Identifying and Managing Third Party Data Security Risk



Similar documents
Information Technology

White Paper on Financial Institution Vendor Management

Vendor Management: An Enterprise-wide Focus. Susan Orr, CISA CISM CRISC CRP Susan Orr Consulting, Ltd.

Cyber and Data Risk What Keeps You Up at Night?

Outsourced Third Party Relationship Management/ Vendor Management. TTS Webinar July 15, 2015 Susan Orr CISA, CISM, CRISC, CRP

New York State Department of Financial Services. Update on Cyber Security in the Banking Sector: Third Party Service Providers

VENDOR RISK MANAGEMENT UPDATE- ARE YOU AT RISK? Larry L. Llirán, CISA, CISM December 10, 2015 ISACA Puerto Rico Symposium

Cloud Computing Risks in Financial Services Companies: How Attorneys Can Best Help In An Increasingly SaaS-ified World

Cybersecurity Assessment

FFIEC Cybersecurity Assessment Tool

Navigating Vendor Management Issues in Today s Regulatory Environment

Any business relationship between a bank and another entity, by contract or otherwise

Logging In: Auditing Cybersecurity in an Unsecure World

Cybersecurity: What CFO s Need to Know

The Emergence of the ISO in Community Banking Patrick H. Whelan CISA IT Security & Compliance Consultant

FFIEC Cybersecurity Assessment Tool Overview for Chief Executive Officers and Boards of Directors

KLC Consulting, Inc. All Rights Reserved. 1 THIRD PARTY (VENDOR) SECURITY RISK MANAGEMENT

CYBERSECURITY EXAMINATION SWEEP SUMMARY

Cyber Security Pr o t e c t i n g y o u r b a n k a g a i n s t d a t a b r e a c h e s

ICBA Summary of FFIEC Cybersecurity Assessment Tool

MEMORANDUM. Date: October 28, Federally Regulated Financial Institutions. Subject: Cyber Security Self-Assessment Guidance

Cybersecurity. Regional and Community Banks. Inherent Risks and Preparedness.

Vendor Management. Outsourcing Technology Services

Ed McMurray, CISA, CISSP, CTGA CoNetrix

FINRA Publishes its 2015 Report on Cybersecurity Practices

Attachment A. Identification of Risks/Cybersecurity Governance

Pursuing Compliance with the FFIEC Guidance Risk Assessment 101 KPMG RISK ADVISORY SERVICES

Vendor Management Compliance Top 10 Things Regulators Expect

IT Best Practices Audit TCS offers a wide range of IT Best Practices Audit content covering 15 subjects and over 2200 topics, including:

Click to edit Master title style

Cyber Security Auditing for Credit Unions. ACUIA Fall Meeting October 7-9, 2015

Vendor Risk Management Financial Organizations

DUE DILIGENCE Designing and Implementing a Three-Step Cybersecurity Framework for Assessing and Vetting Third Parties (Part One of Two)

TESTIMONY OF VALERIE ABEND SENIOR CRITICAL INFRASTRUCTURE OFFICER OFFICE OF THE COMPTROLLER OF THE CURRENCY. Before the

OCIE CYBERSECURITY INITIATIVE

Appendix J: Strengthening the Resilience of Outsourced Technology Services

By: Gerald Gagne. Community Bank Auditors Group Cybersecurity What you need to do now. June 9, 2015

Cybersecurity Issues for Community Banks

Morgan Stanley. Policy for the Management of Third Party Residential Mortgage Servicing Providers

Instructions for Completing the Information Technology Officer s Questionnaire

Outsourcing Technology Services A Management Decision

CFPB Readiness Series: Compliant Vendor Management Overview

Client Update SEC Releases Updated Cybersecurity Examination Guidelines

Vendor Management Compliance Top 10 Things Regulators Expect

Client Security Risk Assessment Questionnaire

HITRUST CSF Assurance Program You Need a HITRUST CSF Assessment Now What?

CYBERSECURITY: PROTECTING YOUR ORGANIZATION AGAINST CYBER ATTACKS. Viviana Campanaro CISSP Director, Security and Compliance July 14, 2015

The Changing IT Risk Landscape Understanding and managing existing and emerging risks

Third-Party Cybersecurity and Data Loss Prevention

Security Controls What Works. Southside Virginia Community College: Security Awareness

Past vs. Present: Third Party Risk

THE BEST PRACTICES FOR DATA SECURITY AND PRIVACY IN VENDOR/ CLIENT RELATIONSHIPS

University of Pittsburgh Security Assessment Questionnaire (v1.5)

LEGAL ISSUES IN CLOUD COMPUTING

VENDOR MANAGEMENT An Update & Discussion

Cybercrime and Regulatory Priorities for Cybersecurity

FinTech Webinar Series: Vendor Management Principles

Cybersecurity The role of Internal Audit

INFORMATION SECURITY GOVERNANCE ASSESSMENT TOOL FOR HIGHER EDUCATION

9/13/ /20 Vision for Vendor Management & Oversight. Disclaimer. Bank Service Company Act - FIL-49-99

