The last step in the vendor management process is to manage, or control, the risk that was identified in step 1 and assessed (as inherent risk) in step 2. Controlling risk means applying risk mitigation techniques (or “controls”) to reduce risk to acceptable levels. It’s important to understand that risk can never be completely eliminated, particularly third-party risk. The goal of this last step is to understand the remaining risk, referred to as “residual risk”, and to decide whether that residual risk level is acceptable to you. Everything that has been done thus far in the risk management process has been building up to this point. But you may not be done yet. If residual risk is not within the “acceptable” range, additional controls must be implemented to reduce it further. Think of step 3 as a cycle: apply controls, evaluate residual risk, and if residual risk is not acceptable, apply additional controls. Repeat until residual risk is acceptable.
So this last step begins by asking a series of “can we or can’t we?” questions (all of which should be answered “yes”):
- Can we or can’t we…assure ourselves that the vendor understands the unique regulatory environment of financial institutions?
- Can we or can’t we…gain an in-depth understanding of what the vendor is doing to protect our information?
- Can we or can’t we…trust the vendor’s description of their controls, both what they are, and how effective they are?
- Can we or can’t we…accurately measure the residual risk level of this vendor relationship, and…
- Can we or can’t we…come to the conclusion that the residual risk level of this vendor is acceptable?
The answer to the first two questions depends on (a) how familiar the vendor is with the regulatory requirements of financial institutions, and (b) how forthcoming the vendor is about the internal processes that relate to information security. As the FFIEC recently stated regarding outsourced cloud computing (but applying equally to all third-party providers):
Managing a cloud computing service provider may require additional controls if the servicer is unfamiliar with the financial industry and the financial institution’s legal and regulatory requirements for safeguarding customer information and other sensitive data. Additionally, the use of such a servicer may present risks that the institution is unable or unwilling to mitigate. One example of such risks would be if the servicer is not implementing changes to meet regulatory requirements. Under such circumstances, management may determine that the institution cannot employ the servicer.
So if you can’t answer “yes” to the first two questions, about the vendor’s familiarity with financial institutions and whether they will be forthcoming about their controls, then the answer to the last question about acceptable risk is most likely “no”.
Regarding the third question about trust, third-party audit reports are the best way to gain assurance that vendor controls are both adequate and effective. SOC reports provide independent validation of a vendor’s controls: a SOC 1 report covers controls relevant to the vendor’s customers’ financial reporting, while a SOC 2 report covers controls over security, availability, processing integrity, confidentiality and privacy. In either case, a Type 1 report attests that the controls are suitably designed as of a point in time, and a Type 2 report attests that they also operated effectively over a review period (typically six to twelve months). Without this validation all you have is the vendor’s own assertion, which is inadequate for high-risk vendors. For third-party providers that process, transmit, or store customer data, a SOC 2 Type 2 report is essential, and you should actually read it: check that the period and scope cover the services you use, that the right trust services criteria are included, and that any exceptions noted by the auditor have been addressed.
One more thing about controls: you should do everything you can to match the control to the risk. For example, if there is a high degree of complexity in the service the vendor provides, identifying an alternate vendor is important. If the criticality is high (as defined by the recovery time objective of any interdependent services), then you should insist on a copy of the vendor’s business continuity plan and testing results. Audited financials are also important for all critical contracted services, to assure that the vendor has the financial strength and stability to honor the terms of the contract. And as I mentioned previously, a SOC 2 Type 2 report is essential if the vendor processes or stores customer NPI.
To summarize the entire 3-part vendor management process: First, you must identify the source of the risk, in other words the vendors you utilize along with their associated products and services (more here). Second, each vendor must be assessed for risk: risk arising from access to customer NPI and confidential data, risk arising from vendor failure, and risk arising from vendor criticality and complexity (more here). Finally, controls are applied to reduce risk to an acceptable level. Follow this 3-part approach when you tackle vendor management internally, and demand it from your provider if you outsource the process.