Nearly one in five (19%) data breaches last year stemmed from the compromise of a business partner or other third party. As reliance on third parties grows and the categories of risk they introduce expand, organizations need a broader toolset for evaluating those risks. Due diligence questionnaires and security questionnaires are both tools for evaluating the risk of entering into a business agreement with a particular vendor; of the two, security questionnaires are the essential tool for evaluating third-party cyber risk.
What is a Due Diligence Questionnaire (DDQ)?
A due diligence questionnaire, often referred to as a DDQ, is a comprehensive set of questions and requests for information that a company sends to a vendor to evaluate how the vendor complies with industry standards, regulations and the company’s own policies, and how it manages its cybersecurity strategy to defend against a data breach. It is a type of vendor risk assessment tool used when a company makes critical business decisions, such as whether to enter into a new vendor relationship or partnership.
Why are Due Diligence Questionnaires Important?
A due diligence questionnaire helps determine the potential risk involved in a business decision by asking about issues such as the vendor’s security and compliance policies, financial investments, and current legal and business contracts. Due diligence questionnaires help ensure that details aren’t overlooked, so that your company makes the right decisions for its business.
Because they need to be detailed, DDQs can quickly become unwieldy or filled with technical jargon. To counter this, many organizations have developed standardized DDQ templates, each focused on a particular category. The list below is only a sample of the different types; in practice, hundreds of DDQ variants exist.
9 Different Types of Due Diligence Questionnaires
Regardless of the specific type of due diligence questionnaire, all of them should gather information on the vendor’s cybersecurity posture, data and information security, and network management, in addition to its business continuity and disaster recovery plans. Questions should cover whether the vendor has ever undergone a vendor assessment and whether its IT team is able to handle security incidents such as data breaches and attacks. They should also assess how detailed and realistic the disaster recovery plans are, and whether they would be sufficient in the event of an attack or security incident.
Different types of DDQs include:
1. Operational DDQ
An operational DDQ examines a company’s operational processes, supply chain, technology infrastructure and performance metrics. It helps assess the company’s ability to meet its goals and obligations. Questions may cover identifying critical dependencies in the supply chain, how relationships with suppliers are managed, and the details of the company’s IT infrastructure.
2. FCPA DDQ
An FCPA, or Foreign Corrupt Practices Act, questionnaire seeks to determine whether a company is complying with the U.S. federal law that prohibits paying bribes to foreign officials. It is relevant during mergers and acquisitions and other investment opportunities. Questions focus on areas such as compliance programs, third-party relationships, employee anti-corruption training and any history of corrupt practices.
3. Legal DDQ
Legal issues can be a deal-breaker, and it’s best to learn about them before entering into a new business relationship. A legal DDQ seeks information on past or pending litigation, intellectual property rights, contracts and regulatory compliance in order to understand any legal risks posed by the business relationship. It may also include questions about corporate structure, including partners, subsidiaries and affiliates.
4. Compliance DDQ
If you’re doing business with a company, it may be subject to the same regulations and compliance obligations that you are. A compliance DDQ investigates whether the company adheres to the specific industry regulations and legal requirements that matter to you, since a partner that doesn’t take those regulations seriously can expose you to significant risk. Organizations conduct this at key points in their business investment, such as mergers or acquisitions.
5. Human Resources
A human resources DDQ assesses the workforce, including employee contracts, compensation and any pending HR-related legal issues, in order to identify potential liabilities, check adherence to current regulations, and evaluate existing employee policies, contracts and procedures.
6. ILPA Limited Partners
The Institutional Limited Partners Association (ILPA) DDQ consolidates questions from other DDQs used in the industry, standardizing the due diligence process that limited partners apply to private equity fund managers. Its overarching goal is to align fund managers and investors on alignment of interest, governance and transparency, while eliminating the need for each firm to develop its own custom questionnaire. For example, the ILPA DDQ includes questions related to equity.
7. Insurance DDQ
Insurance due diligence questionnaires evaluate the procedures for filing and processing insurance claims, the financial position of the insurer, the details of the policy and its coverage, and the criteria used in the underwriting process. The goal is to give an organization the information it needs to determine whether the insurer suits its needs and risk management policies.
8. Cybersecurity DDQ
Cybersecurity due diligence questionnaires evaluate the security posture of a business in a comprehensive manner. Questions cover the size, structure and skills of the vendor’s cybersecurity team, its information security management practices, and its current controls and protocols, to determine whether any of them need to be adjusted. Cybersecurity due diligence questionnaires can be used both at the start of a business relationship and on an ongoing basis to assess and strengthen the security posture of the business in question.
9. Business Relationship
This DDQ takes a closer look at the potential business partnership with a particular vendor. Questions examine the vendor’s financial statements, ethical issues, legal compliance, and the operations and practices of the business in question, to determine the risk it poses to your business.
How Due Diligence Questionnaires Differ from Security Questionnaires
Although both due diligence questionnaires and security questionnaires are conducted before entering into a potential business relationship, they are fundamentally different in nature. Security questionnaires are highly technical documents that can readily be standardized, whereas due diligence questionnaires leave more room for interpretation.
Other key differences include:
- The industry. DDQs are more common in the financial industry, whereas security questionnaires are more common in the technology industry.
- The scope. Due diligence questionnaires cover a broad range of topics, whereas security questionnaires focus on compliance and evaluate the effectiveness of the security controls and best practices used to protect the company against cyberattacks and data breaches.
- The process. DDQs are broader in scope and are typically repeated at intervals throughout the vendor relationship, as the company pursues new business opportunities and partnerships, rather than only at onboarding.
How Panorays Security Questionnaires Help You Minimize Third-Party Risk
While vendor due diligence questionnaires are an important tool for your organization to have in its arsenal for assessing vendor risk, security questionnaires focus specifically on third-party cyber risk. By combining customizable security questionnaires with external attack surface assessments, Panorays automates your third-party risk management, delivering visibility into your third, fourth and n-th party vendors and a cyber risk rating based on the assessment. With an understanding of how your vendors comply with regulations like GDPR, CCPA and NYDFS, you’ll be able to proactively guard against third-party threats across your entire digital supply chain.
A due diligence questionnaire is a tool an organization uses before entering a business relationship to evaluate vendor risks related to compliance, cybersecurity, new investment opportunities, past and current lawsuits, human resources and more. There are many types of due diligence questionnaires, each evaluating risk from a different angle.
A due diligence questionnaire (DDQ) and a security questionnaire differ fundamentally in scope and process. DDQs are typically broader in scope, whereas security questionnaires focus on evaluating the security controls and best practices used to protect a company against cyberattacks and data breaches. While both are used when entering into new vendor relationships, DDQs are also typically repeated at regular intervals throughout the vendor relationship.
A simple example of due diligence is a company planning to merge with another, which will require it to staff, consolidate or eliminate departments across both companies. An HR DDQ would assess the two companies’ workplace policies and corporate structure, as well as any compliance and legal issues, to minimize the risks posed to the merged company.