White Paper on Financial Institution Vendor Management

Transcription

1 White Paper on Financial Institution Vendor Management Virtually every organization in the modern economy relies to some extent on third-party vendors that facilitate business operations in a wide variety of ways, including by providing products and services that require them to have access to sensitive information maintained by the organizations they serve. Financial institutions are no exception, with banks increasingly outsourcing certain functions wholesale (such as tax, legal, audit, or information technology operations). Certain vendors may become so deeply involved in a financial institution s inner workings that the vendor s role is as essential to the bank s operations as any other internal constituency. These vendors remain outside parties, however, and as such they present a constant potential source of privacy, security, reputational, and compliance risk. The task of managing these risks in the context of ever-evolving security threats can be daunting. Regulators expect financial institutions to practice effective risk management with respect to all of their operations, including activities carried out by vendors and other third parties on the financial institution s behalf. Specifically, the Safeguards Rule issued pursuant to the Gramm-Leach-Bliley Act (GLBA) requires financial institutions to oversee vendors by (1) taking reasonable steps to select and retain service providers that are capable of maintaining appropriate safeguards for the customer information at issue; and (2) contractually requiring service providers to implement and maintain such safeguards. 1 What constitutes reasonableness with respect to these steps will vary depending on the size of the financial institution, as well as the type and volume of information it maintains, its general risk profile, and how it uses vendors in the processing of customer information. As part of its overall information security and governance program, every financial institution must develop and implement a tailored plan for the effective management of privacy and security risks associated with third-party vendors. In October 2013, the Office of the Comptroller of the Currency ( OCC ) issued a bulletin offering guidance to help financial institutions develop assessment and risk management processes that are commensurate with the level and complexity of their third-party relationships. 2 More comprehensive and rigorous oversight must be applied to vendors that are involved in critical activities, such as payments, clearing, settlements, custody, information technology, or any other services that could create a significant impact on the financial institution s operations or its customers. The OCC s guidance details a risk management life cycle with respect to vendor management, as illustrated below. Effective vendor management is a continuous process that involves five key elements: (1) pre-planning; (2) due diligence in the vendor selection process; (3) negotiating for contractual protections; (4) monitoring vendors for compliance; and (5) managing termination of the vendor relationship. This paper summarizes each phase of the vendor risk management life cycle and provides guidance on how financial institutions should approach privacy and data security considerations in the context of vendor relationships C.F.R (d). 2 See Third-Party Relationships: Risk Management Guidance, OFFICE OF THE COMPTROLLER OF THE CURRENCY, Oct. 30, 2013, available at

2 I. Planning Financial institutions must consider privacy and data security issues even before they begin the process of soliciting vendors to conduct activities on their behalf. Business units within financial institutions should not assume that it will be appropriate or advisable to use a third party for an activity without first considering the ramifications of outsourcing the proposed functions. The planning phase of the life cycle contemplates a careful consideration of the potential risks involved with a proposed activity and identifying possible areas of concern prior to examining specific vendor candidates. The financial institution should develop a plan to manage the relationship that is commensurate with the level of risk associated with the proposed activity, as well as the complexity of the proposed vendor relationship. Proper planning should include steps such as: Creating an inventory of all potential privacy and security risks inherent in the activity the vendor will carry out; Evaluating potential information security implications, including those associated with allowing a vendor access to the financial institution s systems and confidential information; Conducting a cost/benefit analysis to weigh the costs associated with controlling the identified risks against the anticipated benefits to the organization; Assessing the complexity of the arrangement from the outset by considering factors such as whether the outsourced activity will require cross-border data transfers, the potential role of subcontractors in conducting the activity, and whether technology modifications or upgrades may be required; Considering the nature of customer interaction with the vendor, including whether customer information will be used for marketing purposes;

3 Detailing all potential information security implications of the vendor relationship, including the extent to which the vendor will have access to the financial institution s systems and confidential information; Mapping out how the financial institution will select, assess, and oversee the vendor, including procedures for monitoring the vendor s compliance with the contract. II. Due Diligence and Vendor Selection Once the financial institution has developed a plan to proceed with a vendor engagement, but prior to entering into the contract negotiation phase, each potential vendor should be subject to extensive review and a thorough due diligence process to assess the vendor s posture with respect to privacy and data security issues. Again, the amount and depth of diligence should be commensurate with the level of risk and complexity associated with the vendor relationship, with more extensive due diligence applicable to vendors that will be performing critical bank functions. Below we list some of the key considerations that should factor into the due diligence process: Legal and Regulatory Compliance: To the extent the vendor is subject to specific legal or regulatory requirements, verify that the vendor is not under investigation and has not been targeted for enforcement actions by its regulator(s), and that it is not otherwise out of compliance with its obligations. Verify that the vendor is capable of complying with all applicable domestic and international laws and regulations relevant to the proposed activity. Operational Qualifications: Verify that the vendor has the necessary licenses to operate and the expertise, processes, and controls required to service financial institutions such that the vendor can comply with all industry-specific domestic and international laws and regulations. Information Security Posture: Assess the vendor s information security program, including by reviewing its information security policies and procedures. Request copies of recent third-party assessments of the vendor s security profile and compliance posture. Evaluate the vendor s infrastructure and network security, and interview key security personnel who will be responsible for implementing security measures applicable to the financial institution s data. Management of Information Systems: Evaluate the vendor s business processes and discuss the technology that will be used to support the proposed activity. Consider all potential gaps in service-level expectations and technology, paying special mind to possible interoperability issues. Assess the vendor s processes for inventorying its information assets and how the vendor manages its relationships with its subcontractors. Resilience: Assess the vendor s policies and processes in place to respond to service disruptions or other interruptions resulting from natural disasters, human error, or malicious attacks (including cyber attacks). Review the vendor s disaster recovery and business

4 continuity plans and consider whether the vendor s time frames for resuming activities and recovering data are acceptable to the financial institution. III. Incident Management and Reporting: Review the vendor s incident reporting and management programs to ensure the vendor has established clearly-documented processes for identifying, reporting, investigating, and escalating actual and suspected security incidents that may affect the financial institution s data. Physical Security: Examine the physical and environmental controls the vendor has in place to protect the infrastructure that will house the financial institution s data, including how the vendor ensures the safety and security of its facilities, technology systems, and employees. Reliance on Subcontractors: Ask that the vendor describe the ways in which it may outsource certain functions that may affect the financial institution s data. Specifically, verify whether the data may be processed by subcontractors in jurisdictions outside the United States, and determine the data transfer mechanisms by which the vendor moves data across borders. Consider the vendor s ability to assess, monitor, and mitigate risks associated with its subcontractors activities, and ensure that the vendor imposes contractual requirements on its subcontractors to safeguard sensitive data. Note that in some cases it may be necessary to conduct separate diligence with respect to certain subcontractors, if those parties will have significant access to, or responsibility for, the financial institution s data. Insurance Coverage: Determine how the vendor protects against losses associated with data security breaches and cybersecurity incidents. In addition to the financial protection offered by such coverage, the fact that a vendor maintains insurance coverage often signifies a proactive corporate culture and a risk-averse approach to data security issues. The level of coverage should be commensurate with the level of risk associated with the vendor s operations. Contract Negotiation As discussed above, financial institutions subject to the GLBA are required to impose contractual obligations on their vendors to implement and maintain appropriate safeguards for customer information. The GLBA s requirements are not prescriptive and do not specify what would constitute appropriate safeguards for any given vendor. As always, financial institutions should consider the size and nature of their operations, how the vendor in question will access the institution s data, and the specific risks associated with the proposed vendor activity. The OCC s vendor management guidance offers suggestions for negotiating contracts with third party vendors. Below we outline some of the key privacy- and security-oriented provisions financial institutions should consider when outsourcing activities that will involve access to customer information. Disclosure/Access Restrictions: The contract should stipulate that the vendor will hold all information it receives from the financial institution in strict confidence and limit access to such information to personnel who have a need to access the information to perform their

5 job functions. Further, the vendor must immediately notify the financial institution of any subpoena or other legal order seeking access to or disclosure of the financial institution s information that is being maintained by the vendor. Data Security Safeguards: The contract should require that the vendor implement a written information security program that complies with applicable privacy and security laws and includes appropriate administrative, technical, and physical safeguards designed to protect against threats and hazards to the security or integrity of the financial institution s data, including protecting against any unauthorized access to such data. Notification of Security Breach: The contract should require the vendor to provide immediate notification to the financial institution in the event of an actual or suspected security breach affecting the financial institution s data, and should specify to whom such notification should be made and that the vendor is responsible for costs associated with responding to the breach incident. Audit Rights: Given that monitoring vendor compliance is a key part of the vendor risk management life cycle, the contract should include provisions allowing the financial institution to audit and otherwise monitor the vendor s information security procedures and safeguards, to verify that the vendor is adequately protecting the financial institution s data. Compliance with Applicable Laws and Regulations: This provision obligates the vendor to comply with privacy and data security laws and regulations as well as industry standards and best practices, including an illustrative list of the laws and regulations applicable in the financial services sector, including, but not limited to, the GLBA (including the Privacy Rule and the Safeguards Rule), security breach notification laws, Fair Credit Reporting Act requirements, and state financial privacy laws and regulations. Information Use: The contract should clearly state whether (or how) the vendor may use the financial institution s information, including customer information. Generally, the vendor should only access or use such information for purposes of fulfilling its obligations under the contract. A vendor may seek to use the information for other purposes (such as to improve its services or conduct analytics), but such activities may pose risks to the financial institution s information. Further, activities of that nature generally offer a benefit to the vendor that should be reflected in an offset of costs commensurate with the benefit (if the financial institution agrees to permit such uses at all). Business Continuity and Disaster Recovery: The contract should describe the vendor s obligations in the event of natural or mad-made disasters (including cyber attacks) affecting the vendor s ability to fulfill its obligations under the contract. With respect to information governance specifically, the contract should detail how the vendor will back up and otherwise protect customer information that it maintains on the financial institution s behalf. Indemnification: The financial institution may seek to obtain indemnification against claims resulting from violations of the privacy and data security provisions of the contract,

