Outsourced Third Party Relationship Management/ Vendor Management. TTS Webinar July 15, 2015 Susan Orr CISA, CISM, CRISC, CRP


Risk Management Guidance

Appendix J: 4 Key Elements (FFIEC Business Continuity Planning booklet, Appendix J: Strengthening the Resilience of Outsourced Technology Services)
- Third Party Management
- Third Party Capacity
- Testing with Third Party TSPs
- Cyber Resilience

Risk Management Program

Life Cycle

The risk management process throughout the life cycle of the relationship includes:
- A plan outlining the bank's strategy, the inherent risks, and how the bank will select, assess, and oversee third parties
- Proper due diligence in selection
- Contracts outlining roles and responsibilities
- Ongoing monitoring of activities and performance
- Termination contingency plans
- Roles and responsibilities for overseeing the relationship and the risk management process
- Documentation and reporting: oversight, accountability, monitoring, risk management
- Management reviews to ensure alignment with the strategic goals and objectives of the bank

More comprehensive and rigorous oversight and management of relationships that involve critical activities, such as:
- Significant bank functions (payments, clearing, settlements)
- Significant shared services (information technology)
- Activities that create significant risk if the third party fails to meet expectations
- Activities that could have a significant customer impact
- Activities that require a significant investment in resources to implement and manage the third party
- Activities that could have a major impact on operations if the bank has to find an alternate third party or bring the activity in-house

Oversight and Accountability
- Board
- Senior management
- Employees managing relationships

Board and Senior Management
Board:
- Establish and approve policies governing the use of third parties
- Establish the risk management program
Senior management:
- Ensure execution of the policies
- Oversee development and implementation of the program
- Report to the Board

"A bank's board of directors is required to remain vigilant to the hazards posed by outsourcing functions to third parties, or else risk significant financial and reputational harm to its institution." - OCC and CFPB

FDIC FIL-44-2008: "An institution's board of directors and senior management are ultimately responsible for managing activities conducted through third-party relationships and identifying and controlling the risks arising from such relationships to the same extent as if the activity were handled within the institution."

Committee
Not a regulatory requirement, but a good practice. Suggested membership:
- End user management
- Compliance officer
- Risk officer
- Technology officer
- Audit (liaison)
- Legal (liaison)

Planning
- Discuss inherent risks
- Outline strategic purposes
- Assess complexity
- Cost vs. benefit
- Effect on strategic initiatives
- Impact on dual employees
- Customer interaction
- Security
- Contingency plans
- Laws and regulations
- Selection aligns with bank policies and practices
- Detail the selection, assessment, and oversight of compliance with the contract
- Presented to and approved by the Board of Directors

Strategic Planning
- Integration with overall strategic objectives
- Identify the role of the relationship in conjunction with the business strategy and objectives
- Identify the need/purpose, benefits, costs, and legal issues

Risk Assessment
- Identify all third party relationships
- Identify the risks
- Identify risk mitigation strategies
- Risk rate and rank

Identify all third party relationships, enterprise-wide. Examples:
- HR/payroll processor
- Operations (wires, ACH, ATM, core)
- IT
- Trust
- Cash management
- Law firms
- Marketing
- Accounting
- Lending
- Facilities/security company

Classification Factors
- Mission critical
- Access to NPI
- Information controlled by the third party
- Volume of transactions
- Concentration of dollars
- New activity
- New relationship
- Markets products or services
- High risk activities
- Cloud computing
- Subcontracting / foreign-based contractors
- Foreign-based company
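The "risk rate and rank" step above, applied to an enterprise-wide inventory, as an added example (not code from the webinar or from any regulator's guidance). It scores each relationship against the classification factors listed on this slide and ranks the inventory highest inherent risk first; concentration of dollars is computed against the whole inventory rather than per vendor. The factor weights, the volume and concentration thresholds, the tier cut-offs and the sample vendors are assumptions chosen for illustration; an institution sets its own in its written program.

```python
"""Inherent-risk rating and ranking of a third-party inventory.

Added example, not part of the webinar. Weights, thresholds, tier cut-offs
and the sample inventory are assumptions for illustration only.
"""
from dataclasses import dataclass, field


@dataclass
class ThirdParty:
    name: str
    function: str                    # e.g. core processing, payroll, legal
    mission_critical: bool = False   # significant bank function / shared service
    npi_access: bool = False         # access to non-public personal information
    controls_data: bool = False      # bank information held/controlled by the third party
    annual_transactions: int = 0     # volume of transactions
    annual_spend_usd: int = 0        # used for concentration of dollars
    new_activity: bool = False
    new_relationship: bool = False
    customer_facing: bool = False    # markets products/services to bank customers
    high_risk_activity: bool = False
    cloud: bool = False
    subcontracts: bool = False       # subcontracting / foreign-based contractors
    foreign_based: bool = False


@dataclass
class RiskRating:
    name: str
    score: int
    tier: str
    factors: list = field(default_factory=list)  # audit trail of triggered factors


# Assumed points per classification factor (illustrative, not regulatory values).
FLAG_WEIGHTS = {
    "mission_critical": 4, "npi_access": 3, "controls_data": 2,
    "customer_facing": 2, "high_risk_activity": 2, "foreign_based": 2,
    "cloud": 1, "subcontracts": 1, "new_activity": 1, "new_relationship": 1,
}
HIGH_VOLUME_TXNS = 1_000_000    # assumed threshold for "volume of transactions"
CONCENTRATION_SHARE = 0.10      # assumed: more than 10% of total third-party spend
TIERS = [(12, "Critical"), (7, "High"), (3, "Moderate"), (0, "Low")]  # score floors


def inherent_risk_score(tp: ThirdParty, total_spend_usd: int) -> RiskRating:
    """Score one third party; concentration is relative to the whole inventory."""
    score, factors = 0, []
    for flag, weight in FLAG_WEIGHTS.items():
        if getattr(tp, flag):
            score += weight
            factors.append(flag)
    if tp.annual_transactions >= HIGH_VOLUME_TXNS:
        score += 2
        factors.append("high_volume")
    if total_spend_usd and tp.annual_spend_usd / total_spend_usd > CONCENTRATION_SHARE:
        score += 2
        factors.append("spend_concentration")
    tier = next(label for floor, label in TIERS if score >= floor)
    return RiskRating(tp.name, score, tier, factors)


def rank_inventory(inventory: list) -> list:
    """Rate every relationship and rank highest inherent risk first."""
    total_spend = sum(tp.annual_spend_usd for tp in inventory)
    ratings = [inherent_risk_score(tp, total_spend) for tp in inventory]
    return sorted(ratings, key=lambda r: (-r.score, r.name))


# Constructed sample inventory (illustrative values, not real vendors).
SAMPLE_INVENTORY = [
    ThirdParty("Core processor", "core/ACH/wires", mission_critical=True, npi_access=True,
               controls_data=True, annual_transactions=5_000_000, annual_spend_usd=900_000,
               cloud=True),
    ThirdParty("Payroll processor", "HR/payroll", npi_access=True, controls_data=True,
               annual_transactions=12_000, annual_spend_usd=60_000,
               subcontracts=True, foreign_based=True),
    ThirdParty("Law firm", "legal", npi_access=True, annual_spend_usd=120_000),
    ThirdParty("Marketing agency", "marketing", customer_facing=True,
               new_relationship=True, annual_spend_usd=150_000),
    ThirdParty("Facilities/security company", "facilities", annual_spend_usd=40_000),
]

if __name__ == "__main__":
    for r in rank_inventory(SAMPLE_INVENTORY):
        print(f"{r.name:<30} {r.score:>3}  {r.tier:<9} {', '.join(r.factors)}")
```

The `factors` list on each rating is the part worth keeping: it records why a relationship landed in its tier, which is what the documentation and reporting step later in the deck asks for, and it makes a change in tier between annual reviews explainable to the Board.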

Types of Risk
- Reputation: risk arising from negative publicity or public opinion.
- Strategic: risk arising from adverse business decisions, failure to implement appropriate business decisions, or invalid assumptions.
- Transactional: risk arising from problems with service or product delivery.
- Operational: risk from inadequate or failed internal processes, people, or systems, or from an external event.
- Credit: risk that those necessary to the relationship are unable to meet the terms of the contractual arrangement or perform as agreed financially.
- Compliance/legal: risk arising from violations of laws, rules, or regulations, or noncompliance with internal policies and procedures.
- Concentration: arises when outsourced services or products are provided by a limited number of providers or are concentrated in limited geographic locations.

Other Potential Risks
- Interest rate
- Liquidity
- Market
- Foreign currency translation
- Country risk
- Pricing

Foreign-Based Third Parties
- Background
- Country risk / ability to prosecute
- Compliance risk: US laws, embargoes, sanctions, OFAC

Specific Risks with Technology
- Reliability
- Security
- Scalability
- Compatibility

Failure to Manage/Mitigate
- Regulatory action
- Financial loss
- Reputation issues
- Legal actions
- Impact on the ability to establish new or continue current customer relationships

Written Program Elements
- Overview of the program
- Responsibilities
- Risk management process
- Needs assessment
- Due diligence and selection
- Contracting
- Oversight and monitoring: how to monitor and manage problems with the third party; how to monitor performance against the SLA
- Termination
- Contingency
- Approval process

Needs Assessment
- Function/activity
- Purpose/need served
- Alignment with the strategic plan
- Budgeted amount
- Minimum standards/expectations
- Minimum acceptable characteristics: security/control, oversight reports, BCP, conversion/training, contract requirements

Due Diligence/Selection
- Conduct on all potential third parties prior to selection
- Don't rely solely on prior knowledge or experience
- Should be commensurate with the level of risk and complexity of the relationship; onsite visits may be useful for a full understanding of operations and capacity
- Broaden the scope as necessary

Due Diligence/Selection (areas to review)
- Financial status
- Strategies and goals
- References
- Legal/regulatory compliance issues
- Resilience: BCP, pandemic preparedness, incident response
- Risk management / information security
- Qualifications, background, and reputation of principals
- Employee background checks
- Insurance coverage
- Experience and reputation

Due Diligence/Selection (continued)
- Internal controls
- Facilities management
- Training
- Security of systems
- Privacy/confidentiality
- Maintenance and retention of records
- Use of subcontractors
- Physical security
- Systems development
- Technology/system specifications
- Service support/delivery
- Resource management
- Fee structure
- Conflicting contract arrangements with others

Business Resiliency
- Ensure the third party service provider has its own third party risk management program (for its subcontractors)
- Third party service provider's ability to provide critical services to all of its clients
- Ability to meet stated RTOs and RPOs

Lack of resilience / failure of a TSP: the options are
- Financial institution clients take over operations
- Convert to a new TSP
- A new TSP takes over the existing operations
- Bring the service in-house

Financial Performance and Condition
- Most recent financials
- Sustainability
- Effect of the FI relationship on the SP's financial condition
- SP's commitment to the contracted services
- SP's review of the financial condition of any subcontractor
- Other current issues the SP may be facing that may affect future financial performance
- Insurance coverage

Contract Elements
- Scope of service
- Performance standards/benchmarks
- Security/confidentiality (GLBA)
- Compliance with laws, regulations, and guidance
- Security/controls
- Change management
- Incident response
- BCP/DR
- Right to audit and remediation
- MIS / oversight reports

Contracts (continued)
- Responsibilities for providing, receiving, and retaining information
- Cost and compensation
- Ownership and license
- Indemnification
- Dispute resolution
- Limits on liability
- Default and termination
- Subcontracting
- Foreign-based third parties
- Duration
- Assignment of the contract

OCC: Contracts
- Stipulate that the performance of activities by external parties is subject to OCC examination oversight, including access to all work papers, drafts, and other materials.
- The OCC generally has authority to examine and regulate functions/operations provided by third parties to the same extent as if they were performed by the bank.

Service Level Agreement
Identify the significant elements of the service:
- Processing error rates
- System uptime/downtime
- Speed
- Performance
- Availability/timeliness of service
- Confidentiality/integrity of data
- Change control
- Help desk

Ongoing Monitoring
- Compliance with legal and regulatory requirements
- Insurance coverage
- Key personnel knowledge
- Ability to effectively manage risk
- Confidentiality/integrity of systems and information
- Adequacy of training
- Process for adjusting policies, procedures, and controls in response to changing threats, vulnerabilities, and breaches
- Information technology used / management of information systems
- Business continuity/DR
- Subcontracting
- Consumer complaints and remediation

Ongoing Monitoring (continued)
- Ensure the bank's customer base and data are segregated from the provider's other clients (especially with a cloud provider)
- Internal controls: assess the adequacy of the control environment (SSAE 16/SOC reports, FFIEC examination reports of the TSP)
- Security incidents
- Onsite visits as needed; escalate oversight activities when the third party fails to meet performance, compliance, control, or viability expectations

Ongoing Monitoring: types of reports
- Financial
- Patch management
- Penetration testing
- Security assessments
- Audits
- Incident response
- BCP/pandemic

SSAE 16 and SOC Reports
- SOC 1 (SSAE 16): controls at the service organization relevant to user entities' internal control over financial reporting (ICFR)
- SOC 2: designed for data centers, MSSPs, SaaS vendors, cloud computing and technology providers; reports on controls over security, availability, processing integrity, confidentiality, and privacy rather than ICFR
- Caveat: strictly, SSAE 16 is the standard for SOC 1 only; a SOC 2 is issued under a separate attestation standard, so ask for the report by type. For monitoring purposes a Type II report (controls tested over a period) is worth far more than a Type I (design at a point in time). Check that the report period covers your review window, read the exceptions, note the complementary user entity controls the bank itself is expected to operate, and check whether subservice organizations (the provider's own subcontractors) were carved out of the report.

SOC 2 Trust Services Principles
- Security of systems
- Availability of systems
- Processing integrity
- Confidentiality of information
- Privacy of information

Independent Review
- Senior management should ensure periodic independent reviews are conducted of the third party risk management process, especially for critical activities.
- Internal audit or independent audit
- Report to the Board

FRB - BCP / Appendix J: Business Resiliency
- Ensure a DR/BCP exists
- Assess the adequacy and effectiveness of the plan and its alignment with the bank's plan
- Test the SP's BCP on a periodic basis
- Maintain an exit strategy in the event the SP is unable to perform
- Document roles and responsibilities for maintaining and testing the SP's plan

Termination Contingency Plan
- Management should ensure relationships terminate in an efficient manner.
- Have a plan to bring the service in-house if there are no alternate third parties.

Appendix D: Managed Security Service Providers (MSSPs)
- 2012 update to the FFIEC Outsourcing Technology Services booklet
- Reliance on an MSSP increases risk

MSSP Services
- Network boundary protection
- IDS/IPS
- Event log management/alerting
- AV and web content filtering services
- Email hosting
- Patch management
- Security software management
- Incident response management
- DLP
- Information security consulting services

MSSP Management
The regular risk management program, plus:
- Contract with SLA
- Strategies for transparency/accountability
- Communications
- Review of the MSSP's processes, infrastructure, and control environment

MSSP Management: risk assessment (due diligence and ongoing)
Risk elements:
- Business processes
- Information security infrastructure
- Access management and control
- Data handling
- BCP/DRP
- Incident response
- Awareness and training
- Application development / systems integration
- Malware protection

MSSP Management: education/awareness
- Training content and frequency
- The financial institution's understanding of reports, audits, and security testing

FFIEC Cybersecurity Assessment Tool, Domain 4: External Dependency Management
- Connections
- Relationship management

Document and Report
- Current inventory / risk assessment
- Approved plans to use a third party
- Due diligence results
- Analysis of costs
- Regular reports to the Board on internal control testing and monitoring: audits, security reviews, compliance with the SLA
- Regular reports to the Board on the overall risk management process
- Executed contract
- Regular risk management and performance reports from the third party

Bank Service Company Act (FDIC-supervised institutions)
- Section 7(c)(2): Notification of Performance of Bank Services
- Notify the FDIC of new servicing relationships with third parties; the Act requires written notice within 30 days after the service contract is made or the service is performed, whichever occurs first

Technology Outsourcing: Informational Tools for Community Bankers (FDIC)
- Effective Practices for Selecting a Service Provider
- Tools to Manage Technology Providers' Performance Risk: Service Level Agreements
- Techniques for Managing Multiple Service Providers

Effective Practices for Selecting a Service Provider
- A resource for addressing specific challenges
- Not an exam procedure or official guidance
- An informational tool

Effective Practices
- Objectives in the selection process
- Evaluation and selection
- Negotiating the contract

Contracts
- Exit clause that allows the FI to cancel for reasons such as failure to perform
- The SLA should be stated
- Clear understanding of current and anticipated future requirements of the service
- Obtain a list of all key personnel and any subcontractors, consultants, or third parties on which service delivery depends

Technology service providers encompass a broad range of entities including, but not limited to, affiliated entities, nonaffiliated entities, and alliances of companies providing products and services. This may include, but is not limited to: core processing; information and transaction processing and settlement activities that support banking functions such as lending, deposit-taking, funds transfer, fiduciary, or trading activities; Internet-related services; security monitoring; systems development and maintenance; aggregation services; digital certification services; and call centers. Other terms used to describe service providers include vendors, subcontractors, external service providers (ESPs), and outsourcers.

Tools to Manage Risk: SLA
An SLA is a key component in structuring a successful outsourcing contract. Each service level should define:
- Service category (e.g. system availability or response time)
- Acceptable range of service quality
- Definition of what is being measured
- Formula for calculating the measure
- Credits/penalties for achieving or failing performance targets
- Frequency and interval of measurement

Managing against the SLA
- Measure service activity results against the defined service levels
- Examine the measured results to identify problems or determine causes
- Take appropriate action to correct failed activities, functions, or processes
- Continuously guide service providers through feedback sessions based on objectively measured performance metrics

Successful SLA
- Identify the performance and risk factors that are most crucial
- Make sure the metrics measure what you want
- Focus on your goals
- Be specific; ensure everyone understands the terms and that the terms are clearly measurable
- Measure the performance provided to you, not the aggregate across all of the provider's clients
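The three SLA slides above (the elements of a service level, measuring results against it, and measuring the performance provided to you rather than the provider's aggregate), worked through in code as an added example that is not part of the webinar or of the FDIC tool. It computes a monthly availability measure from per-minute probes with the scheduled maintenance window excluded, applies a service-credit formula, and shows why the last point matters: one tenant's two-hour outage is invisible in the provider's all-client number but breaches the tenant's own 99.9% target. The probe data, tenant names, maintenance window, target, fee and credit bands are all constructed assumptions.

```python
"""Availability SLA measured per tenant versus across all of a provider's clients.

Added example, not from the webinar. Probe data, tenants, SLA terms, the
monthly fee and the credit bands are constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Iterable


@dataclass(frozen=True)
class Probe:
    ts: datetime    # minute the probe was taken
    tenant: str     # which client's instance was probed
    up: bool        # True if the service answered correctly


# Assumed SLA terms: 99.9% availability per calendar month, scheduled maintenance
# excluded from the measurement, service credits as a fraction of the monthly fee.
AVAILABILITY_TARGET = 0.999
MAINTENANCE_WINDOWS = [(datetime(2015, 6, 7, 2, 0), datetime(2015, 6, 7, 2, 30))]
CREDIT_BANDS = [(0.999, 0.00), (0.995, 0.10), (0.990, 0.25), (0.000, 0.50)]  # (floor, credit)


def in_maintenance(ts: datetime) -> bool:
    return any(start <= ts < end for start, end in MAINTENANCE_WINDOWS)


def measure(probes: Iterable[Probe]) -> dict:
    """Return {tenant: [up_minutes, measured_minutes]} over non-maintenance time."""
    totals = defaultdict(lambda: [0, 0])
    for p in probes:
        if in_maintenance(p.ts):          # definition of what is measured: excluded
            continue
        totals[p.tenant][1] += 1
        if p.up:
            totals[p.tenant][0] += 1
    return dict(totals)


def availability(totals: dict, tenant: str = None) -> float:
    """Formula: up minutes / measured minutes, for one tenant or for all tenants."""
    rows = [totals[tenant]] if tenant else list(totals.values())
    up = sum(r[0] for r in rows)
    measured = sum(r[1] for r in rows)
    return up / measured if measured else 0.0


def service_credit(avail: float, monthly_fee: float) -> float:
    """Credit owed to the bank under the assumed banded credit schedule."""
    for floor, credit in CREDIT_BANDS:
        if avail >= floor:
            return round(monthly_fee * credit, 2)
    return 0.0


def sample_month(tenants=("bank-a", "bank-b", "bank-c", "bank-d")):
    """Constructed data: one probe per minute per tenant for June 2015.
    bank-a alone is down for 120 minutes on June 10 (a tenant-specific failure);
    every tenant is down during the 30-minute maintenance window."""
    start = datetime(2015, 6, 1)
    outage = (datetime(2015, 6, 10, 9, 0), datetime(2015, 6, 10, 11, 0))
    for i in range(30 * 24 * 60):
        ts = start + timedelta(minutes=i)
        for t in tenants:
            down = in_maintenance(ts) or (t == "bank-a" and outage[0] <= ts < outage[1])
            yield Probe(ts, t, not down)


def sla_report(probes: Iterable[Probe], our_tenant: str = "bank-a",
               monthly_fee: float = 50_000.0) -> dict:
    totals = measure(probes)
    ours = availability(totals, our_tenant)
    everyone = availability(totals)
    return {
        "tenant_availability": ours,
        "aggregate_availability": everyone,
        "tenant_meets_target": ours >= AVAILABILITY_TARGET,
        "aggregate_meets_target": everyone >= AVAILABILITY_TARGET,
        "credit_due": service_credit(ours, monthly_fee),
    }


if __name__ == "__main__":
    report = sla_report(sample_month())
    print(f"bank-a availability:     {report['tenant_availability']:.4%}")
    print(f"all-client availability: {report['aggregate_availability']:.4%}")
    print(f"bank-a meets 99.9%?      {report['tenant_meets_target']}")
    print(f"aggregate meets 99.9%?   {report['aggregate_meets_target']}")
    print(f"service credit due:      ${report['credit_due']:,.2f}")
```

Two contract points fall out of running it: the measurement must be taken on the bank's own instance (the provider's dashboard will report the all-client figure, which here passes), and the exclusions (maintenance windows) and the credit formula have to be written into the SLA, because whether the 120 minutes cost the provider anything depends entirely on them.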

Techniques for Managing Multiple SPs
- Use a lead contractor who is responsible for establishing subcontracts with other providers and managing their performance
- Use inter-provider operating agreements

Thank You
Susan Orr
www.susanorrconsulting.com
susan@susanorrconsulting.com
630.499.0276