In my first post in this series I discussed training (employee and customer) as a good candidate for increased regulatory scrutiny in 2012. Although these posts are in no particular order, I had initially intended to list “Management” as the next trend. However a comment made to me by a banker at a recent conference leads me to believe that vendor management has already started to emerge as an area of increased regulator focus, so I am making this trend #2.
I’ve already posted numerous times on the importance of vendor management…most recently when risk assessing on-line backup vendors, and how the phase-out of the SAS 70 will affect vendor management (here and here), and I even selected it as a potential trend for 2011. And all the existing reasons still apply, but a couple of fairly recent developments are pushing this issue up the priority list:
- The increased popularity and adoption of new and emerging technologies, such as cloud computing,
- New risks and new guidance in electronic banking,
- The SAS 70 phase-out
- Examiners are hearing these three words more and more; “…they handle that…“.
All these really go together. Think about this…is there a critical product or service you offer that doesn’t involve a third-party relationship? I’ve asked that question at a number of meetings and conferences this year and have yet to have anyone come up with an example. And to further underscore the point, how many of your vendors have vendors of their own?
So more reliance on outsourcing means that examiners are hearing the phrase “they handle that” more often when they ask about data security. But as we all know…
Management is responsible for ensuring the protection of institution and customer data, even when that data is transmitted, processed, stored, or disposed of by a service provider.1
In the past, saying “they handle that” to an auditor or examiner was usually followed up with “OK, let’s see the SAS 70 and financials on that vendor”. You would produce the reports, and that was pretty much the end of that conversation, and indeed often the extent of your vendor management responsibility. I believe this will change, and I’ve already gotten some validation on that.
Going forward expect examiners to ask to see your entire vendor management program, not just the third-party reviews and financials, and not just on select vendors. Any vendor that could have access (even incidental access) to non-public information (yours or your customers) must be risk-ranked by your vendor management program. And the process of evaluating vendors starts well before they become a vendor, when you are still in the pre-implementation stage.
Here are some of the essential, and yet often missing, elements of a vendor management program:
- Have you conducted due diligence prior to vendor selection?
- Have you documented that the product or service is in alignment with the goals and objectives of your strategic plan?
- Is a BSCA filing required?
- Are the vendor’s disaster recovery capabilities adequate to support your recovery time objectives?
- Are vendor performance standards (SLA’s) clearly defined?
- In addition to vendor access to NPI/PII, have you risk-ranked your vendors based on:
- Access to other confidential (i.e. proprietary) information?
- Criticality of the product/service they provide?
- Complexity of the product/service?
Additionally, the new electronic banking guidance will force financial institutions to take a closer look at their Internet banking providers in order to conduct the required (starting in January) risk assessments. When the examiner asks for your electronic banking risk assessment, and wants to know what layered controls have been implemented, you can not say “our provider handles that”. The whole point of a risk assessment is to assure that you know, and are comfortable with, the residual risk.
And finally, the third-party report that will likely replace the SAS 70 for most service providers will be the SOC 2, and unlike the SAS 70 the SOC 2 is designed to be a deep dive into the control environment of the service provider. Also unlike the SAS 70, financial institutions will have to actually review the SOC 2 document to assure themselves that there are no exclusions or other qualifications in the report, and to review the results of control testing (for a Type II). And unless the service provider specifically excludes it from the report, you will also have a high degree of confidence that any sub-service organizations (providers to your provider) have an adequate control environment as well.
So for all these reasons, expect vendor management to be an increased regulatory priority in 2012.