White paper: Nine Simple Steps to Vendor Management

Size: px

Start display at page:

Download "White paper: Nine Simple Steps to Vendor Management"

Chad Shelton
8 years ago
Views:

1 White paper: Nine Simple Steps to Vendor Management March 2014

2 White Paper: Nine Simple Steps to Vendor Management Using a third-party vendor naturally subjects an institution to risks outside its control. From a data breach to an unexpected shutdown, banks and credit unions are subject to a variety of vendor-related events that could lead to loss of revenue, loss of service or reputation damage. That s why FFIEC stands for vendor management are a significant part of regulatory examinations. Examiners now put a stronger focus on the guidelines, pushing organizations to better prepare themselves for the unexpected. Notably, outsourcing does not remove an institution from liability should vendor fail to meet information security requirements. An effective vendor management program protects an institution by ensuring its vendors are making all necessary efforts to safeguard information and helps prepare for regulatory compliance examinations. Don t Sweat the Small Stuff Vendor management can seem like a tall order, especially when you consider that many banks and credit unions work with more than 100 outside vendors. But oftentimes, institutions make the process harder than it actually is by tackling too many vendor reviews and collecting too much information. The regulations ask you to look at vendors who have access to customer information or processing systems and those that potentially pose critical risks. For most institutions, that s usually no more than a dozen vendors. Focus your attention there. Examiners only expect you to concentrate on those relationships that pose critical risks. Additionally, if you skip this step you potentially appear as if you don t understand the requirements and may open yourself to more questioning. Step-by-Step We ve analyzed the FFIEC vendor due diligence guidelines and consulted examiners to break the process down into nine simple steps. Here s how to get started Step 1: Start with a list of your vendors. List anyone you re doing business with anyone you outsource to in some function, whether it s mowing the lawn, cleaning, credit card processing, public relations, or IT. Step 2: Rate each vendor on criticality Ask yourself, If this vendor stops providing this service tomorrow, what will it do to my organization. If you ll have to shut your doors or stop providing a service, the vendor is critical. If you might not even notice for a while (gosh that grass is getting long), then that s a low criticality vendor. Step 3: Rate each vendor on confidentiality Identify what each vendor has access to in terms of customer information account numbers, names, addresses, account info. As with criticality, rank this access high, medium or low.

That s why FFIEC stands for vendor management are a significant part of regulatory examinations.

3 Step 4: Sort the vendors by rank Sort your list of vendors by both criticality and confidentiality. A high ranking in either category means you need to pay attention to that vendor. Naturally, 12 to 20 vendors will float to the top in either category. If you have more than two dozen in either group, you ve scored them too heavily. Step 5: Normalize your rankings This is a cross check of sorts. Take a look at all your rankings collectively and make sure they make sense as a group. Is it logical that your high risk vendors are really more critical than the ones below? You ll often find minor adjustments when you take a high level overview. Step 6: Identify risks for high ranking vendors According to the regulations, you need to rate all your vendors. But once that s done, you only need to focus on the high criticality and high confidentiality providers. Remember these should be relatively short lists. Identify what risk each of the vendors may pose and what controls they should have in place to temper those risks. For example: This vendor is critical to my operations. What if there s a fire, flood, or power outage? Do they have a disaster recovery plan? A business continuity plan? What happens if they make an error? Do they have liability insurance? They have access to customer information. What security measures are they taking? What is their response plan if a data breach occurs? Does it work with my response plan? Identify the controls (i.e. risk mitigation efforts) they should have in place to a) secure information and b) minimize the impact on your organization. Evaluating Specialist Providers You may feel overwhelmed when it comes to evaluating an IT firm, credit card processor or other complex service provider. Don t be intimidated. The examiners don t expect Herculean review efforts. You don t need to send in your own security testing team. What you do need is assurance the vendor is following industry best practices. When an examiner asks why you feel comfortable with a certain vendor, provide a rational argument and documentation demonstrating you ve done your due diligence. You might request the following: SAS 70 audit report (credit card processors) PCI compliance (credit card processors) Third party certifications Staff experience & education Customer recommendations You don t have to understand the intricacies of a vendor s business. You can secure reasonable proof of quality by relying on third party certifications and other logical evaluation measures. Scout includes recommended due diligence requests for standard financial institution vendors.

Step 5: Normalize your rankings This is a cross check of sorts. Take a look at all your rankings collectively and make sure they make sense as a group.

4 Step 7: Begin your due diligence Start collecting evidence of those control and risk mitigation processes. Create a file. You want to verify the vendor has a plan in place. See if it meshes with your plan and sounds reasonable. Get a copy of their disaster recovery plan and liability policy. Ask for pertinent staff profiles to determine if they have qualified personnel. Check references and be sure other clients report satisfaction. Step 8: Request improvements or switch vendors If the vendor doesn t have adequate controls in place, you need to have a dialogue and convince them to meet your standards. If you can t find resolution, you may need to select a different vendor. Step 9: Reevaluate Annually, go through your list of vendors and decide if their risk rating needs to be changed. Also, reevaluate your high risk vendors to make sure their controls are appropriate for the current risk environment. Has your relationship changed in the last year? Have security threats evolved? Are their certifications up-to-date and contracts current? Continue to manage your risks and relationships. Prepare for the Unexpected The vendor management process helps your organization plan for the unexpected. As you identify the risks, you need to make sure controls and protocols are in place so that should something happen, neither you nor your vendor has a disastrous outcome. Understand the relationship up front, and make plans to deal with any damaging events. The last thing you want to do in a crisis is spend time figuring out what to do next. And when it comes to public relations, any crisis is better contained when you can show that due diligence was both thorough and thoughtful. Simply put, you don t want to fail because you forgot to plan. Scout for Vendor Management The Vendor Manager module in the Scout suite manages the vendor environment in much the same way Information Manager tracks your organization s risk assessment process. Use Vendor Manager to: Rank vendor criticality, confidentially and performance. Schedule and be reminded of due diligence reviews based on risks and FFIEC guidelines. Attach supporting documents. Right from initial use, Scout automates and simplifies vendor management. It guides users through the process, including prompts to request relevant information and conduct reviews. Scout s vendor management module was built using FFIEC guidance and includes the agency s recommended due diligence considerations. Institutions can customize the application, adding their own due diligence criteria. Users report that consistency and organization improve dramatically with Scout. It helps institutions set consistent review criteria and provides a central storage system for contracts, insurance policies and other essential documentation. Scout is a risk management dashboard that also includes modules for GBLA, Red Flags, BSA, ACH, ERM, Controls Audit and Task Management.

Check references and be sure other clients report satisfaction.

Identifying and Managing Third Party Data Security Risk

Identifying and Managing Third Party Data Security Risk Legal Counsel to the Financial Services Industry Digital Commerce & Payments Series Webinar April 29, 2015 1 Introduction & Overview Today s discussion: