer software, was exploited by hackers, which impacted the security of hundreds of companies worldwide and exposed the data of hundreds of thousands of people. The hackers exploited a zero-day SQL injection vulnerability, and the sensitivity of the data the cyber criminals potentially have access to is notable: bank details, identification data and contact information, among much more.

The attacks follow a pattern of targeting key services within an organisation’s supply chain. For example, British Airways weren’t themselves attacked, but their customer data was still leaked because one of their providers used MOVEit.

It’s essential that the risks posed by your partners and providers are identified, codified, managed and mitigated. Be proactive and positive, but also make sure you get the assurance you need: ask to see evidence of recent penetration tests from a reputable pen test provider, and likewise for ISO 27001. If you identify a supplier as being high-risk, then don’t be afraid to insist on your own audits. Your partner will understand – after all, they might make the same requests of you!

Data protection due diligence

Many organisations can easily fall into the trap of neglecting the data protection side of the procurement process because their due diligence stops at cyber security. Whilst ‘cyber security’ takes more of the headlines, data protection has its own regulations and requirements that cannot be ignored. Article 28 of the GDPR states that a data controller must only use a data processor that can provide “sufficient guarantees” (particularly in terms of its expertise, resources and reliability) to comply with the UK GDPR and protect the rights of individuals.

Onboarding vendors to process your customers' or employees' data is implicitly stating that you trust them to process your personal data. This must be agreed upon by both parties by signing a Data Processing Agreement (DPA), which we talked more about in this blog.

It's recommended and best practice for supplier due diligence to be an ongoing process with data controllers reviewing a processor's compliance on a continual basis. Effective and regular due diligence can help safeguard a company from risks to its functionality, reputation, and finances.

How to do supplier due diligence?

Having a clear understanding of the vendor's business operations and how they interact with your organisation will help you to identify the specific risks that they pose. For example, if a vendor is providing cloud computing services, you will need to understand how they store and protect your data – asking for evidence of regular penetration testing and log monitoring or SIEM would be appropriate here. If they’ll process personal data, then asking about their GDPR policies and procedures, DPIAs and DPAs is relevant. And if these acronyms are a mystery to you, no need to worry – just reach out to a data protection officer for a helping hand.

The supplier due diligence process can be broken down into the following steps:

  1. Identify the vendors: this includes identifying all of the third-party vendors that have access to your data or systems.
  2. Gather information: this information should include the supplier’s security posture, their compliance with industry regulations, and their history of data breaches.
  3. Assess the risks: this involves evaluating the information you have gathered to assess the level of risk posed by each vendor.
  4. Make a decision: based on your assessment of the risks, you will need to decide whether or not to do business with each vendor.

This information can be gathered through a variety of sources, including:

  • The vendor's website
  • Publicly available records
  • Interviews with the vendor's management team
  • Security assessments

You also need to assess the vendor's compliance with industry regulations and best practices, because this helps you ensure that they are taking the necessary steps to protect your data. For example, if a vendor is required to comply with the Payment Card Industry Data Security Standard (PCI DSS), you will need to verify that they are in compliance.

It is also important to have a strong contract in place that outlines the vendor's security obligations, as this gives you legal recourse if they fail to meet them. For example, your contract should specify the vendor's responsibility for data breaches and the steps they will take to notify you if a breach occurs.

Even after you have conducted due diligence on a third-party vendor, it is important to continue to monitor their security posture on an ongoing basis. This is because the security landscape is constantly changing, and a vendor that was considered to be secure today could be breached tomorrow.

Supplier due diligence checklist

Frameworks like ISO 27001 are a useful way to get you thinking in terms of risk, both within your organisation and from your suppliers. If you’re struggling, Bulletproof has a team of friendly, experienced information security consultants who can help. As a headline guide, here is an outline supplier due diligence checklist for cyber security and compliance:

Cyber Security

  1. What is the vendor's security policy?
  2. How does the vendor manage access to their systems?
  3. What security controls are in place to protect data?
  4. How does the vendor handle security incidents?
  5. Does the vendor have any known security vulnerabilities?
  6. What steps do they take to gain oversight of their security?
  7. Has the vendor been breached in the past?
  8. Do they train their staff?
  9. Do they penetration test at least annually and provide evidence?
  10. Do they map their security spending to their risks (such as via ISO 27001)?

Compliance & Data Protection

  1. Does the vendor comply with industry regulations?
  2. Do they comply with optional as well as mandatory regulations?
  3. What steps do they take to secure personal data?
  4. How do they demonstrate compliance with (e.g.) GDPR?
  5. Are all certifications relevant and renewed?

Reputation & Culture

  1. What is the vendor's reputation in the industry?
  2. Have there been any notable or voluminous complaints about the vendor's services?
  3. Does the vendor share your company's values?
  4. Do you feel comfortable working with the vendor's team?

Summing up supplier due diligence

Supplier due diligence is an essential process when seeking new vendors, as it allows organisations to make an informed decision on whether to proceed with a business partnership, and it should form part of business compliance strategies. Only by identifying and mitigating the risks posed by third-party vendors can you prevent a data breach.

Meet the author

Rebecca Bada Senior GDPR Consultant

As one of our more experienced data protection officers, Rebecca knows data protection inside and out. Her favourite topics to write about include UK & EU GDPR, DPO activities and the often-overlooked PECR regulations.