Skip to main content

Cyber Complications for Vendor Risk Management

Emily Larkin
October 21, 2019
Read Time: 0 min

In a marketplace where data is shared and distributed at record speeds, third-party or vendor risk management is a challenge for most businesses. The banking industry is no stranger to this. The spotlight from federal and state regulators continues to shine on the use of third parties, and the pressure for those vendors to meet regulatory guidelines has greatly increased. This is especially challenging with cloud-based providers where cybersecurity concerns are even greater.

We are seeing banks moving to the cloud for a number of services ranging from core processing to lending. This movement to the cloud requires a robust vendor due diligence process and rigorous ongoing third party management that includes a focus on cybersecurity controls.

If your bank is considering partnering with a vendor, consider the following areas of cyber due diligence before signing a contract:

Establish a risk rating for your vendors. Just as risk ratings are a foundational element of sound lending decisions, creating a systematic approach to rate your prospective and current vendors based on the risk they pose to your business is essential for establishing the level of oversight they require. Ratings should be based on the risk they pose to the business. Helpful measures in determining that risk include the type of data you are sharing with the vendor, the ability to quickly replace that vendor, the vendor’s reputation in the market, and the amount of investment you are making with the vendor.

Understand the vendor’s financial stability. While this is not directly related to cybersecurity controls, it is imperative to acquire the necessary assurances that the vendor you are working with will be around in the long run. This is especially critical with cloud-based offerings, as they have control of the software or platform and if they go out of business, then your institution will not have the ability to run the solution internally.

Get it in writing. Whether it’s external audits, testing, or attestation, look for the vendor to provide external assurance regarding the state of their secure practices and governance. This includes system and organization controls, or SOC, reports, penetration/vulnerability assessments, and ISO certifications.

Know how many parties are involved. Just because you’re enlisting a third party doesn’t mean that’s where the parties end—there may be fourth and fifth parties involved. A number of solution providers build their environment within a cloud provider such as Amazon Web Services or Microsoft Azure and assume security is being managed. This is a big misconception. While AWS and Azure offer great options for businesses, they are not responsible for the security of the data. The vendor you are contracting with is responsible. Ensure that your vendors are layering the appropriate controls within their cloud provided solution and can share with you the steps they take to manage their cloud-based vendors. Vendors using AWS, Azure or other hosting providers should provide their own independent attestation of their security controls, not simply handing over an AWS or Azure SOC report.

Have transparency of internal controls. Banks should hold their vendors to the same level of regulatory guidance that they hold themselves. This means asking critical vendors to supply documentation affecting the security and protection of your data, including:

  • Policy documentation
  • Business continuity planning documentation
  • Proof of insurance
  • Details regarding their information security and cybersecurity programs
  • Vulnerability detection and management.

Thoroughly assess your contract. Ensure the appropriate cyber protections and terms are noted in the contract. Look for the vendor to highlight their cyber controls and commitment to follow regulations and laws within the contract. Ensure they are willing to assume a reasonable amount of liability and provide the appropriate notification and incident management procedures in the event of a data breach. Also, depending upon the type of vendor and their risk rating, look for service-level agreements with financial implications if they are not met.

We don't just build great software. We support it with unmatched industry expertise.

learn more

Ongoing Vendor Management

In addition to initial vendor due diligence, organizations are required to follow an ongoing systematic approach to managing their third-party relationship. For some, this may be a spreadsheet approach, for others, it may be a third-party governance package. Whatever your institution chooses to tackle it, ensure that your approach is consistent and aligns with your vendor management policy. Regulators look for your management of vendors to be appropriate for the size, scope and complexity of your organization. This is intentionally vague and requires institutions to be thoughtful and intentional in maintaining their vendor management program and adjusting it when there are changes to the size, scope, and complexity of the organization. Because of the number of vendors that are entering and exist in the financial space and the amount of data we share across these vendors, organizations have started to carve out dedicated roles and job descriptions to manage the vendor burden. Regardless of whether banks manage it internally or outsource it, the regulatory burden lies with the institution. It is critical that banks stay current with regulatory expectations and potential risks.
This article was first published in ABA Banking Journal on October 17, 2019.
About the Author

Emily Larkin

Chief Information Security Officer
Emily Larkin, Chief Information Security Officer of Abrigo, has over 25 years of experience in financial services information technology and information security. Her extensive background includes enterprise security and risk management, data center operations, disaster recovery/business continuity, IT regulatory compliance, and examinations for financial institutions (FFIEC). A frequent speaker, Emily

Full Bio

About Abrigo

Abrigo enables U.S. financial institutions to support their communities through technology that fights financial crime, grows loans and deposits, and optimizes risk. Abrigo's platform centralizes the institution's data, creates a digital user experience, ensures compliance, and delivers efficiency for scale and profitable growth.

Make Big Things Happen.


Looking for Banker’s Toolbox? You are in the Right Place!

Banker’s Toolbox is now Abrigo, giving you a single source for all your enterprise risk management needs. Use the login button here, or the link in the top navigation, to log in to Banker’s Toolbox Community Online.

Make yourself at home!

Looking for MainStreet Technologies? You are in the Right Place!

MainStreet Technologies is now Abrigo, giving you a single source for all your enterprise risk management needs. Use the contact us button here, or the link in the top navigation, to reach product support for your MST products.

Make yourself at home!

Looking for Sageworks? You are in the Right Place!

Sageworks is now Abrigo, giving you a single source for all your enterprise risk management needs. Use the login button here, or the link in the top navigation, to log in to your Sageworks products.

Make yourself at home!

Looking for Farin? You are in the Right Place!

Farin is now Abrigo, giving you a single source for all your enterprise risk management needs. Use the login button here, or the link in the top navigation, to log in to your Farin client portal.

Make yourself at home!

Abrigo acquires construction loan management solutions

Coupled with our lending suite, Construct and +Pay from BankLabs enable end-to-end automated residential/commercial construction loans.

Read the press announcement

BankLabs Logo Abrigo Logo