6 in particular with respect to claims stemming from data breach incidents caused by the vendor. IV. Insurance: The vendor may be required to maintain adequate data security breach and cybersecurity insurance, to notify the bank of material changes to coverage, and to provide evidence of coverage where appropriate. Default and Termination: The contract should stipulate that a breach by the vendor of the contractual requirements relevant to privacy and data security will constitute a breach of contract giving the financial institution termination rights. Specifically, a security breach should be deemed a breach of contract for contract termination purposes. Return or Destruction of Data at Termination: The contract should specify that, promptly upon the expiration or earlier termination of the contract, the vendor must either return or securely destroy (as specified by the financial institution) all data it maintains on behalf of the financial institution, and provide proof of such secure destruction in the form of an Officer s Certificate or other similar certification. Subcontracting: The contract should detail the circumstances under which the vendor must notify the financial institution of its intent to use a subcontractor, specify any activities that cannot be subcontracted, and (as appropriate or as required by law) prohibit the transfer of the financial institution s data to certain foreign jurisdictions. Ongoing Monitoring As discussed above, risk management with respect to vendor security practices is an ongoing process and financial institutions must remain vigilant throughout the life of the relationship. Regular monitoring is essential, with heightened attention to vendors that perform critical functions or handle personal information. Given that vendor relationships may evolve over time, financial institutions should periodically assess existing vendor relationships to determine whether a given vendor s access or responsibilities have changed such that the vendor requires additional monitoring or updated contract provisions. Some key components of the ongoing monitoring function include: Allocating personnel who have the appropriate expertise to oversee and monitor vendors; Setting schedules and establishing metrics for monitoring activities to ensure monitoring is conducted regularly and in a systematic fashion; Conducting on-site visits to evaluate the vendor s ability to meet its contractual obligations (such visits may be particularly useful for assessing physical safeguards); Reviewing audit reports produced by the vendor and/or by third parties the vendor engages to audit its security processes (as stipulated in the contract); and

7 Escalating identified concerns appropriately so that senior management is apprised of potential risks associated with the vendor relationship and can act to modify or terminate the relationship as necessary and appropriate. V. Termination Vendor relationships may expire naturally as set forth in a service agreement, or they may be terminated prior to expiration by either party for a variety of reasons. Although termination may arise out of contentious circumstances, it also may result from a business decision to bring certain activities in-house, or a desire to switch vendors for a better financial arrangement or broader product offerings. Regardless of the reason for the termination, financial institutions must prepare for the end of the vendor relationship and manage the separation in an efficient and organized fashion. Developing a plan ahead of time to manage the termination process is essential, particularly in cases that involve a breach of contract or other event that necessitates an abrupt end to the relationship. Generally, the termination plan should include: VI. Estimates regarding which personnel and resources will be necessary to manage the termination and transition process; A timeline and/or checklist detailing the process for unwinding the vendor relationship (and establishing a new vendor relationship) in a manner that complies with applicable laws and regulations and minimizes any impact on customer service; An overview of the risks associated with data retention and destruction issues that arise when severing ties with a vendor that has had access to and/or maintained the financial institution s data, and a list of steps the financial institution may take to mitigate such risks; A plan for moving the services in-house until a new vendor can be properly vetted and a contract negotiated (or, if no new vendor can be identified, a permanent move in-house); Proposals for managing potential reputational harm that may result if the termination is contentious or is caused by a data security breach or similarly high-profile failure by the vendor that may be attributed to the financial institution. Conclusion Virtually all financial institutions engage some, if not many, third-party vendors to assist with a variety of internal functions. As these vendors become more intertwined and essential to key processes within financial institutions, the potential risks posed by their access to personal data and internal systems grow apace. Financial institutions can help mitigate some of these risks by carefully reviewing guidance issued by regulatory authorities such as the OCC, and taking a measured, conscientious approach to the evaluation, selection, retention, and ongoing surveillance of their vendors.