By Emily Larkin
In a marketplace where data is shared and distributed at record speeds, third-party or vendor risk management is a challenge for most businesses. The banking industry is no stranger to this. The spotlight from federal and state regulators continues to shine on the use of third parties, and the pressure for those vendors to meet regulatory guidelines has greatly increased. This is especially challenging with cloud-based providers where cybersecurity concerns are even greater.
We are seeing banks moving to the cloud for a number of services ranging from core processing to lending. This movement to the cloud requires a robust vendor due diligence process and rigorous ongoing third party management that includes a focus on cybersecurity controls.
If your bank is considering partnering with a vendor, consider the following areas of cyber due diligence before signing a contract:
Establish a risk rating for your vendors. Just as risk ratings are a foundational element of sound lending decisions, creating a systematic approach to rate your prospective and current vendors based on the risk they pose to your business is essential for establishing the level of oversight they require. Ratings should be based on the risk they pose to the business. Helpful measures in determining that risk include the type of data you are sharing with the vendor, the ability to quickly replace that vendor, the vendor’s reputation in the market, and the amount of investment you are making with the vendor.
Understand the vendor’s financial stability. While this is not directly related to cybersecurity controls, it is imperative to acquire the necessary assurances that the vendor you are working with will be around in the long run. This is especially critical with cloud-based offerings, as they have control of the software or platform and if they go out of business, then your institution will not have the ability to run the solution internally.
Get it in writing. Whether it’s external audits, testing, or attestation, look for the vendor to provide external assurance regarding the state of their secure practices and governance. This includes system and organization controls, or SOC, reports, penetration/vulnerability assessments, and ISO certifications.
Know how many parties are involved. Just because you’re enlisting a third party doesn’t mean that’s where the parties end—there may be fourth and fifth parties involved. A number of solution providers build their environment within a cloud provider such as Amazon Web Services or Microsoft Azure and assume security is being managed. This is a big misconception. While AWS and Azure offer great options for businesses, they are not responsible for the security of the data. The vendor you are contracting with is responsible. Ensure that your vendors are layering the appropriate controls within their cloud provided solution and can share with you the steps they take to manage their cloud-based vendors. Vendors using AWS, Azure or other hosting providers should provide their own independent attestation of their security controls, not simply handing over an AWS or Azure SOC report.
Have transparency of internal controls. Banks should hold their vendors to the same level of regulatory guidance that they hold themselves. This means asking critical vendors to supply documentation affecting the security and protection of your data, including:
- Policy documentation
- Business continuity planning documentation
- Proof of insurance
- Details regarding their information security and cybersecurity programs
- Vulnerability detection and management.
Thoroughly assess your contract. Ensure the appropriate cyber protections and terms are noted in the contract. Look for the vendor to highlight their cyber controls and commitment to follow regulations and laws within the contract. Ensure they are willing to assume a reasonable amount of liability and provide the appropriate notification and incident management procedures in the event of a data breach. Also, depending upon the type of vendor and their risk rating, look for service-level agreements with financial implications if they are not met.
In addition to initial vendor due diligence, organizations are required to follow an ongoing systematic approach to managing their third-party relationship. For some, this may be a spreadsheet approach, for others, it may be a third-party governance package. Whatever your institution chooses to tackle it, ensure that your approach is consistent and aligns with your vendor management policy. Regulators look for your management of vendors to be appropriate for the size, scope and complexity of your organization. This is intentionally vague and requires institutions to be thoughtful and intentional in maintaining their vendor management program and adjusting it when there are changes to the size, scope, and complexity of the organization.
Because of the number of vendors that are entering and exist in the financial space and the amount of data we share across these vendors, organizations have started to carve out dedicated roles and job descriptions to manage the vendor burden. Regardless of whether banks manage it internally or outsource it, the regulatory burden lies with the institution. It is critical that banks stay current with regulatory expectations and potential risks.
Emily Larkin is chief information security officer at Abrigo.