Author: Holly Hooks

28 Feb 2019

Ask the Guru: Do We Need to Perform a Review on a New Vendor in a Foreign Country?

Hey Guru!

Our institution works with a third-party that has recently engaged with a company in a foreign country to begin assisting them in taking care of our institution’s IT matters. Do we need to perform a review on this new foreign third-party?


When evaluating this situation, the first step is to understand the parties involved:

  1. Your Financial Institution
  2. Your current provider (your institution’s third-party)
  3. The foreign company your provider outsources to (fourth-party to your institution)

Typically, your institution would manage your third-parties through your vendor management program, and your third-party is responsible for managing their providers. This works well when the third-party has had a SOC 2 using the SSAE 18 standard. There is a section in the SOC 2 called Complementary Subservice Organization Controls (CSOC), which describes how the provider manages their providers. If the third-party has a SOC 2 on their provider that follows the SSAE 18 standard, your institution should have the necessary assurances that your current provider is effectively managing their third-parties.

However, without this assurance, your institution is on its own to determine what risks are presented by the fourth-party, and how best to address them. When performing the risk assessment process, your institution should ask itself: Does the foreign fourth-party have any (even incidental) access to our customer or confidential information? In other words, is any of our customer or confidential information transmitted, stored, or processed outside the U.S.?

At this point, foreign providers present all the same risks as any other outsourced relationship, PLUS a whole additional layer of risks. The FFIEC states:


“…this practice raises country, compliance, contractual, reputation, operational (e.g., transactional), and strategic issues in addition to those presented by use of a domestic service provider. In managing these issues, management should conduct appropriate risk assessments and due diligence procedures and closely evaluate all contracts. Additionally, management should establish ongoing monitoring and oversight procedures.” (emphasis added)

So in addition to the risks you already consider for your other outsourced relationships, foreign providers may also raise issues such as choice-of-law and jurisdictional considerations, as these parties may not fall under the jurisdiction of domestic laws and regulations. This could present regulatory problems complying with consumer protection, privacy (Section 501(b) of GLBA), and information security laws. They may also raise other contractual concerns, such as data-breach notification issues, if the third-party contract stipulates a procedure the fourth-party can’t (or won’t) comply with. Finally, there’s also this.

In short, third-party relationship management is challenging, and managing fourth-parties is even more so. Add a foreign provider (third or fourth) into the mix and the challenge goes way up. I would strongly recommend your institution try to obtain assurances (via the CSOC section of the SOC 2) that your third-party provider is adequately managing their relationships, but even with that (and certainly without it) you may want to establish increased ongoing monitoring of this relationship.

19 Oct 2016

Ask the Guru: “The Cybersecurity Assessment Tool… Do we have to?”

Hey Guru!

Management is asking why we have to complete the FFIEC Cybersecurity Assessment Tool when it is voluntary. They feel it is too much work if it is not mandatory. I think it is still needed even though it is voluntary. Is there any documentation as to why it is still necessary for OCC banks to complete the Assessment?


The FFIEC issued a press release October 17, 2016, on the Cybersecurity Assessment Tool titled Frequently Asked Questions. This reiterated that the assessment is voluntary and an institution can choose to use either this assessment tool, or an alternate framework, to evaluate inherent cybersecurity risk and control maturity.

Since the tool was originally released in 2015, all the regulatory agencies have announced plans to incorporate the assessment into their examination procedures:

  • OCC Bulletin 2015-31 states “The OCC will implement the Assessment as part of the bank examination process over time to benchmark and assess bank cybersecurity efforts. While use of the Assessment is optional for financial institutions, OCC examiners will use the Assessment to supplement exam work to gain a more complete understanding of an institution’s inherent risk, risk management practices, and controls related to cybersecurity.”
  • Federal Reserve SR 15-9 states “Beginning in late 2015 or early 2016, the Federal Reserve plans to utilize the assessment tool as part of our examination process when evaluating financial institutions’ cybersecurity preparedness in information technology and safety and soundness examinations and inspections.”
  • FDIC FIL-28-2015 states “FDIC examiners will discuss the Cybersecurity Assessment Tool with institution management during examinations to ensure awareness and assist with answers to any questions.”
  • NCUA states “FFIEC’s cybersecurity assessment tool is provided to help them assess their level of preparedness, and NCUA examiners will use the tool as a guide for assessing cybersecurity risks in credit unions. Credit unions may choose whatever approach they feel appropriate to conduct their individual assessments, but the assessment tool would still be a useful guide.”

Even though the FFIEC format is officially voluntary, the institution still has to evaluate inherent risk and cybersecurity preparedness in some way. Therefore, unless you already have a robust assessment program in place, we strongly encourage all institutions to adopt the FFIEC Cybersecurity Assessment Tool format since this is what the examiners will use.

NOTE: The FAQ also made it clear that the FFIEC does not intend to offer an automated version of the tool. To address this, we have developed a full-featured cybersecurity service (RADAR) that includes an automated assessment, plus a gap analysis / action plan, cyber-incident response test, and several other components.