Cyber Complications for Vendor Risk Management

Emily Larkin
October 21, 2019
Read Time: min

In a marketplace where data is shared and distributed at record speeds, third-party or vendor risk management is a challenge for most businesses. The banking industry is no stranger to this. The spotlight from federal and state regulators continues to shine on the use of third parties, and the pressure for those vendors to meet regulatory guidelines has greatly increased. This is especially challenging with cloud-based providers where cybersecurity concerns are even greater.

We are seeing banks moving to the cloud for a number of services ranging from core processing to lending. This movement to the cloud requires a robust vendor due diligence process and rigorous ongoing third party management that includes a focus on cybersecurity controls.

If your bank is considering partnering with a vendor, consider the following areas of cyber due diligence before signing a contract:

Establish a risk rating for your vendors. Just as risk ratings are a foundational element of sound lending decisions, creating a systematic approach to rate your prospective and current vendors based on the risk they pose to your business is essential for establishing the level of oversight they require. Ratings should be based on the risk they pose to the business. Helpful measures in determining that risk include the type of data you are sharing with the vendor, the ability to quickly replace that vendor, the vendor’s reputation in the market, and the amount of investment you are making with the vendor.

Understand the vendor’s financial stability. While this is not directly related to cybersecurity controls, it is imperative to acquire the necessary assurances that the vendor you are working with will be around in the long run. This is especially critical with cloud-based offerings, as they have control of the software or platform and if they go out of business, then your institution will not have the ability to run the solution internally.

Get it in writing. Whether it’s external audits, testing, or attestation, look for the vendor to provide external assurance regarding the state of their secure practices and governance. This includes system and organization controls, or SOC, reports, penetration/vulnerability assessments, and ISO certifications.

Know how many parties are involved. Just because you’re enlisting a third party doesn’t mean that’s where the parties end—there may be fourth and fifth parties involved. A number of solution providers build their environment within a cloud provider such as Amazon Web Services or Microsoft Azure and assume security is being managed. This is a big misconception. While AWS and Azure offer great options for businesses, they are not responsible for the security of the data. The vendor you are contracting with is responsible. Ensure that your vendors are layering the appropriate controls within their cloud provided solution and can share with you the steps they take to manage their cloud-based vendors. Vendors using AWS, Azure or other hosting providers should provide their own independent attestation of their security controls, not simply handing over an AWS or Azure SOC report.

Have transparency of internal controls. Banks should hold their vendors to the same level of regulatory guidance that they hold themselves. This means asking critical vendors to supply documentation affecting the security and protection of your data, including:

  • Policy documentation
  • Business continuity planning documentation
  • Proof of insurance
  • Details regarding their information security and cybersecurity programs
  • Vulnerability detection and management.

Thoroughly assess your contract. Ensure the appropriate cyber protections and terms are noted in the contract. Look for the vendor to highlight their cyber controls and commitment to follow regulations and laws within the contract. Ensure they are willing to assume a reasonable amount of liability and provide the appropriate notification and incident management procedures in the event of a data breach. Also, depending upon the type of vendor and their risk rating, look for service-level agreements with financial implications if they are not met.

We don't just build great software. We support it with unmatched industry expertise.
learn more

Ongoing Vendor Management

In addition to initial vendor due diligence, organizations are required to follow an ongoing systematic approach to managing their third-party relationship. For some, this may be a spreadsheet approach, for others, it may be a third-party governance package. Whatever your institution chooses to tackle it, ensure that your approach is consistent and aligns with your vendor management policy. Regulators look for your management of vendors to be appropriate for the size, scope and complexity of your organization. This is intentionally vague and requires institutions to be thoughtful and intentional in maintaining their vendor management program and adjusting it when there are changes to the size, scope, and complexity of the organization.

Because of the number of vendors that are entering and exist in the financial space and the amount of data we share across these vendors, organizations have started to carve out dedicated roles and job descriptions to manage the vendor burden. Regardless of whether banks manage it internally or outsource it, the regulatory burden lies with the institution. It is critical that banks stay current with regulatory expectations and potential risks.

About the Author

Emily Larkin

Emily Larkin has over 20 years of experience in information technology and information security, all within financial services. She joined Sageworks in 2014 and brought to Abrigo an extensive background in enterprise security, data center management, disaster recovery/business continuity, IT regulatory compliance and examinations for financial institutions (FFIEC), and risk management. Prior to Abrigo, she led the IT and info security teams at Infosys McCamish for 18 years. Emily graduated with honors from Hobart and William Smith Colleges and is a frequent speaker and columnist on technology issues.  One of Emily’s favorite quotes is by Olympian Mia Hamm:
"There are always new, grander challenges to confront, and a true winner will embrace each one."
Emily says,
“To me this embodies our desire to win in all areas – servicing our customers, providing the best products, and creating an exciting and growing work environment."

Full Bio

About Abrigo

Abrigo is a leading technology provider of compliance, credit risk, and lending solutions that community financial institutions use to manage risk and drive growth. Our software automates key processes — from anti-money laundering to fraud detection to lending solutions — empowering our customers by addressing their Enterprise Risk Management needs.

Make Big Things Happen.

 

Looking for Banker’s Toolbox? You are in the Right Place!

Banker’s Toolbox is now Abrigo, giving you a single source for all your enterprise risk management needs. Use the login button here, or the link in the top navigation, to log in to Banker’s Toolbox Community Online.

Make yourself at home!