Financial institutions have followed an upward trend toward outsourcing critical applications and IT services for several years. Advances in technology and outsourced services allow institutions to provide their customers with a vast array of products and services that may previously have been out of reach. However, these outsourcing opportunities can also bring significant additional risk. How do you treat your vendors when it comes to performing due diligence? Do you review and audit vendors' controls as if they were part of your internal organization, or do you sign the contract and "hope for the best"?
Financial institutions continue to expand their use of outsourced services to help grow the business. There are undoubtedly many benefits to outsourcing, including lower costs, increased efficiency, and improved focus on the bank's core business operations and objectives. Selecting solid, reputable third parties, and monitoring their services effectively, are critical for success. If vendors lack strong safeguards and controls, your institution may be exposed to significant financial, operational, regulatory and reputational risk. Particularly if a vendor is handling sensitive customer information or key transactions, any sort of catastrophe impacting the vendor will impact your business as if it were happening directly inside your building, and your regulators and customers will hold your institution, not the vendor, accountable. Natural disasters, data breaches, cyberattacks and system outages are but a few of the incidents that could wreak havoc on your institution if they hit your service providers. Such vendor risks need to be managed just as if they could happen on your "home field"; your institution's reputation depends on it.
When managing vendor risk, institutions must have an effective vendor management program in place, not only for selecting the right vendor for the job, but also for monitoring performance and controls on a regular basis. There are several questions you should be asking your service providers during the selection process, as well as periodically throughout the relationship:
- Security Policy: Do you have an information security policy in place? How is it communicated to all employees and contractors? Is it reviewed and updated on a regular basis?
- Employee Practices: Do you perform background checks on prospective employees who will be handling sensitive information? Are nondisclosure agreements in place?
- Physical Security: How secure is your data center? Do you have strict control over who has physical access to the servers and storage that house your institution's data, and is that access logged? What controls do you have around data loss prevention (DLP), including removable media? Have your uninterruptible power supply (UPS) batteries and backup generators been serviced and tested periodically? What are your procedures for wiping and destroying hardware components (disks, backup media, network devices) when they are retired?
- Network Infrastructure: What are your policies for managing and configuring firewalls? Do you allow remote access into your network from outside the data center? If so, how is this access controlled and monitored? What about wireless or mobile access?
- Logical Access: Do you have written procedures for granting and revoking access to the network and to critical applications (i.e., the applications that process your institution's data)? Is there appropriate segregation of duties? Is access restricted on a need-to-know basis, especially for administrator accounts? How quickly is access revoked for terminated employees, and how often are access rights reviewed?
- Encryption: Does your information security policy dictate where and when encryption must be used? Do you encrypt data at rest (on servers, storage and backup media), in motion (moving across the network), and, where feasible, in use (while being processed in memory)? How are encryption keys generated, stored and rotated, and who has access to them? Which certificate authority issues your website's SSL/TLS certificates?
- Disaster Recovery and Backups: Do you have written policies and procedures defining actions to take in the event of disaster at your primary data center? Where is your backup data center located in relation to the primary? When was your disaster recovery plan last tested, and what were the results? Describe your process for conducting backups (e.g., full, incremental, continuous). How often are backups conducted? Do you encrypt backup media? Where/how is media stored when taken offsite?
- Information Security: Do you perform vulnerability scans and penetration testing periodically, and how quickly are findings remediated? Is anti-virus software in place, with regular updates of virus definition files? Do you have intrusion detection and monitoring measures in place? What events are captured in logs, how long are they retained, and how do you review them?
This, of course, is just a small subset of the questions that should be asked. Effective due diligence and vendor monitoring activities can (and should) be risk-based, depending on the criticality of the vendor to the success of your business, and on the amount and sensitivity of your data that the vendor handles. For your most critical vendors, not only should you ask all of the pertinent security questions, but you should also obtain evidence that the controls are in place and operating, for example an independent audit report (such as a SOC report) covering the services you use, and read its scope and exceptions rather than simply filing it. A well-written vendor contract should also include a "right-to-audit" clause, and you should consider invoking this right periodically for an on-site audit of selected vendors.
Speaking of contracts... When coming up with appropriate Service Level Agreement (SLA) metrics, most institutions are very good at defining performance-related metrics, such as system uptime, response rates and transactions per minute. But what about security metrics? Serious consideration should be given to requiring notification within a defined time frame in the event of a suspected data breach or security-related incident affecting your data, along with timely patching of critical vulnerabilities and regular delivery of audit and test results. Again, think of your service providers as if they were your own internal IT department, and write SLAs that demand the same level of security performance you would expect internally.
Appropriate solutions can really vary when it comes to vendor management, and your procedures for initial vendor selection and oversight should be tailored to your institution’s specific risk appetite. Schneider Downs has industry specific experience to advise financial institutions on their third-party risk management programs, and we are standing by to assist.
© 2014 Schneider Downs. All rights-reserved. All content on this site is property of Schneider Downs unless otherwise noted and should not be used without written permission.