Third-Party Cyber Due Diligence

The vendors, partners, business associates, and software developers that most organizations depend on for much of their outsourced operations and support can, ironically, represent a company’s least visible security vulnerabilities and the most challenging and difficult ones to correct. Every cybersecurity framework and regulation focuses significant guidance and enforcement effort on companies’ policies and processes to set requirements, audit, and validate risk remediation throughout their data supply chains.
Ankura helps clients design and establish third-party cyber and privacy risk management programs, and we staff project offices with experts who go into the field to help clients gain visibility into the cyber risk posed by their vendors and business associates and correct material shortcomings.

Solutions include:

  • 23 NYCRR Part 500 third-party risk management policies and programs under Sections 500.03 and 500.08
  • Assessments required under HIPAA around the privacy and security risk posed by business associates
  • Procurement frameworks that specify security expectations for bidders and for purchasing staff, including language suitable for RFPs, RFQs, RFIs, and contractual SLAs
  • Third-party due diligence in the merger and acquisition process for buy-side clients and private equity firms
Get in Touch
Robert Olsen
Senior Managing Director
Ankur Sheth
Senior Managing Director