Because most financial institutions rely on third-party service providers, risk management and vendor management are inextricably linked. In an age where cyber attacks, increased regulatory scrutiny, and reputation risk are high on the list of bankers’ concerns, properly managing vendors has become a high priority. Here are a few strategic practices an institution can follow to prevent, detect, and/or mitigate a breach or malicious attack at a service provider.
1. Know what data you share with the vendor, where it is stored and secured, how it gets there, and who has access to it. This is particularly true for cloud-based providers. Both the biggest strength and the biggest weakness of cloud computing lie in the redundant and distributed nature of data storage. Having data stored multiple times in multiple locations throughout the country is great for high availability, but it makes it almost impossible to ensure compliance with your internal policies for proper retention and destruction of information. Use data-flow diagrams and data classification rules to understand the location and sensitivity of shared data. And if your data is transmitted, stored, or processed outside the U.S., you’ll need to understand the rules and regulations of the hosting country as well.
2. Obtain and review any third-party audit reports prior to engagement, and periodically throughout the relationship. Just as with the older SAS 70, third-party audit reports such as the SOC 1 (or SSAE 16) and the SOC 2 (or AT 101) will still be the best way for you to ensure that your vendor’s processes and practices are compliant. And make sure you insist on a Type II report, which adds an all-important testing component to the audit.
3. Make sure all online passwords comply with your internal password policy (length, complexity, periodic changes, etc.), and don’t share passwords among sites. Online services may have different authentication capabilities, but if they store or process sensitive or protected information they should still adhere to your policies for accessing internal systems. Use a different set of authentication credentials for online services than you use internally; that way, if the vendor experiences a breach, it will be contained to that site.
4. Understand the incident response capabilities, as well as the contractual responsibilities, of your vendor. Guidance requires that all financial institutions clearly define the support to be provided by the vendor during and after a cyber-event. Make sure your contract with the vendor requires notification of any cyber-events whether or not they affect you. Ask to be included in any future incident response testing.
Tom Hinkel is the director of compliance for Safe Systems, a compliance-centric IT solutions provider exclusively to the financial industry.