
> I don’t have any idea how they caught on.

Probably the lawyers asked for it.

As in, if $VENDOR gets hacked and we did no due diligence, we are definitely liable for $VENDOR's incompetence. If we can prove we attempted some form of due diligence, with a paper trail, we might have a fighting chance.




The thing is, lawyers aren’t asking for these. It’s mostly security bureaucrats who approve software purchases or SaaS agreements.

Someone will say, how are we making sure that we can trust our vendors?

Someone else will say, let's hire someone to put in charge of making sure we buy the right things. Someone who claims to be a security expert.

A “security expert” says, we will ask them for their audit reports. As an expert, I will read them and tell you if they are secure.

It’s just paper pushing.


Totally agree with you. However, in my head it was, "hey lawyer, what should we do to protect ourselves against breaches by our vendors?" Lawyer thinks, well, we do due diligence for M&A, financings etc. etc. so why not for onboarding vendors. Course, now this process is codified into law.

I have an idea for a better way... :)



