Vendor Management – Compliance Guru

16 Jun 2022

Quick Bytes The Safe Systems Compliance Team 0 comment

FFIEC Cancels E-Banking Handbook

On May 13, 2022, the FFIEC very quietly rescinded the FFIEC Information Technology Examination Handbook (IT Handbook) booklet entitled E-Banking. The original booklet was released in 2003 and was accompanied by a flurry of activity by financial institutions to come up with a separate E-banking policy and risk assessment. In effect, the FFIEC is now declaring (admitting?) that these are no longer necessary because all the basic risk management principles that apply to E-Banking are already addressed in other Handbooks. Operational risk is addressed in the Business Continuity Management Handbook, information security risk is addressed in the Information Security Handbook, cyber risk is assessed in the Cybersecurity Assessment Tool, and third-party risk is addressed here, here, and here.

We agree with this approach, and have long held that separately addressing each new emerging or evolving technology was cumbersome, duplicative, and unnecessary. In our opinion, shifting the focus of the handbooks to basic risk management principles and best practices that can apply to all business processes makes more sense and is long overdue. Could the Wholesale and Retail Payment Systems handbooks be phased out next? How about the Cybersecurity Assessment Tool? Since cybersecurity is simply a subset of information security more broadly, could we see a phase-out of a separate cyber assessment? Or even better, could we see the Information Security Handbook include a standardized risks and controls questionnaire that includes cyber?

Admittedly this is only one less policy and one less risk assessment, but we’ll be watching this trend with great interest. Anything that can help ease the burden on overworked compliance folks is a welcome change!

29 Mar 2022

Ask the Guru, Vlog Tom Hinkel 0 comment

Vlog: Are Bank Regulators Considered Vendors?

In this special vlog installment of Ask the Guru, Tom Hinkel answers a question asked by an OCC bank examiner, “Are regulators considered vendors for banks?” Watch the video below to hear Tom’s thoughts on the matter.

10 Feb 2015

Hot Topics Tom Hinkel 1 Comment

FFIEC Issues Update to Business Continuity Guidance

The FFIEC just issued new BCP Guidance in the form of a 16 page addendum to the existing 2008 IT Handbook on Business Continuity Planning. It is titled “Appendix J: Strengthening the Resilience of Outsourced Technology Services”, and it has significant implications for both financial institutions and service providers, and across the entire business relationship between the two.

The following excerpt summarizes the intent of the update pretty succinctly:

A financial institution should be able to demonstrate the ability to recover critical IT systems and resume normal business operations regardless of whether the process is supported in-house or at a TSP (technology service provider) for all types of adverse events (e.g., natural disaster, infrastructure failure, technology failure, availability of staff, or cyber attack).

The appendix is focused on third-party Technology Service Providers (TSP’s), and organized in four sections (with associated sub-sections):

Third-party management
- Due Diligence
- Contracts
- Ongoing Monitoring
Third-party capacity
- Significant TSP Continuity Scenarios
- TSP Alternatives
Testing with third-party TSP’s
- Testing Scenarios
- Testing Complexity
Cyber resilience

Assuming that you already have a relatively compliant* business continuity plan, I see several areas that may need immediate attention:

Vendor management. Expect expanded vendor pre-contract due diligence and on-going oversight, including a detailed understanding of how the vendor manages their subcontractors. The guidance also introduces the concept of “concentration risk”, which is the increased use of, and over-reliance on, one or more key service providers.
Contracts. Expect increased contract requirements, including provisions related to subcontracting (see above), the right-to-audit, data ownership and handling, and how the servicer plans to respond to new guidance and regulations.
Testing. Expect an expanded testing section, including participation in critical vendor testing.
Cyber security. Cyber events should be factored into all aspects of your BCP, with emphasis on responding effectively to a cyber attack. Expect your incident response planning and testing to get increased scrutiny as well.

There is one more element of the guidance that may prove to be the most challenging of all for outsourced institutions. In the past, manual procedures were always the primary alternative to automation, but because of the increased dependence on outsourcing, it may no longer be feasible for an institution to operate manually for any length of time. In those situations the guidance suggests that you have an alternative service provider identified to assume operations, or that you consider the possibility of moving the operations in-house. Since the guidance admits that the latter option is likely not a valid one, that really only leaves the alternate provider as a possible solution. Of course any institution that has converted their core system to a new provider knows that process is fraught with challenges even when the conversion is anticipated and carefully planned. Undertaking the process after a sudden disruptive event is almost unthinkable, but the guidance expects you to going forward.

* A compliant BCP is built around a business impact analysis which identifies all critical business processes and their interdependencies, establishes clearly defined recovery time and recovery point objectives (RTO’s & RPO’s) for each process, specifies recovery procedures sufficient to restore process functionality within RTO’s, and then validates all procedures via testing.

02 Dec 2014

Hot Topics Tom Hinkel 0 comment

Vendor Management in 3 Parts. Part 3 – Risk Management (or, “can we or can’t we?”)

The last step in the vendor management process is to manage, or control, the risk that was identified in step 1, and assessed (as inherent risk) in step 2. Controlling risk is defined as applying risk mitigation techniques (or “controls”) to reduce risk to acceptable levels It’s important to understand that risk can never be completely eliminated, particularly third-party risk. The goal of this last step is to understand the remaining risk, referred to as “residual risk”, and to decide if this residual risk level is acceptable to you. Everything that has been done thus far in the risk management process has been building up to this point. But you may not be done yet. If residual risk is not necessarily within the “acceptable” range, additional controls must be implemented to further reduce risk to an acceptable level. Think of step 3 as a cycle; apply controls, evaluate residual risk, if residual risk is not acceptable, apply additional controls. Repeat until residual risk is acceptable.

So the risk management process begins by asking a series of “can we or can’t we?” questions (all of which should be answered “yes”):

Can we or can’t we…assure ourselves that the vendor understands the unique regulatory environment of financial institutions?
Can we or can’t we…gain an in-depth understanding of what the vendor is doing to protect our information?
Can we or can’t we…trust the vendor’s description of their controls, both what they are, and how effective they are?
Can we or can’t we…accurately measure the residual risk level of this vendor relationship, and…
Can we or can’t we…come to the conclusion that the residual risk level of this vendor is acceptable?

The answer to the first 2 questions depends on A.) how familiar the vendor is with the regulatory requirements of financial institutions, and B.) how forthcoming the vendor is about their internal processes that relate to information security. As the FFIEC recently stated regarding outsourced cloud computing (but applying equally to all third-party providers):

Managing a cloud computing service provider may require additional controls if the servicer is unfamiliar with the financial industry and the financial institution’s legal and regulatory requirements for safeguarding customer information and other sensitive data. Additionally, the use of such a servicer may present risks that the institution is unable or unwilling to mitigate. One example of such risks would be if the servicer is not implementing changes to meet regulatory requirements. Under such circumstances, management may determine that the institution cannot employ the servicer.

So if you can’t answer “yes” to the first 2 questions about the vendor’s familiarity with financial institutions and whether they will be forthcoming about their controls, then the answer to the last question about acceptable risk is most likely “no”.

Regarding the third question about trust, third-party audit reports are the best way to gain assurance that vendor controls are both adequate and effective. SOC reports give third-party validation that financial reports (SOC 1) and information privacy, security, confidentiality, availability and integrity (SOC 2) are both adequate (Type 1) and effective (Type 2). Without this validation all you have is the assertion of the vendor, which is inadequate for high-risk vendors. For third-party providers that either process, transmit, or store customer data, a SOC 2 Type II report is essential.

One more thing about controls…you should do everything you can to match the control to the risk. For example, if there is a high degree of complexity in the service the vendor provides, identifying an alternate vendor is important. If the criticality is high (as defined by the recovery time objective of any interdependent services), then you should insist on a copy of the vendor’s business continuity plan and testing results. Audited financials are also important for all critical contracted services to assure that the vendor has the financial strength and stability to honor the terms of their contract. And as I mentioned previously, a SOC 2 report is essential if the vendor processes or stores customer NPI.

To summarize the entire 3-part vendor management process: First, you must identify the source of the risk. In other words, the vendors you utilize along with their associated products and services (more here). Second, each vendor must be assessed for risk…risk arising from access to customer NPI and confidential data, risk arising from vendor failure, risk arising from vendor criticality and complexity (more here). Finally, controls are applied to reduce risk down to an acceptable level. Follow this 3-part approach when you tackle vendor management internally… and demand it from your provider if you outsource the process.

[poll id=”9″]

18 Nov 2014

Hot Topics Tom Hinkel 5 Comments

Vendor Management in 3 Parts. Part 2 – Risk Assessment (or, “will they or won’t they?”)

In Part 1 I said that vendor management, just as any other risk management endeavor, consists of 3 basic phases;

Identify the risk
Assess the risk, and
Control the risk

I also discussed why risk identification was a more difficult task today because of the “access to data” question, and also because “data” includes not just NPI, but confidential data as well. Everyone from your technology providers to the office cleaning crew could have access to non-public or confidential data, and as a result must be included in Phase 2; the risk assessment. The good news is that even though all vendors must be assessed, only a handful will required significant follow-up in terms of controls reviews (phase 3).

So in this post I will discuss how the risk assessment of vendors has changed over the last few years. Traditionally assessing a vendor was limited to determining the extent to which the vendor had access to (and could possibly disclose) non-public customer information (NPI). This grew out of GLBA, specifically the privacy and security elements of the legislation. Today regulators expect a much broader assessment of third-party risk. In addition to NPI, you must also assess vendor access to confidential information, such as HR records, Board reports, strategic plans and unaudited financials. You should also understand how a failure of the vendor’s product might affect your ability to deliver critical products or services to your customers. Does the vendor provide interdependencies to critical products? If they failed, how many of your services would fail too? Additionally, how difficult (costly & time consuming) would it be to find an alternate vendor, should the need arise?

In a recent speech to a community bankers group, Thomas J. Curry (current FFIEC chairman and Comptroller of the Currency) stated:

“While they have important benefits and are in many ways an essential part of business, it can be easy for financial institutions to become overly dependent upon third parties and overly-trusting. But just because these contractors have long client lists and hard-to-duplicate expertise doesn’t mean they are infallible.”

So vendor risk assessments really come down to determining “will they or won’t they?”:

Will they or won’t they…disclose customer NPI?
Will they or won’t they…disclose confidential information?
Will they or won’t they…fail?
Will they or won’t they…meet the terms of the contract?
Will they or won’t they…continue to meet our strategic objectives?
Will they or won’t they…properly manage their third-party relationships?

Once these questions have been addressed (i.e. asked and answered) you have a good idea of the raw, or inherent, risk level. Now you are expected to…

“…have risk management practices in place that are commensurate with that risk.”

Asking the right “will they or won’t they” questions are the key to accurately assessing inherent risk. The next step is to manage (i.e. control) the risk at acceptable levels. More on that in Part 3.

[poll id=”9″]

11 Nov 2014

From the Field Tom Hinkel 1 Comment

Guru Briefs – OCC on Cybersecurity & MRA’s, FFIEC on Cybersecurity Assessments

(NOTE: Guru Briefs are short takes on recently released regulatory activity. They are not a detailed analysis, but designed to draw attention to the Guru’s initial impressions.)

In this edition:

The OCC has been particularly active on the regulatory front lately, and even non-OCC institutions may want to pay attention, as the head of the OCC is also the Chairman of the FFIEC. I comment on 3 recent OCC pronouncements.
The FFIEC has completed the cybersecurity risk assessments, and issued some observations.

First up, the OCC recently updated their guidance on Matters Requiring Attention, or MRA’s. Classified generally as examination “findings”, MRA’s are the most severe type of findings, as they require the immediate attention of senior management and timely (i.e. rapid) corrective action. While it’s good to see this process standardized (at least among OCC examiners, other agencies have yet to follow suit), what struck me was how the “open” items (those items that have yet to be corrected) were classified. Particularly one that I haven’t seen before…”Self-identified”. A “Self-identified” MRA is defined as:

“A significant unresolved concern that the bank initially discovered. A bank’s action to self-identify concerns is an important consideration when the OCC assesses the adequacy of the bank’s risk management system.“

So in other words, you discovered a deficiency first, and then either brought it to the attention of the regulator or they found it. Instead of counting against you. this actually strengthens the regulator’s view of your risk management system. Essentially this is an MRA that has a positive impact on your institution! I’ve discussed this “control self-assessment” process before. Don’t be afraid of finding problems, it’s much better that you find them then the regulator!

Next up from the OCC, the Chairman (Thomas J. Curry) gave a speech on cybersecurity to the 10th Annual Community Bankers Symposium recently. Here are a few of my observations:

Smaller institutions may be more at risk from cybercrime because of their lack of internal resources compared to larger institutions, so collaboration with information sharing organizations is particularly important.
Management is encouraged to incorporate cyber-incident scenarios into their business continuity and incident response planning.
It’s “extremely important” for management to understand their risk exposure to cyber-threats and vulnerabilities.
Because of the high degree of connectedness among institutions and their third-party providers, managing those relationships is vital. Curry states that “third-party relationships have been a significant area of concern for years, and not just in the area of cybersecurity.” The agency has, and will continue to, play a role in watching over these providers, but they stress that their supervision “does not take the place of due diligence or ongoing monitoring” on your part.

Lastly from the OCC, could we see merchants held to the same security standards as financial institutions? Consider this statement from Chairman Curry in the same speech:

“…we need to level the playing field between financial institutions and merchants. The same expectations for security of customer information and customer notification when breaches occur should apply to all institutions. And when breaches occur in merchant systems, it seems only fair to me that they should be responsible for some of the expenses that result.”

This is long overdue in my opinion, merchants are considered the weakest links in the cybersecurity chain. The challenge will be enforcing it. Until merchants are under the same regulatory burden as financial institutions, they will have no incentive to comply. PCI-DSS has been proven ineffective, after all both Target and Home Depot claimed to be PCI compliant prior to their breaches.

Finally, the FFIEC has concluded their cybersecurity assessments and issued some general observations. Summarizing:

Management must understand their own cybersecurity exposure (see OCC Chairman comments above).
Key to this understanding your cybersecurity status is understanding who connects to you, and how.
Manage your third-party relationships, and understand how your vendors are managing their third-parties.
Expand your disaster recovery and incident response processes to incorporate cyber incident scenarios (again, see Chairman Curry’s remarks above).

…and last but not least…

“As a result of the Cybersecurity Assessment, FFIEC members are reviewing and updating current guidance to align with changing cybersecurity risk.” In other words, new guidance is on the way!

12…8 Next →