The Due Diligence Imperative: Homes, Cars, and Software
By Kabir Manocha
Tue | Sep 16, 2025 | 4:21 PM PDT

Would you buy a house without an inspection? Would you buy a car without a Carfax report? Then why buy software without due diligence? These are big decisions and investments: for an individual or family, a house or a car; for an organization, commercial or enterprise software.

What is TPRM?

Due diligence on third-party software, usually called third-party risk management (TPRM) or vendor risk management (VRM), is the practice of identifying and managing the risk that comes with engaging external vendors, contractors, software, and service providers.

Why due diligence matters

Last year's CrowdStrike incident, in which a faulty content update to the Falcon sensor crashed Windows hosts worldwide, highlighted how much businesses rely on third-party technology providers. The widespread outage, which impacted essential services like air travel, banking, and healthcare, demonstrated that insufficient due diligence on these external partners can severely threaten a business's ability to operate. It was not a breach, yet it took critical services down all the same. The incident also prompted the Financial Conduct Authority (FCA) to reiterate that financial firms must be able to prove their operational resilience, maintaining critical services even during significant disruptions.

While CrowdStrike is commercial endpoint protection software, free software that seems too small to warrant a comprehensive risk assessment can also end up costing an organization thousands of dollars in regulatory fines and legal penalties. Most often it brings reputational damage too, and for well-known organizations, a New York Times headline.

At Drexel University, we do not differentiate between free and commercial software. We assess the risk posed by every third-party application, from educational software like Padlet to customer relationship management software like Salesforce, and ensure that all community members using it in their day-to-day work understand the risk and take appropriate measures to manage it.

Two terms are worth separating. Inherent risk is the risk a purchase carries before you apply any controls: a used car can suffer a tire blowout or a mechanical failure, and a house can develop problems no matter how carefully it was built. Residual risk is what is left after due diligence and controls: even after following every recommended step in the inspection period, it is still not guaranteed that the house will have no problems a year or two later, and no amount of maintenance rules out a breakdown on the road.

Third-party software is the same. It has inherent risk (the data it will hold, the systems it will touch), and some residual risk remains after assessment and contractual controls. Our goal is to identify these risks, manage them, and reduce them to a level that is acceptable to our organization.

Now, how do you get started?

1. Assessment criteria

First, you need to define your assessment criteria. We use an intake form to triage vendors and determine whether a comprehensive risk assessment is required. The form covers:

  • Type and volume of data: Will the software store or process sensitive data such as PII, PHI, or FERPA-protected education records? How many users will use the software? How many user records will be stored?

  • Operational criticality/importance: How important is the software to operations? Is it a mission critical software? What impact will it have should there be any disruption?

  • Access to systems: Will the software integrate with any enterprise or other critical systems?

  • On-prem vs. hosted: Will the software be hosted on-premises or in the cloud? For on-premises deployments the organization has full control of, and full responsibility for, security and maintenance; for cloud services that responsibility is shared with the vendor, so the vendor's own security posture matters more.

  • Cost/value of software: The higher the cost, the larger the financial and operational investment, and the more comprehensive the review should be. Low-cost or free software may not warrant a thorough review, but a basic assessment is still important so that potential risks are known should there be a security incident or data breach.
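As an added example (not Drexel's intake form or scoring, which the article does not publish), the triage below maps answers to the five intake criteria to an inherent-risk score and an assessment tier. The weights, thresholds, tier names and sample vendor records are all assumptions constructed for illustration; the one rule taken from the text is that free or cheap software never drops below a basic assessment, and that regulated data or enterprise integration pulls the tier up regardless of cost.

```python
"""Vendor intake triage: intake-form answers -> inherent-risk score -> assessment tier.

Added example; weights, thresholds and sample records are assumptions, not a standard.
"""
from dataclasses import dataclass
from enum import Enum


class Tier(str, Enum):
    BASIC = "basic"                  # review public trust center, confirm no sensitive data
    STANDARD = "standard"            # questionnaire (HECVAT Lite or similar) plus SOC 2 / ISO 27001 evidence
    COMPREHENSIVE = "comprehensive"  # full questionnaire, assurance reports, security clauses in the contract


# Assumed weight per data classification; the most sensitive class present counts.
DATA_WEIGHT = {"public": 0, "internal": 1, "pii": 3, "ferpa": 4, "phi": 5, "pci": 5}
REGULATED = {"ferpa", "phi", "pci"}  # assumed: always forces the full review


@dataclass
class Intake:
    vendor: str
    data_types: list[str]             # classifications the software will store/process
    user_count: int
    record_count: int
    mission_critical: bool
    integrates_with_enterprise: bool  # SSO, SIS, ERP or other critical-system integration
    hosting: str                      # "on-prem" or "cloud"
    annual_cost_usd: float


def inherent_risk_score(i: Intake) -> int:
    """Additive score over the five intake dimensions (weights are assumptions)."""
    score = 0
    # Type of data: the most sensitive classification drives the weight.
    score += max((DATA_WEIGHT.get(d.lower(), 1) for d in i.data_types), default=0)
    # Volume of data and users.
    if i.record_count >= 100_000 or i.user_count >= 10_000:
        score += 3
    elif i.record_count >= 1_000 or i.user_count >= 100:
        score += 1
    # Operational criticality and access to systems.
    if i.mission_critical:
        score += 3
    if i.integrates_with_enterprise:
        score += 2
    # Hosting: in the cloud the vendor's controls protect our data, so their posture weighs more.
    if i.hosting.lower() == "cloud":
        score += 1
    # Cost/value: a larger investment earns a deeper review. Low cost never lowers the tier (see triage()).
    if i.annual_cost_usd >= 100_000:
        score += 2
    elif i.annual_cost_usd >= 10_000:
        score += 1
    return score


def triage(i: Intake) -> tuple[Tier, int, list[str]]:
    """Return (tier, score, reasons). Thresholds and floors are assumptions."""
    score = inherent_risk_score(i)
    reasons = [f"inherent risk score {score}"]
    if score >= 8:
        tier = Tier.COMPREHENSIVE
    elif score >= 4:
        tier = Tier.STANDARD
    else:
        tier = Tier.BASIC
    # Floors: free or cheap software does not escape review when the data or access warrants it.
    regulated = sorted(REGULATED & {d.lower() for d in i.data_types})
    if regulated:
        tier = Tier.COMPREHENSIVE
        reasons.append(f"regulated data ({', '.join(regulated)}) forces the full review")
    elif i.integrates_with_enterprise and tier is Tier.BASIC:
        tier = Tier.STANDARD
        reasons.append("enterprise integration requires at least a questionnaire")
    return tier, score, reasons


# Constructed sample intake records (fictional vendors, not real products).
SAMPLES = [
    Intake("ClassBoard (free)", ["internal"], 300, 300, False, False, "cloud", 0),
    Intake("Campus CRM", ["pii", "ferpa"], 2_000, 500_000, True, True, "cloud", 250_000),
    Intake("Free survey tool", ["phi"], 20, 500, False, False, "cloud", 0),
]

if __name__ == "__main__":
    for s in SAMPLES:
        tier, score, reasons = triage(s)
        print(f"{s.vendor:<20} {tier.value:<14} {'; '.join(reasons)}")
```

The third record is the case the article warns about: a free tool with a low score on every dimension except data type still lands in the comprehensive tier because it would hold PHI, and the reasons list records why, which is what you want in the ticket when a department asks why their free tool needs a full review.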

2. Inspection and due diligence

Have you ever bought a used car? I have. My due diligence started with a vehicle history report. Several companies such as Carfax, AutoCheck, and Bumper.com offer vehicle history reports providing information about accidents, title issues, and maintenance records. This helps buyers make an informed decision.

In the security world, the equivalent of a vehicle history report is the "security questionnaire" and the "independent assurance report." Which ones apply depends on the industry, compliance frameworks, regulations, security and privacy standards, and other variables such as the type of data or provider:

  • Generic – Standardized Information Gathering (SIG), NIST, ISO, CIS Controls

  • Industry- or regulation-specific – HIPAA, PCI DSS, GDPR, CCPA, HECVAT

  • Independent assurance reports – SOC reports, ISO 27001 certification

  • Type of data and product – CSA CAIQ (for cloud providers), CMMC (for controlled unclassified information)

As a higher education institution, we use the Higher Education Community Vendor Assessment Toolkit (HECVAT), created by leaders in higher education to evaluate technology vendors. While higher education institutions are not required to use HECVAT, the benefit of using it is twofold. The questionnaire is designed specifically for higher education, allowing institutions to address campus-specific needs, policies, and requirements. For vendors, it streamlines the process: they maintain one accurate and up-to-date standard questionnaire and share it with many prospects, saving valuable time and resources.

3. Continuous monitoring

After completing the initial due diligence for the house and the car, is the job done? No. You keep an eye out to ensure that everything from the electrical system to the roof, plumbing to HVAC, is functioning properly. In the case of the car, you watch for dashboard warning lights to ensure brakes, tire pressure, and fluid levels stay at optimal levels.

Third-party vendors are no different. You continuously monitor their security posture so that you can identify new vulnerabilities, data breaches, and other security exposures that could affect the institution. Third-party risk intelligence solutions like SecurityScorecard, BitSight, and Prevalent help manage ongoing third-party risk and provide early warning signals of security incidents. They also let you follow the principle of "trust but verify" by checking, from the outside, the security controls a vendor reported in its questionnaire and attestation reports; a questionnaire answer of "all external services are patched" is worth less once a scorecard shows expired certificates or exposed services on the vendor's domains.

4. Legal and contractual considerations

When buying a house or a car, there is a purchase agreement to protect both the buyer and the seller. There are several other agreements when financing through a third-party lender.

Similarly, a business transaction involving software or services is governed by legal and contractual agreements. These agreements describe the services provided, service levels, quality, pricing, and other terms. Shortcomings or missing controls in a third party's security program can be addressed through security clauses including, but not limited to, cyber insurance coverage levels, incident notification timelines, business continuity and disaster recovery obligations, external audits and certifications, data ownership and return or deletion at termination, and roles and responsibilities.

This is the final step in the due diligence process, and an essential one: company lawyers cannot stand up in court and argue that "the vendor promised on a Zoom call that they maintain data backups and regularly test them."

Final thoughts: what works for us may not work for you

While there are some standards in the due diligence process, it still varies a lot depending on the industry, company size, resources, budget, and so on. Like many other things, third-party risk management is not one-size-fits-all. Here are some thoughts to consider for your program:

  • Team sport: TPRM is a team sport. It requires communication and collaboration with all internal and external stakeholders. Internal departments such as Security, Privacy, Export Control, the Office of General Counsel (OGC), and others must work together to review and manage the risk. It is also important to work with peers and experts in the industry to gain broader awareness of emerging third-party risks.

  • Be flexible: A vendor may not have a big team or the resources to complete a security questionnaire of 200+ questions, but they may have a public Security or Trust Center page with relevant information about their security controls. Leverage it and cross-reference it against your security requirements, and note which requirements the public page leaves unanswered so you can ask about those specifically.

  • Embrace automation and AI: No security team today has time to review 300+ security questions per vendor. Build workflows to reduce the time and resources spent on low-risk vendors. Use AI tools to summarize and analyze security documents, but make sure you have an appropriate data protection plan before you feed confidential vendor documents into one: confirm where the tool sends and retains the data, that it does not train on your inputs, and that the NDA under which the vendor shared the SOC report permits it. Start with prompts such as "What are the key findings from the report?" and "What are the specific IT controls implemented by the vendor?"

  • Become resilient to the black swan: You may believe that a large team with all the necessary tools and resources can assess every vendor, but realistically, you cannot. There will always be users and departments who buy free or low-cost software on their own card, circumventing the formal security, legal, and procurement processes. Also, traditional risk assessments, built on known risks and historical trends, cannot account for inherently unpredictable events. A strong and resilient third-party risk management program will help absorb shocks and manage risk from all shades of swan.
