
Managing Third-Party Risk: Due Diligence Best Practices for Service Providers Handling Confidential Information


Organizations rely on a wide range of third‑party service providers to support their operations. Common examples include bookkeeping services, client relationship management systems, document and email archiving solutions, IT support, financial planning software, and custodians. Selecting the right providers is a critical decision, as these partners help keep operations running effectively and often have access to confidential information about the organization and its clients. Without a careful and deliberate approach, organizations expose themselves to significant financial, regulatory, and reputational risks.

Compliance with regulations such as Regulation S‑P and Regulation S‑ID requires protecting client data and implementing measures to mitigate identity theft. This article highlights four common shortcomings frequently identified in internal audits and regulatory examinations and offers practical best practices to address them.

Even if your organization is not yet subject to federal or state regulations, the guidance outlined here can support the handling of non‑public client information, strengthen collaboration with regulated partners, and help align vendor oversight practices with future regulatory expectations.

Common Findings & Best Practices

1. Failure to Conduct Risk Assessments

Many firms lack a formal process for evaluating and documenting the risks posed by their third‑party vendors. A common issue is treating all vendors the same, regardless of the type or volume of client data they can access.

Tips & Best Practices:

  • Document your risk assessment and conduct a thorough review at least annually.
  • When classifying vendor risk, evaluate key factors such as the type of data accessed (including sensitive personal information), whether access is limited to certain clients or extends to all clients, availability of SOC reports or other independent testing, use of fourth‑party vendors, federal regulatory status, and examination history.
  • Use the results of your risk assessment to determine the appropriate frequency for ongoing vendor oversight.

2. Missing Contractual Protections

Several deficiencies have been identified in vendor agreements, including missing data protection provisions, the absence of defined incident response timelines, a lack of rights to obtain SOC or other assurance reports, insufficient management of subcontractor risk, and missing clauses related to data return or destruction.

Tips & Best Practices:

  • Develop a comprehensive contract review checklist and use it to reconcile against vendor agreements to confirm that all essential areas are addressed.
  • For any gaps not covered in the agreement, review the organization’s privacy notice along with relevant internal policies and procedures to determine whether compensating controls exist, and ensure that all identified gaps, along with any mitigation steps, are clearly documented.

3. Inadequate Written Policies &amp; Procedures

Many compliance policies were overly generic and did not provide sufficient detail on vendor management procedures. They often failed to outline the required steps for initial due diligence or ongoing monitoring, and did not specify when or how control reviews should be performed.

In some cases, policies addressed only initial due diligence and omitted expectations for ongoing oversight. In others, procedures listed the documents to collect and review but did not include steps to demonstrate or evidence that the reviews were actually completed.

Tips & Best Practices:

  • Clearly state that due diligence must be completed before granting third‑party access to organizational data. For ongoing oversight, define specific review intervals (e.g., annually or based on the vendor’s risk rating) rather than using vague terms such as “periodically.”
  • Describe how documentation requirements will vary based on relevant factors, such as each vendor’s risk classification or the availability of certain reports. For example, you may require negative news searches for all vendors, while SOC 2 reports may be required only for higher‑risk vendors.
  • Clarify how reviews and their outcomes are recorded, for example by memo or checklist.

4. Insufficient Vendor Documentation Gathering &amp; Review

Organizations often face challenges in determining which documents to request from vendors at the start of the due diligence process. In several instances, vendors made SOC 2 reports available, but these were not obtained.

For vendors that did not have a SOC 2 report, there was no defined procedure for requesting alternative documentation to validate data security controls. In some cases, firms granted access to sensitive client information based solely on reviewing a privacy policy.

Tips & Best Practices:

  • Inform the vendor that your organization is subject to privacy and information security regulations, and request a comprehensive “due diligence package” outlining their data security practices. This often provides more complete information than asking for individual documents.
  • Identify the scope of the vendor’s independent testing and request their most recent SOC 2 report or comparable assurance documentation, if available.
  • Request copies of all relevant privacy, identity‑theft prevention, and information security policies and procedures.
  • Conduct an online search – using AI tools as needed – for negative news or incidents related to data loss, breaches, or other security concerns involving the vendor.
  • Develop a due diligence checklist that documents what was reviewed, who completed the review, the date of completion, and whether the results were satisfactory. When issues arise, include notes describing how they were investigated and resolved.
  • If your firm lacks internal expertise, consider partnering with an external provider to assist in reviewing SOC 2 reports or other technical documentation.

Strengthening Your Vendor Management Program With Wolf & ITA Compliance

Due diligence and vendor monitoring programs should consider a wide range of factors, including the type of information shared, the nature of each vendor relationship, and the specific services being outsourced. Effective programs tailor both initial due diligence and ongoing monitoring to the organization’s unique risks, objectives, and operational needs.

Many organizations rely heavily on third‑party vendors but are not always confident that their vendor management practices would withstand regulatory scrutiny. Inconsistent due diligence, outdated policies, and limited ongoing monitoring can quickly become issues – especially when regulators begin asking questions.

Wolf helps organizations strengthen their vendor management programs in clear, practical, and realistic ways, while ITA provides independent testing to offer an objective view of what is working well and where gaps remain. Together, these services give you a more accurate picture of your vendor‑related risks and support you in building a program you can feel confident in – whether you are making incremental improvements or starting from scratch.

Reach out to Brian Shea or Nathan Jodat to explore practical ways to enhance your vendor oversight framework.
