I have a challenge from our 2nd line function: they believe our current supplier cyber security control is deficient, as we do not continue to conduct reviews of suppliers where those suppliers retain information gained during the supplier relationship (e.g. any records the supplier is itself mandated to retain by regulation, etc.).
I'm not sure I fully understand the scenario, but the time to address this is before you give them the information. For example, agreements covering non-disclosure, data retention, secure destruction, etc. should be part of the supplier agreement. I suppose part of that could also be that you as a former customer are entitled to review the supplier during and after termination of your relationship, but what recourse do you have if the supplier doesn't or can't cooperate?
I had a situation, maybe not quite on par with yours, where a vendor from several years prior had intellectual property belonging to a company. That vendor had been acquired by a larger company, and then eventually that company had been acquired by a global giant. It became impossible to figure out what they still had.
One way of addressing something like this would be through some digital rights utility where you can revoke the key necessary to access the data. That said, you'd still want all those other agreements to guard against screenshots, etc.
For compliance to suggest an ongoing review of a former supplier seems really awkward. If anything it may increase liability because it says you're OK with them holding onto this information or at least that it is your job to confirm that it is gone.