Defining Due Diligence

Regulators are putting the hurt on companies with weak vendor management programs. For service providers large or small, this means your client businesses are required to ask you for more detailed, often non-public information about your business, especially regarding your financial performance, operations, and controls for managing security and risk. Your clients need this information to perform a risk assessment, so they can make a more informed decision about relying on you to provide them with services. Most view Due Diligence as a bunch of boring paperwork, reporting, and compliance overhead. In this series of articles we’re going to teach you how to transform Due Diligence requests into a serious competitive advantage!

Get the edge on your competition – Be prepared, timely, and thorough with Due Diligence Requests

Who would you pick to provide your business with a critical service – the one that responds with “Uh… Due diligence? SOC 2? Audit? I’m not sure… I’ll have to put you in touch with our CFO/CEO/Security Person/Etc…” or the one that says “Glad you asked, I was just about to bring that up! I’m sending you our Due Diligence package right now; it’ll come to you through our encrypted email service, so keep an eye out for it.”

I know which one I’d go with after that conversation. By being prepared to answer Due Diligence requests quickly and professionally, you will crush your competitors.

Five types of information you should consider

Okay, we’re done beating you over the head with why it’s important, and how you can profit from being ready for it. Let’s break down the first five crucial components of a Due Diligence package:

  • Audited financial statements, annual reports, SEC filings, and other available financial indicators: Depending on the nature and criticality of the service(s) you provide, your customers may be required to determine if your business is likely to be around for the duration of an extended contract, or that you have access to the capital you may need for expansion, new equipment, or other costs in order to provide them with the service.
  • Significance of the proposed contract on the third party’s financial condition: Clients need to determine whether the proposal is a huge part of your annual revenue or business as usual. It may impact a risk assessment and what other questions they ask you. They have to ensure that the proposal is the right fit, and not being pushed because it’s a huge boost for your company’s coffers.
  • Experience and ability in implementing and monitoring the proposed activity: How many total customers do you have? Are you staffed adequately to meet the contract’s terms? How long have you been providing the service to others, and what licensing/certification/experience does your company have in doing so? Clients have to answer these questions as part of their risk assessment process.
  • Business reputation: Have you been in the news for a breach, lawsuit, or other issue? What do others say about your business? Clients are going to ask you for references, and will do additional research on their own. Provide them with at least three independent contacts, and cover any other relevant information with them.
  • Qualifications and experience of the company’s principals: Provide a brief fact sheet that outlines your leadership team at a high level. What are their backgrounds? Education, licenses or other qualifications? How about their experience as leaders and with the industry? This is another part of any Vendor Management program that they’ll be asking you about.

That’s probably enough to chew on right now. Next time we’ll cover five more types of information you can have ready for your customers. Provide them with the best experience possible and get a leg up on the other providers they may be considering!

Dealing with information security, Due Diligence, and other Risk Management issues can be a time-intensive, frustrating hassle. Don’t burn valuable time and energy becoming a risk or security expert. You have a business to run!

Let our experts do the heavy lifting for you. You’ll get peace of mind and feel confident that your due diligence package was designed or reviewed by professionals who live and breathe these best practices every day.

Stefan Dorn
Senior Security Analyst (Team Lead) at FRSecure
Stefan Dorn is a technical leader and entrepreneur with 15+ years of technical and director-level management experience in IT infrastructure and security program development. Stefan leads FRSecure’s technical team, focused on penetration testing, purple teaming, digital forensics and incident response (DFIR). FRSecure’s technical team is continuously training on the latest tactics and techniques, resulting in cutting-edge methodologies that drive FRSecure’s technical security services.