¼ããÀ ããè¾ã ¹ãÆãä ã¼ãîãä ã ããõà ãäìããä ã½ã¾ã ºããñ à Securities and Exchange Board of India

Dodging Breaches from Dodgy Vendors: Tackling Vendor Risk Management in Healthcare

DESIGNATED CONTRACT MARKET OPERATIONAL CAPABILITY TECHNOLOGY QUESTIONNAIRE

White Paper THE FIVE STEPS TO MANAGING THIRD-PARTY RISK. By James Christiansen, VP, Information Risk Management

NIST Cybersecurity Framework & A Tale of Two Criticalities

Italy. EY s Global Information Security Survey 2013

Using the HITRUST CSF to Assess Cybersecurity Preparedness 1 of 6

Considerations for firms thinking of using third-party technology (off-the-shelf) banking solutions

Data Breach Response Planning: Laying the Right Foundation

Department of Management Services. Request for Information

What is Management Responsible For?

Office of Inspector General

REGULATIONS FOR THE SECURITY OF INTERNET BANKING

Intel Enhanced Data Security Assessment Form

Top 10 Tips and Tools for Meeting Regulatory Requirements and Managing Cloud Computing Providers in the United States and Around the World

The Keys to the Cloud: The Essentials of Cloud Contracting

Data Security and Healthcare

Cyber Security. John Leek Chief Strategist

Five keys to a more secure data environment

Cybersecurity and Privacy Hot Topics 2015

Cloud Security Implications for Financial Institutions By Scott Galyk Director of Software Development FIMAC Solutions, LLC

Protec'ng Data and Privacy in a World of Clouds and Third Par'es Vincent Campitelli

New York State Department of Financial Services. Report on Cyber Security in the Banking Sector

VENDORINSIGHTU P D A T E

Third Party Security Guidelines. e-governance

2015 CEO & Board University Cybersecurity on the Rise. Matthew J. Putvinski, CPA, CISA, CISSP

Intelligent Vendor Risk Management

Statement of the Office of the Comptroller of the Currency. Provided to the Subcommittee on Financial Institutions and Consumer Protection

White Paper on Financial Industry Regulatory Climate

SATURDAY, FEBRUARY 28, 2015 CLE 10 (Ethics) 9:30 a.m. 10:30 a.m. Moving to the Cloud - Identifying & Managing Legal, Ethical and Compliance Risks

Outsourcing in the Financial Services Industry: Finding Opportunities and Managing Risk. New York. OCC and FRB Guidance on Managing Third-Party Risk

PCI Compliance for Cloud Applications

Supplier Security Assessment Questionnaire

Information Security Management System for Microsoft s Cloud Infrastructure

Into the cybersecurity breach

Domain 1 The Process of Auditing Information Systems

APPENDIX G ASP/SaaS SECURITY ASSESSMENT CHECKLIST

Current Developments Concerning Cybersecurity. ICI General Membership Meeting Legal Forum Jillian Bosmann and Nancy O Hara Thursday, May 19, 2016

Transcription:

Identifying and Managing Third Party Data Security Risk Legal Counsel to the Financial Services Industry Digital Commerce & Payments Series Webinar April 29, 2015 1

Introduction & Overview Today s discussion: What is third party risk? Why should companies care? How do companies assess it? What are the criteria used to develop a framework to manage the risk? How do you deal with residual risk? 2

Vendor Management: Popular with the Financial Regulators Since April 2012, the federal financial regulatory agencies have issued or taken: At least 15 enforcement or similar actions based at least in part on third party oversight At least 18 guidance documents addressing how financial institutions must manage third parties At least six notable other public statements on the obligation to oversee third parties 3

Evolving Regulatory Expectations OCC Bulletin 2013-29 (10/30/13) Updates and replaces OCC Bulletin 2001-47 Enhances and augments the previous Bulletin in many notable areas Most detail of any regulatory guidance Failure to have in place effective risk management process commensurate with risk and complexity of relationships may be an unsafe and unsound banking practice FRB Supervisory Release 13-19 (12/5/2013) Addresses risks from service providers Intended to build on the FFIEC Examination Handbook and be consistent with the OCC guidance 4

Securities and Exchange Commission Cybersecurity Examination Program in 2014 Several questions on third party oversight in cybersecurity Results announced in February 2015 Noted some findings relating to vendors 5

Some Primary Requirements in Privacy & Data Security The Gramm-Leach-Bliley Act HIPAA/HITECH State laws and regulations Massachusetts California Nevada 6

Service Providers A defined term in the context of privacy and data security In reality often read to be much broader Service Provider Vendor Third Party Does the terminology matter? OCC states: A third party relationship is any business arrangement between a bank and another entity by contract or otherwise. 7

Security Breaches & Vendor Management Notice requirements under the breach requirements Contractual requirements Aftermath of an incident 8

