Totally agree with you. However, in my head it was, "hey lawyer, what should we do to protect ourselves against breaches by our vendors?" Lawyer thinks, well, we do due diligence for M&A, financings etc. etc. so why not for onboarding vendors. Course, now this process is codified into law.
Probably the lawyers asked for it.
As in, if $VENDOR gets hacked and we did no due diligence, we are definitely liable for $VENDOR's incompetence. If we can prove we attempted some form of due diligence, with a paper trail, we might have a fighting chance.