ABA Banking Journal
No Result
View All Result
  • Topics
    • Ag Banking
    • Commercial Lending
    • Community Banking
    • Compliance and Risk
    • Cybersecurity
    • Economy
    • Human Resources
    • Insurance
    • Legal
    • Mortgage
    • Mutual Funds
    • Payments
    • Policy
    • Retail and Marketing
    • Tax and Accounting
    • Technology
    • Wealth Management
  • Newsbytes
  • Podcasts
  • Magazine
    • Subscribe
    • Advertise
    • Magazine Archive
    • Newsletter Archive
    • Podcast Archive
    • Sponsored Content Archive
SUBSCRIBE
ABA Banking Journal
  • Topics
    • Ag Banking
    • Commercial Lending
    • Community Banking
    • Compliance and Risk
    • Cybersecurity
    • Economy
    • Human Resources
    • Insurance
    • Legal
    • Mortgage
    • Mutual Funds
    • Payments
    • Policy
    • Retail and Marketing
    • Tax and Accounting
    • Technology
    • Wealth Management
  • Newsbytes
  • Podcasts
  • Magazine
    • Subscribe
    • Advertise
    • Magazine Archive
    • Newsletter Archive
    • Podcast Archive
    • Sponsored Content Archive
No Result
View All Result
No Result
View All Result
ADVERTISEMENT
Home Compliance and Risk

Cyber Complications for Vendor Risk Management

October 17, 2019
Reading Time: 3 mins read

By Emily Larkin

In a marketplace where data is shared and distributed at record speeds, third-party or vendor risk management is a challenge for most businesses. The banking industry is no stranger to this. The spotlight from federal and state regulators continues to shine on the use of third parties, and the pressure for those vendors to meet regulatory guidelines has greatly increased. This is especially challenging with cloud-based providers where cybersecurity concerns are even greater.

We are seeing banks moving to the cloud for a number of services ranging from core processing to lending. This movement to the cloud requires a robust vendor due diligence process and rigorous ongoing third party management that includes a focus on cybersecurity controls.

If your bank is considering partnering with a vendor, consider the following areas of cyber due diligence before signing a contract:

Establish a risk rating for your vendors. Just as risk ratings are a foundational element of sound lending decisions, creating a systematic approach to rate your prospective and current vendors based on the risk they pose to your business is essential for establishing the level of oversight they require. Ratings should be based on the risk they pose to the business. Helpful measures in determining that risk include the type of data you are sharing with the vendor, the ability to quickly replace that vendor, the vendor’s reputation in the market, and the amount of investment you are making with the vendor.

Understand the vendor’s financial stability. While this is not directly related to cybersecurity controls, it is imperative to acquire the necessary assurances that the vendor you are working with will be around in the long run. This is especially critical with cloud-based offerings, as they have control of the software or platform and if they go out of business, then your institution will not have the ability to run the solution internally.

Get it in writing. Whether it’s external audits, testing, or attestation, look for the vendor to provide external assurance regarding the state of their secure practices and governance. This includes system and organization controls, or SOC, reports, penetration/vulnerability assessments, and ISO certifications.

Know how many parties are involved. Just because you’re enlisting a third party doesn’t mean that’s where the parties end—there may be fourth and fifth parties involved. A number of solution providers build their environment within a cloud provider such as Amazon Web Services or Microsoft Azure and assume security is being managed. This is a big misconception. While AWS and Azure offer great options for businesses, they are not responsible for the security of the data. The vendor you are contracting with is responsible. Ensure that your vendors are layering the appropriate controls within their cloud provided solution and can share with you the steps they take to manage their cloud-based vendors. Vendors using AWS, Azure or other hosting providers should provide their own independent attestation of their security controls, not simply handing over an AWS or Azure SOC report.

Have transparency of internal controls. Banks should hold their vendors to the same level of regulatory guidance that they hold themselves. This means asking critical vendors to supply documentation affecting the security and protection of your data, including:

  • Policy documentation
  • Business continuity planning documentation
  • Proof of insurance
  • Details regarding their information security and cybersecurity programs
  • Vulnerability detection and management.

Thoroughly assess your contract. Ensure the appropriate cyber protections and terms are noted in the contract. Look for the vendor to highlight their cyber controls and commitment to follow regulations and laws within the contract. Ensure they are willing to assume a reasonable amount of liability and provide the appropriate notification and incident management procedures in the event of a data breach. Also, depending upon the type of vendor and their risk rating, look for service-level agreements with financial implications if they are not met.

In addition to initial vendor due diligence, organizations are required to follow an ongoing systematic approach to managing their third-party relationship. For some, this may be a spreadsheet approach, for others, it may be a third-party governance package. Whatever your institution chooses to tackle it, ensure that your approach is consistent and aligns with your vendor management policy. Regulators look for your management of vendors to be appropriate for the size, scope and complexity of your organization. This is intentionally vague and requires institutions to be thoughtful and intentional in maintaining their vendor management program and adjusting it when there are changes to the size, scope, and complexity of the organization.

