Vendor Management
Federal Deposit Insurance Corporation, Division of Risk Management Supervision, Atlanta Regional Office
June 18, 2014
Agenda
- Introduction
- Vendor Management Overview
- Regulatory Expectations
- Board and Management Responsibilities
- Framework Guidelines
- Contracts
- Business Continuity Plans
Common Outsourced Services
- Core Application
- Item Processing
- IT Security Audit
- Fraud Analysis
- Website Management
- Card Processing
- Mortgage Servicing
GLBA: Oversee Service Provider Arrangements
Each bank shall:
1. Exercise appropriate due diligence in selecting its service providers;
2. Require its service providers by contract to implement appropriate measures designed to meet the objectives of these Guidelines; and
3. