Vendor Due Diligence

Third Party Vendors

Even if your firm has the most robust security program in place, your firm’s data is only as secure as the weakest vendor with access to your data.

The vendors outside your walls also have access to your data, therefore it is critical to ensure their cybersecurity practices meet yours and industry standards. Drawbridge Partners will assist your firm with this process.

U.S. federal regulators are more aware of cybersecurity risks than ever and various agencies have issued cybersecurity guidelines and standards.

With data security having become a hot button topic for regulators and investors, oversight of your third parties who have access to your sensitive data is no longer simply best practice but rather expected.  Extensive due diligence of third parties is no longer optional; it is required.

Drawbbridge Partners

will help you develop a thorough vendor due diligence program for your firm

Data Mapping Exercises

To create a due diligence program, Drawbridge Partners must first understand who has access to your firm’s data.  A thorough data flow analysis to determine how your vendors access data, who specifically has access to your data, and for what purpose the data is being consumed are all critical components of a due diligence program.

In conducting our data flow analysis, our team occasionally discovers that Firms share more sensitive data with vendors than they had anticipated and/or share sensitive data with more parties than just the contracted vendor. Either situation presents a cybersecurity risk for your firm.

This data mapping exercise is critical to uncovering data flows that your firm may be missing.


Once a data mapping exercise is completed, Drawbridge Partners will conduct an analysis of each of your firm’s vendors. Drawbridge Partners’ proprietary due diligence method suggests a minimum baseline security level be set for all vendors your firm engages with, regardless of the vendor’s size or service provided to your firm. Setting a standard security level assures cybersecurity conformity across your vendor engagements.

Our review process will culminate with a Third-Party Risk Assessment which we will provide to your firm. The Third-Party Risk Assessment identifies the scope, methodology used, which vendors were reviewed, and any vulnerabilities found with the vendor which should be addressed. The Third-Party Risk Assessment provided by Drawbridge Partners is delivered in a format that firms can present and deliver to board members, regulators, and investors.


Learn More

Give Us a Call