Service provider oversight (aka vendor management) is undoubtedly the hottest hot-button item on the regulator’s agenda right now, and for good reason. For one thing, regulators know that the vast majority of financial institutions outsource at some point, in fact recent studies put the number of FI’s that either transmit, process or store information with third-parties at over 90%. They also know that most recent cyber security incidents affecting financial institutions involved third-party service providers. (The Chase breach is a notable exception.) And increased scrutiny of your vendor oversight program has been cited as a focal point for the ongoing regulatory cybersecurity assessments. Clearly a new vendor management standard is here, and a new expanded approach is required.
I’ve broken the vendor management process into 3 parts, and all areas must be expanded;
- Risk Identification
- Risk Assessment, and
- Risk Management
Again, all three areas have increased expectations. You are expected to manage the risks of third-party relationships the same way you manage internal risk, and step 1 is always to identify the source of the risk. This is relatively simple when all data is stored and processed in-house, but that doesn’t reflect the current outsourced model. So identifying the source of the risk means asking the following question about the third-party…“do they or don’t they have access to my information”?
“Access” means everything from incidental read-only (as in a piece of paper or computer screen), to full read & write. In other words, vendors that provide or support critical processes clearly must be assessed, but anyone that might be allowed in your facility could conceivably see something non-public or confidential. And the definition of “information” has evolved from strictly non-public customer information (NPI), to anything you consider confidential, such as Board reports, HR records, strategic plans, and unaudited financials.
But I think the biggest challenge for most financial institutions is in understanding exactly how to define a “service provider”. The traditional thinking was that only at a few key providers (like core) were defined that way, but the definition of “service provider” has definitely expanded. In fact the Federal Reserve issued a regulatory update in 2013 titled “Guidance on Managing Outsourcing Risk“. In it, they defined “service providers” as
“…all entities that have entered into a contractual relationship with a financial institution to provide business functions or activities”.
The OCC defined it even more broadly, stating in their 2013 update “Risk Management Guidance on Third-party Relationships” that;
“…a third-party relationship is any business arrangement between a bank and another entity, by contract or otherwise.” (Emphasis added.)
So expand your definition of “access”, and expand your list of providers to include all potential sources of risk… from your core provider to your cleaning crew, all third-party relationships with all levels of access should be assessed.
One more thing, don’t forget to assess vendors that may not have access to sensitive information, but have a high degree of criticality. More on that in my next post on Risk Assessment.