New York State Department of Financial Services on Third Party Risk May 2014 Reported survey results of 150 banking organizations that highlighted the industry s reliance on third party service providers for critical banking functions as a continuing challenge December 2014 Announced new examination procedures focused on cybersecurity and included examination procedures and questions on: Third party provider management Third party service provider vetting, selecting, monitoring & due diligence April 15, 2015 Published an update on Cybersecurity in the Banking Sector: Third Party Service Providers 95% of banking organizations conduct specific information security risk assessments of at least their high-risk vendors While nearly all have policies that require reviews of information security practices both during vendor selection and periodically, only 46% required pre-contract on-site assessments and only 35% required periodic on-site assessment of at least high-risk third party vendors While most institutions require vendors to represent they have established minimum security requirements, only 36% require those security requirements be extended to subcontractors 68% of the surveyed institutions (78% of large institutions) carry insurance to cover cybersecurity incidents. However only 47% reported having cyber insurance that explicitly cover information security failures by a third-party vendors. 9

Key Steps in Any Third Party Security Risk Process Understand the business and its environment Industry Legal & regulatory Marketplace Geography Identify the inherent data security risks (e.g. risk catalogue), the controls necessary to mitigate those risks, and the level of acceptable residual risk Evaluate the nature of the relationship with the third party Business process, service performed, product provided Data asset access, use, share, cross-border transfer Technology - level of integration, outsourcing Perform an assessment to determine: The ability of the third party to comply with requirements (governance, controls, skill-sets) Classification of risk the third party poses to the company (high, medium, low) Determine the risk level of the third party provider Identify additional controls necessary to reduce risk to an acceptable level or determine if an exception and risk acceptance process is applicable Incorporate controls and requirements in contracts and agreements (e.g. right to audit) Assess periodically to determine: Compliance with contract and agreement Any changes that would impact the risk profile 10

Third Party Risks: Types of Risks When assessing third party security risks it is important to consider the impact on the financial, operational, regulatory, market and reputational risk of the business. Areas of potential risk in pre- and post contract security assessments include: Governance HR/Skillsets Vulnerability Incident Mgmt Physical Security BYOD Board Involvement Sr. Management Tone at the Top Awareness /Leadership Background checks Skill-Set Levels Appropriate Authority Access to Leadership CISO or CISO Equivalent Intrusion Detection Patch Management Attack & Penetration Testing Perimeter Clean Desk Policy Secure Disposal Techniques Credential/Access Monitoring BYOD Initiatives Encryption Remote Wipe Data custodianship & Sharing Enterprise Program Breach Response Outsourcing Risks Logging and Monitoring Resilience Governance Structure Policies, Procedures Security Program Privacy Program Funding Common definitions Established response plan Communication Protocols Response Tming Availability Compliance & Enforcement Location Access & Data Sharing Architecture Retention Aggregation Anomaly Recognition Periodic Review Availability Disaster Recovery Business Continuity On-Going Assessing Change Management Data Assets Fourth-party Risks Cloud / Virtual Encryption M&A / Spin-off Classification/Sensitivity Sharing & Use Cross-border Transfer Onward Transfer Re-Identification Sub-contractors - Serial Complexity Location Availability Communication Cloud Architectures Cloud Providers Viability Control Responsibility Multi-Tenancy Environment Availability & Accessibility Enterprise Strategy Key Management Storage & Transit Data Ownership Custodianship Privacy Policy Co-Mingling 11

Assessments & Assurance Initial security risk assessment: May involve the use of a questionnaire, and on-site review or both A scoring mechanism may be used to score individual questions or security and privacy control areas Scores may be aggregated and ranked in a scorecard indicating high, medium, or low risk Periodic security risk assessments: May be correlated to risk ranking of the third party or the criticality of the business process or data asset involved High risk third parties may be required to obtain third party audits (e.g. SOC-2) Third parties with access to credit card data may be required to undergo PCI audited Medium or lower risk entities may be assessed through as part of the internal audit rotation or a self-assessment process The frequency of the audit/assessment process may also reflect the risk ranking Risk Level Assessment Type Time Period HIGH Third Party Audits: PCI SSAE 16 - SOC-2, SOC-3 Annually MEDIUM Internal Audit + Self assessment 2-3 year rotation Annual LOW Self Assessment Annual or bi-annual 12

Risk Factors Some factors that may be considered in risk ranking : Specific regulatory or industry requirements Critical infrastructure status Sensitivity or criticality of data assets Financial value of transaction or services Volume of data or transaction level Complexity of the business model of the third party Maturity of the program or control environment Geographical location, cross border data transfer History of breach Highly integrated architecture with broad access High degree of publicly facing websites/access Serial outsourcing (4th party) or ecosystem ( nth party) environment 13

Cyber: Practical Steps Revise policies, procedures, and training materials Assess response plans in light of industry trends and recent incidents Planning and conducting of breach preparedness exercises Revising breach-related provisions in vendor agreements (including cloud services agreements) Have (and possibly employ) a right to audit Conducting an on-site Breach Day including one or more of the above items 14

Contact Information Margo H.K. Tank Partner 202.349.8050 mtank@buckleysandler.com Rena Mears Managing Director 202.349.7977 rmears@buckleysandler.com James T. Shreve Associate 202.461.2994 jshreve@buckleysandler.com 15

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information