Tag: Vendor management in 3 parts

02 Dec 2014

Vendor Management in 3 Parts. Part 3 – Risk Management (or, “can we or can’t we?”)

The last step in the vendor management process is to manage, or control, the risk that was identified in step 1 and assessed (as inherent risk) in step 2.  Controlling risk is defined as applying risk mitigation techniques (or “controls”) to reduce risk to acceptable levels.  It’s important to understand that risk can never be completely eliminated, particularly third-party risk.  The goal of this last step is to understand the remaining risk, referred to as “residual risk”, and to decide if this residual risk level is acceptable to you.  Everything that has been done thus far in the risk management process has been building up to this point.  But you may not be done yet.  If residual risk is not within the “acceptable” range, additional controls must be implemented to further reduce risk to an acceptable level.  Think of step 3 as a cycle: apply controls, evaluate residual risk, and if residual risk is not acceptable, apply additional controls.  Repeat until residual risk is acceptable.

So the risk management process begins by asking a series of “can we or can’t we?” questions (all of which should be answered “yes”):

  • Can we or can’t we…assure ourselves that the vendor understands the unique regulatory environment of financial institutions?
  • Can we or can’t we…gain an in-depth understanding of what the vendor is doing to protect our information?
  • Can we or can’t we…trust the vendor’s description of their controls, both what they are, and how effective they are?
  • Can we or can’t we…accurately measure the residual risk level of this vendor relationship, and…
  • Can we or can’t we…come to the conclusion that the residual risk level of this vendor is acceptable?

The answer to the first 2 questions depends on A.) how familiar the vendor is with the regulatory requirements of financial institutions, and B.) how forthcoming the vendor is about their internal processes that relate to information security.  As the FFIEC recently stated regarding outsourced cloud computing (but applying equally to all third-party providers):

Managing a cloud computing service provider may require additional controls if the servicer is unfamiliar with the financial industry and the financial institution’s legal and regulatory requirements for safeguarding customer information and other sensitive data. Additionally, the use of such a servicer may present risks that the institution is unable or unwilling to mitigate. One example of such risks would be if the servicer is not implementing changes to meet regulatory requirements. Under such circumstances, management may determine that the institution cannot employ the servicer.

So if you can’t answer “yes” to the first 2 questions about the vendor’s familiarity with financial institutions and whether they will be forthcoming about their controls, then the answer to the last question about acceptable risk is most likely “no”.

Regarding the third question about trust, third-party audit reports are the best way to gain assurance that vendor controls are both adequate and effective.  SOC reports give third-party validation of controls over financial reporting (SOC 1) and over information security, availability, processing integrity, confidentiality and privacy (SOC 2), attesting that those controls are suitably designed (Type 1) and operating effectively (Type 2).  Without this validation all you have is the assertion of the vendor, which is inadequate for high-risk vendors.  For third-party providers that either process, transmit, or store customer data, a SOC 2 Type 2 report is essential.

One more thing about controls…you should do everything you can to match the control to the risk.  For example, if there is a high degree of complexity in the service the vendor provides, identifying an alternate vendor is important.  If the criticality is high (as defined by the recovery time objective of any interdependent services), then you should insist on a copy of the vendor’s business continuity plan and testing results.  Audited financials are also important for all critical contracted services to assure that the vendor has the financial strength and stability to honor the terms of their contract.  And as I mentioned previously, a SOC 2 report is essential if the vendor processes or stores customer NPI.

To summarize the entire 3-part vendor management process:  First, you must identify the source of the risk.  In other words, the vendors you utilize along with their associated products and services (more here).  Second, each vendor must be assessed for risk…risk arising from access to customer NPI and confidential data, risk arising from vendor failure, risk arising from vendor criticality and complexity (more here).  Finally, controls are applied to reduce risk down to an acceptable level.  Follow this 3-part approach when you tackle vendor management internally… and demand it from your provider if you outsource the process.

18 Nov 2014

Vendor Management in 3 Parts. Part 2 – Risk Assessment (or, “will they or won’t they?”)

In Part 1 I said that vendor management, just as any other risk management endeavor, consists of 3 basic phases:

  1. Identify the risk
  2. Assess the risk, and
  3. Control the risk

I also discussed why risk identification is a more difficult task today because of the “access to data” question, and also because “data” includes not just NPI, but confidential data as well.  Everyone from your technology providers to the office cleaning crew could have access to non-public or confidential data, and as a result must be included in Phase 2, the risk assessment.  The good news is that even though all vendors must be assessed, only a handful will require significant follow-up in terms of controls reviews (Phase 3).

