News & Commentary

09:26 AM
Tom Hinkel, Safe Systems
Tom Hinkel, Safe Systems
Commentary
50%
50%

Does Your Vendor Management Program Prevent or Promote Cyber Attacks?

With cyber attacks a growing concern for financial institutions, here are some steps banks can take to ensure security against such attacks in their vendor chain.

Because most financial institutions rely on third-party service providers, risk management and vendor management are inextricably linked. In an age where cyber attacks, increased regulatory scrutiny, and reputation risk are high on the list of banker’s concerns, properly managing vendors has become a high priority. Here are a few strategic practices an institution can follow to prevent, detect, and/or mitigate a breach or malicious attack at a service provider.

1. Know what data you share with the vendor, where it is stored and secured, how it gets there, and who has access to it. This is particularly true for cloud-based providers. Both the biggest strength and the biggest weakness of cloud computing is in the redundant and distributed nature of data storage. Having data stored multiple times in multiple locations throughout the country is great for high availability, but makes it almost impossible to ensure compliance with your internal policies for proper retention and destruction of information. Use data-flow diagrams and data classification rules to understand the location and sensitivity of shared data. And if your data is transmitted, stored or processed outside the U.S., you’ll need to understand the rules and regulations of the hosting country as well.

2. Obtain and review any third-party audit reports prior to engagement, and periodically throughout the relationship. Just as with the older SAS 70, third-party audit reports such as the SOC 1 (or SSAE 16) and the SOC 2 (or AT 101) will still be the best way for you to ensure that your vendor’s processes and practices are compliant. And make sure you insist on a Type II report, which adds an all-important testing component to the audit.

3. Make sure all on-line passwords comply with your internal password policy (length, complexity, periodic changes, etc.), and don’t share passwords among sites. Online services may have different authentication capabilities, but if they store or process sensitive or protected information they should still adhere to your policies for accessing internal systems. Use a different set of authentication credentials for online services than you use internally, that way if the vendor experiences a breach it will be contained to that site.

4. Understand the incident response capabilities, as well as the contractual responsibilities, of your vendor. Guidance requires that all financial institutions clearly define the support to be provided by the vendor during and after a cyber-event. Make sure your contract with the vendor requires notification of any cyber-events whether or not they affect you. Ask to be included in any future incident response testing.

Tom Hinkel is the director of compliance for Safe Systems, a compliance-centric IT solutions provider exclusively to the financial industry.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Tom Hinkel
50%
50%
Tom Hinkel,
User Rank: Apprentice
4/5/2013 | 5:55:05 PM
re: Does Your Vendor Management Program Prevent or Promote Cyber Attacks?
I completely agree Jonathan. Consider the most recent guidance updates from the FFIEC...Outsourcing, Supervision of Technology Service Providers, Cloud Computing...all directly related to vendor management. So the guidance is out there now, increased regulator focus is coming!
Jonathan_Camhi
50%
50%
Jonathan_Camhi,
User Rank: Author
4/5/2013 | 4:54:13 PM
re: Does Your Vendor Management Program Prevent or Promote Cyber Attacks?
I think this is definitely an area of risk that regulators need to consider as they focus in on the cyber attacks hitting the industry. I wouldn't be surprised to see more guidelines and regulations coming out that cover this topic.
Register for Bank Systems & Technology Newsletters
White Papers
Current Issue
Bank Systems & Technology - August 2014
Modern core systems are emerging as the foundations of effective channel integration and customer engagement initiatives.
Slideshows
Video
Bank Systems & Technology Radio