Tag: vendor risk management

10 Jul 2014

Cybersecurity – Part 1

Cybersecurity has gotten a lot of attention from regulators lately, and with assessments already underway it promises to be a regulatory focus for the foreseeable future.  But exactly what are they expecting from you, and how does that differ from what you may be doing already?  More importantly, how should you demonstrate that you are cybersecurity compliant?

First of all, it’s important to understand that, at least initially, regulators will only be gathering data.  They may offer verbal feedback, but don’t expect any written examination findings or recommendations at this time.  What they will be doing is assessing the overall posture of cybersecurity.  It would appear that the regulators are following the NIST cybersecurity framework that came out earlier this year in response to the Presidential Executive Order that came out in February of 2013.  The NIST framework provides a common mechanism for organizations to:

  1. Describe their current cybersecurity posture;
  2. Describe their target state for cybersecurity;
  3. Identify and prioritize opportunities for improvement within the context of a continuous and repeatable process;
  4. Assess progress toward the target state; and
  5. Communicate among internal and external stakeholders about cybersecurity risk.

It would appear that financial regulators are currently on step 1: gathering information in order to describe the current state of cybersecurity across the financial industry.  Of course, once the current state has been established, I expect that the “target state” for cybersecurity (step #2) will involve additional regulatory expectations.

So what do you need to do now?  Well, if you’ve kept your information security, business continuity, and vendor management policies and procedures up-to-date, probably not much.  Cybersecurity is simply a subset of each of those existing policies.  In most cases, ‘cyber’ refers to either the source or nature of the attack or the vulnerability.  Your InfoSec policies (including incident response) should already address this, and so should your business continuity plan.  In other words, you should already have procedures in place to secure customer and confidential data and recover critical business processes regardless of the source or nature of the threat.  Your policies should all be impact-based, not threat-based.

Your risk assessments, however, may need to be adjusted if they don’t specifically account for cyber threats.  For example, critical vendors should be assessed for their exposure to, and protection from, cyber threats, with your controls adjusted accordingly (e.g. audit reports, penetration tests).  Your BCP risk assessment should account for the impact and probability of cyber, as well as traditional, fraud, theft and blackmail.  All that said, regulators will likely be looking for specific references to ‘cyber’, so it won’t hurt to make sure your policies include the term as well.

For me, the biggest takeaway from the flurry of cybersecurity activity (the 2013 Presidential Directive, the 2013 FFIEC working group, the 2014 NIST Cybersecurity Framework, the recent FFIEC statements on ATM Hacking and Heartbleed and DDoS attacks, as well as the FDIC’s recent C-level cybersecurity webinar) is this: for the vast majority of outsourced financial institutions, cybersecurity readiness means (A) managing your vendors, and (B) having a proven plan in place to detect and recover if a cyber-attack occurs.

According to the FDIC, here are the required elements of a cybersecurity risk management program…notice the last two:

  • Governance – risk management and oversight
  • Threat intelligence and collaboration – Internal & External Resources
  • Third-party service provider and vendor risk management
  • Incident response and resilience

I’ve covered vendor management and incident response before.  In Part 2 I’ll break down each of the four elements in greater detail, and tell you what you’ll need to do to demonstrate compliance.

05 Nov 2013

The OCC Sets a New Standard for Vendor Management…

…but will it become the new standard for institutions with other regulators?  UPDATE – The answer is yes, at least for the Federal Reserve.

Readers of this blog know that I’ve been predicting an increase in vendor management program scrutiny since early 2010.  And although the FFIEC has been very active in this area, issuing multiple updates to outsourcing guidance in the past 2 years, it appears that the OCC is the first primary federal regulator (PFR) to formalize it into a prescriptive methodology.

So if you are a national bank or S&L regulated by the OCC, what you’ll want to know is “what changed?”  They’ve been looking at your vendor management program for years as part of your safety & soundness exams; exactly what changes will they expect you to make going forward?  The last time the OCC updated their vendor management guidance was back in 2001, so chances are you haven’t made many substantial changes in a while.  That will change.

However, if you are regulated by the FDIC or the Federal Reserve or the NCUA, so what?  Nothing has changed, right?  Well no…not yet anyway.  Except for a change adding a “Vendor Management and Service Provider Oversight” section in the IT Officer’s Questionnaire back in 2007, the FDIC hasn’t issued any new or updated guidance since 2001.  Similarly, the NCUA last issued guidance in 2007, but it was really a re-statement of existing guidance that was first issued in 2001.  So considering the proliferation of outsourcing in the last 10 years, I believe all of the other regulators are overdue for updates.  Furthermore, I believe the OCC did a very good job with this guidance, and all financial institutions regardless of regulator would be wise to take a close look.

So what’s changed?  I compared the original 2001 bulletin (OCC 2001-47) side-by-side with the new one (OCC 2013-29), and although most of the content was very similar, there were some significant differences.  Initially they both start out the same way; stating that banks are increasing both the number and the complexity of outsourced relationships.  But the updated guidance goes on to state that…

“The OCC is concerned that the quality of risk management over third-party relationships may not be keeping pace with the level of risk and complexity of these relationships.”

They specifically cited failure to assess the direct and indirect costs, failure to perform adequate due diligence and monitoring, and multiple contract issues, as troublesome trends.

Conceptually, the new guidance focuses around a 5-phase “life-cycle” process of risk management.  The life-cycle consists of:

  • Planning,
  • Due diligence and third-party selection,
  • Contract negotiation,
  • Ongoing monitoring, and
  • Termination

First of all, a “cycle” concept strongly suggests that a once-a-year approach to program updates is not sufficient.  Secondly, I think the planning, or pre-vendor, phase is potentially the most significant in terms of the changes that regulators will expect going forward.  For one thing, beginning the vendor management process BEFORE beginning the relationship (i.e. before the vendor becomes a vendor) seems like a contradiction in terms (although it is not entirely new to readers of this blog), so many institutions may have skipped this phase entirely.  But it is at this planning stage that elements like strategic justification and complexity and impact on existing customers are assessed.  Those are only a few of the considerations in the planning phase; the guidance lists 13 in all.

The due diligence and contract phases are clearly defined and also expanded, but fairly consistent with existing guidance*.  And although termination is now defined as a separate phase, the expectations really haven’t changed much there either.

On-going monitoring (the traditional oversight phase) has been greatly expanded, however.  The original guidance had 3 oversight activities: the third party’s financial condition, its controls, and the quality of its service and support.  The new guidance still has those 3…and adds 11 more, covering everything from insurance coverage, to regulatory compliance, to business continuity and managing customer complaints.

But perhaps the biggest expansion of expectations in the new guidance is the banks’ responsibility to understand how the vendor manages their subcontractors.  Banks are expected to…

“Evaluate the third party’s ability to assess, monitor, and mitigate risks from its use of subcontractors and to ensure that the same level of quality and controls exists no matter where the subcontractors’ operations reside.” (Bold added)

Shorter version: “Know your vendor…and your vendor’s vendor”.  And this expectation impacts all phases of the risk management life-cycle.  Subcontractor concerns start in the planning stage, continue through due diligence and contract considerations, add control expectations to on-going monitoring, and even impact termination considerations.

In summary, everything expands.  Your pre-vendor & pre-contract due diligence expands, oversight requirements (and the associated controls) increase, and of course everything must be documented…which also expands!  The original guidance listed 5 items typically contained in proper documentation; the updated guidance lists 8 items.  But it’s the very first item on the list that caught my attention because it would appear to actually re-define a vendor.  Originally the vendor listing was expected to consist of simply “a list of significant vendors or other third parties”, which, depending on the definition of “significant”, was a fairly short list for most institutions.  Now it must consist of “a current inventory of all third-party relationships”, which leaves nothing to interpretation and expands your vendor list considerably.**

So if you are regulated by the OCC you can expect these new requirements to be incorporated into the examination process fairly soon.  If not, use this as a wake-up call.  I think you can expect the other federal regulators to follow suit with their own revised guidance.  The OCC has just set the gold standard.  Use this opportunity to get ahead of your regulator by revisiting and enhancing your vendor management program now.

 

* Safe Systems customers can get updated due diligence and contract checklists from their account manager.

** All vendors on the list must be risk assessed, and although the risk categories didn’t change (operational, compliance, reputation, strategic and credit) some of the risk elements did.  Matt Gunn pointed out one of the more interesting changes in his recent TechComply post.  I’ll cover that and others in a future post.