How Third-Party Risk Management Teams Evaluate E-Signature Solutions

Third-party vendor risk management is top of mind for many companies—and for good reason. Relationships with third-party vendors can increase a company’s threat profile and put them at risk of becoming the latest front-page headline. So, it should come as no surprise that third-party risk management teams conduct thorough due diligence before onboarding a new solution provider.

But how can you help the process along when it comes to selecting an e-signature solution provider? What are the critical elements to consider from a third-party risk perspective? It’s all about classification and compliance. 

While each third-party risk management team has its own tiering process for classifying vendors, most large organizations consider e-signature providers to be tier-one vendors due to the highly sensitive nature of the information that flows through the solution. With tier-one vendors, the scrutiny is more intense and assessments more frequent. 

And that’s where a good security and compliance program comes into play. ISO, SOC and other certifications have rigorous requirements in place that, if met, address the concerns that third-party risk management teams have when it comes to selecting an e-signature solution. 

But what are those concerns, and how can you do a little pre-screening to help ensure you pick a vendor that will meet their criteria? The concerns fall into eight topic areas against which you can evaluate an e-signature solution provider for potential risk, each focused on a different area of security, privacy and legal compliance. 

1. Information classification

How a vendor classifies the information that flows through the e-signature solution is critical and sets the stage for how effective they are in the next three topics. 

Why is this important?

Third-party risk management teams want to know that the information flowing through the e-signature tool is protected and how. You want a solution that is analogous to a traditional courier service delivering an envelope. The service tracks when the envelope is picked up, its delivery progress and the final delivery. At no point in the process does the courier see the information inside the envelope, and all parties have access to the tracking information throughout the process. 

What should you look for?

  • How they classify data
  • What data is considered public and what isn’t
  • Whether they differentiate between different types of internal data and how
  • Who can see what type of data

2. Information storage and encryption (in transit and at rest)

Appetite for security risk varies from organization to organization and depends on both how the industry operates and the corresponding legal and regulatory requirements. But no matter the industry, security is a central concern for all third-party risk management teams, and how data is handled is central to maximizing protection. 

Why is this important?

The key thing to remember when assessing a vendor in this area is whether that data is protected in motion and at rest. At no point do you want to risk your data being exposed.  

What should you look for?

  • A minimum of 256-bit encryption 
  • The security protocols they employ, e.g., HTTPS, SSL, SSH, IPsec, SFTP
  • What data/documents they encrypt 
  • What cipher suites they support
  • Whether or not they provide non-repudiation for all generated and signed documents
  • If they have a data disposal and re-use policy
  • What processes they have in place for equipment management and secure media disposal

3. Data privacy

Third-party risk management teams come at privacy from three perspectives: 

  • How personal data is used
  • Whether users are given the option to opt-in or out of receiving information 
  • How private information, such as personally identifiable information (PII) and protected health information (PHI), is handled

Why is this important?

As with classification, storage and encryption, it’s all about protecting users’ data. Does the e-signature solution provider have a privacy program in place, and will it pass the scrutiny necessary to meet the most highly regulated industries, like healthcare? And when you add in the transfer of data between countries, especially in and out of the European Union, then you need to ensure that the vendor is compliant with the General Data Protection Regulation (GDPR), the most important data protection regulation in over 20 years. 

What should you look for?

What data management and privacy practices do they have in place around: 

  • Data subject rights
  • Data deletion and retention
  • Data access
  • Data residency
  • Subprocessors
  • Privacy notices
  • Training and awareness
  • Governance and accountability
  • GDPR and other privacy regulations

4. Access controls

In this area, the focus is on whether the company controls who can access what type of data and when. 

Why is this important?

Third-party risk management teams want to make sure that employees and other individuals only have access to the information they need to do their jobs and nothing more, and that there are processes in place to remove that access when the employee changes jobs or leaves the company. And most importantly, they want to make sure that no one has access to the data in the envelope (the courier service analogy). 

What should you look for?

  • Customizable role-based access and authorization for vendor employees and customers
  • Centralized management system that controls access via multi-factor authentication
  • A network management system, complete with anti-virus software and malware detectors
  • A key management and encryption program 
  • Automatic processes for detecting potentially harmful code 

5. Sustainability

With sustainability, it’s all about carbon footprint and the impact the company is having on the environment. 

Why is this important?

Sustainability is a hot topic for everyone—with good reason—and no one wants to be associated with a company whose carelessness is doing harm to the environment, as it will reflect poorly on them. 

What should you look for?

  • Whether they’ve been fined for infractions
  • The amount of waste and emissions they generate, and the number of resources that are used across the supply chain and throughout the product lifecycle 
  • Whether they foster environmental responsibility with programs that help replenish the ecosystems

6. Ethical behavior 

Ethical behavior covers issues such as forced labor, human trafficking and other similar actions. While the U.K. and Australia have Modern Slavery Acts, its importance from a third-party risk perspective extends beyond these geographies to countries like the U.S. as well. 

Why is this important?

Like with sustainability, and really any of the 8 categories, companies want to know the organizations they do business with are ethical. And being associated with a company that uses forced labor, for example, will most definitely tarnish your business’s reputation and increase your risk profile. 

What should you look for?

  • Whether there’s a policy in place, and how it’s enforced
  • What type of training is in place for employees
  • If the policy and training include the providers’ third-party vendors

7. Business continuity and disaster recovery

Stuff happens, and a business continuity and disaster recovery plan ensures that access to products and services will continue even during a global pandemic, natural disaster or similar catastrophic event. 

Why is this important?

Because the need for something doesn’t vanish just because the supply chain is disrupted. People still need toilet paper, and contracts still need to be signed, so you need to know there’s a plan in place to make sure business can recover and continue.  

What should you look for?

  • Whether there’s a plan in place, and whether it covers pandemics
  • What the plan comprises, which should include: 
      • Annual testing of the plan (at minimum)
      • Built-in redundancy with geo-dispersed datacenters
      • Near real-time secure data replication 
      • Elimination of single points of failure 

8. Vendor risk management 

In this area, third-party risk looks at how the e-signature provider manages and holds accountable their third-party vendors. 

Why is this important?

You want to ensure that anyone touching your data has the proper protocols in place and is following them. 

What should you look for?

  • Whether vendors are required to follow the same protocols that the company has internally
  • If regular audits/assessments are done to ensure subprocessors are conforming to the e-signature provider’s internal protocols
  • If the provider is responsible for acts and omissions of its subcontractors 

Final thoughts

When it comes down to it, third-party vendor risk management is really about compliance and how thoroughly the e-signature solution provider meets national and international security standards for protecting data and ensuring privacy. 

A company that complies with regulatory and industry standards, like ISO 27001:2013, SOC 1 and SOC 2, Payment Card Industry Security Standards Council (PCI SSC) and the Cloud Security Alliance (CSA) Security Trust Assurance and Risk (STAR) program, to name a few, demonstrates they have the policies and procedures in place to protect the data they’re responsible for handling. 

And that’s the beauty of such certifications. They make it easier for you and your third-party risk management team to assess whether the e-signature solutions you’re evaluating can offer the level of protection that your company needs and your industry demands. 

For information on DocuSign’s security and privacy programs and how we meet and exceed standards worldwide, visit the DocuSign Trust Center.