So in this post I will discuss how the risk assessment of vendors has changed over the last few years.  Traditionally assessing a vendor was limited to determining the extent to which the vendor had access to (and could possibly disclose) non-public customer information (NPI).  This grew out of GLBA, specifically the privacy and security elements of the legislation.  Today regulators expect a much broader assessment of third-party risk.  In addition to NPI, you must also assess vendor access to confidential information, such as HR records, Board reports, strategic plans and unaudited financials.  You should also understand how a failure of the vendor’s product might affect your ability to deliver critical products or services to your customers.  Does the vendor provide interdependencies to critical products?  If they failed, how many of your services would fail too?  Additionally, how difficult (costly & time consuming) would it be to find an alternate vendor, should the need arise?

In a recent speech to a community bankers group, Thomas J. Curry (current FFIEC chairman and Comptroller of the Currency) stated:

“While they have important benefits and are in many ways an essential part of business, it can be easy for financial institutions to become overly dependent upon third parties and overly-trusting. But just because these contractors have long client lists and hard-to-duplicate expertise doesn’t mean they are infallible.”

So vendor risk assessments really come down to determining “will they or won’t they?”:

  • Will they or won’t they…disclose customer NPI?
  • Will they or won’t they…disclose confidential information?
  • Will they or won’t they…fail?
  • Will they or won’t they…meet the terms of the contract?
  • Will they or won’t they…continue to meet our strategic objectives?
  • Will they or won’t they…properly manage their third-party relationships?

Once these questions have been addressed (i.e. asked and answered) you have a good idea of the raw, or inherent, risk level.  Now you are expected to…

“…have risk management practices in place that are commensurate with that risk.”  

Asking the right “will they or won’t they” questions is the key to accurately assessing inherent risk.  The next step is to manage (i.e. control) the risk at acceptable levels.  More on that in Part 3.

14 Oct 2014

Vendor Management in 3 Parts. Part 1 – Risk Identification (or, “do they or don’t they?”)

Service provider oversight (aka vendor management) is undoubtedly the hottest hot-button item on the regulator’s agenda right now, and for good reason.  For one thing, regulators know that the vast majority of financial institutions outsource at some point, in fact recent studies put the number of FI’s that either transmit, process or store information with third-parties at over 90%.  They also know that most recent cyber security incidents affecting financial institutions involved third-party service providers.  (The Chase breach is a notable exception.)  And increased scrutiny of your vendor oversight program has been cited as a focal point for the ongoing regulatory cybersecurity assessments.  Clearly a new vendor management standard is here, and a new expanded approach is required.

I’ve broken the vendor management process into 3 parts, and all areas must be expanded:

  1. Risk Identification
  2. Risk Assessment, and
  3. Risk Management

Again, all three areas have increased expectations.  You are expected to manage the risks of third-party relationships the same way you manage internal risk, and step 1 is always to identify the source of the risk.  This is relatively simple when all data is stored and processed in-house, but that doesn’t reflect the current outsourced model.  So identifying the source of the risk means asking the following question about the third-party…“do they or don’t they have access to my information”?

“Access” means everything from incidental read-only (as in a piece of paper or computer screen), to full read & write.  In other words, vendors that provide or support critical processes clearly must be assessed, but anyone that might be allowed in your facility could conceivably see something non-public or confidential.  And the definition of “information” has evolved from strictly non-public customer information (NPI), to anything you consider confidential, such as Board reports, HR records, strategic plans, and unaudited financials.

But I think the biggest challenge for most financial institutions is in understanding exactly how to define a “service provider”.  The traditional thinking was that only a few key providers (like core) were defined that way, but the definition of “service provider” has definitely expanded.  In fact the Federal Reserve issued a regulatory update in 2013 titled “Guidance on Managing Outsourcing Risk”.  In it, they defined “service providers” as

“…all entities that have entered into a contractual relationship with a financial institution to provide business functions or activities”.

The OCC defined it even more broadly, stating in their 2013 update “Risk Management Guidance on Third-party Relationships” that:

“…a third-party relationship is any business arrangement between a bank and another entity, by contract or otherwise.” (Emphasis added.)

So expand your definition of “access”, and expand your list of providers to include all potential sources of risk… from your core provider to your cleaning crew, all third-party relationships with all levels of access should be assessed.

One more thing, don’t forget to assess vendors that may not have access to sensitive information, but have a high degree of criticality.  More on that in my next post on Risk Assessment.