Because of the number of vendors that are entering and exist in the financial space and the amount of data we share across these vendors, organizations have started to carve out dedicated roles and job descriptions to manage the vendor burden. Regardless of whether banks manage it internally or outsource it, the regulatory burden lies with the institution. It is critical that banks stay current with regulatory expectations and potential risks.

Emily Larkin is chief information security officer at Abrigo.

ADVERTISEMENT
Tags: CybersecurityRisk managementThird-party risk
ShareTweetPin

Related Posts

ABA donates to Texas flood relief efforts, urges bankers to contribute

FDIC issues regulatory relief guidance for Texas

Compliance and Risk
July 11, 2025

The FDIC released guidance with steps intended to provide regulatory relief to financial institutions and facilitate recovery in areas of Texas recently affected by severe storms and flooding.

BIS drafts guidance for central banks on AI adoption

BIS releases report on connections between banks and nonbanks

Compliance and Risk
July 11, 2025

Differences between regulations for banks and those for nonbank financial intermediaries may have created incentives to shift business activities to the NBFI sector, so bank supervisors should apply “close scrutiny” to such interactions, according to the report.

Regulators take issue with discrimination definition in proposed appraisal standards

HUD reverses Biden-era policies on appraisal review

Compliance and Risk
July 11, 2025

HUD eliminated several of the core policies adopted by the Property Appraisal and Valuation Equity task force, an interagency group of 13 federal agencies formed during the Biden administration to address alleged discrimination in the appraisal process.

Fed releases agenda for upcoming conference on large bank capital requirements

Fed seeks public input on large bank rating system revision

Compliance and Risk
July 10, 2025

The Federal Reserve requested comment on a proposal to revise its supervisory rating framework for large bank holding companies to address the "well managed" status of the firms.

FinCEN, IRS-CI launch series to help banks combat fentanyl trafficking

FinCEN extends compliance dates for fentanyl orders

Compliance and Risk
July 9, 2025

FinCEN has extended by more than a month the effective dates for orders involving three Mexico-based financial institutions with alleged ties to fentanyl trafficking, according to an agency statement.

ABA Regulatory Policy and Compliance Inbox: Must banks disclose all co-branding relationships?

ABA Regulatory Policy and Compliance Inbox: Just what is reportable under CRA?

Compliance and Risk
July 9, 2025

What about refinances and renewals for small business, small farm and community development loans? And: Understanding risk-based pricing notices.

NEWSBYTES

ABA, associations seek clarity about Fannie, Freddie credit scoring change

July 11, 2025

ABA DataBank: Copper prices rise on tariff announcement

July 11, 2025

FDIC issues regulatory relief guidance for Texas

July 11, 2025

SPONSORED CONTENT

Navigating Disruption in Ag Lending – Why Tariffs Are Just the Tip of the Iceberg

Navigating Disruption in Ag Lending – Why Tariffs Are Just the Tip of the Iceberg

July 1, 2025
AI Compliance and Regulation: What Financial Institutions Need to Know

Unlocking Deposit Growth: How Financial Institutions Can Activate Data for Precision Cross-Sell

June 1, 2025
Choosing the Right Account Opening Platform: 10 Key Considerations for Long-Term Success

Choosing the Right Account Opening Platform: 10 Key Considerations for Long-Term Success

April 25, 2025
Outsourcing: Getting to Go/No-Go

Outsourcing: Getting to Go/No-Go

April 5, 2025

PODCASTS

Breaking down the bank-related provisions in the big budget bill

July 10, 2025

Podcast: Inside ABA’s new Treasury Check Verification System API

June 25, 2025

Podcast: Staying close to clients amid tariff-driven volatility

June 18, 2025
ADVERTISEMENT

American Bankers Association
1333 New Hampshire Ave NW
Washington, DC 20036
1-800-BANKERS (800-226-5377)
www.aba.com
About ABA
Privacy Policy
Contact ABA

ABA Banking Journal
About ABA Banking Journal
Media Kit
Advertising
Subscribe

© 2025 American Bankers Association. All rights reserved.

No Result
View All Result
  • Topics
    • Ag Banking
    • Commercial Lending
    • Community Banking
    • Compliance and Risk
    • Cybersecurity
    • Economy
    • Human Resources
    • Insurance
    • Legal
    • Mortgage
    • Mutual Funds
    • Payments
    • Policy
    • Retail and Marketing
    • Tax and Accounting
    • Technology
    • Wealth Management
  • Newsbytes
  • Podcasts
  • Magazine
    • Subscribe
    • Advertise
    • Magazine Archive
    • Newsletter Archive
    • Podcast Archive
    • Sponsored Content Archive

© 2025 American Bankers Association. All rights reserved.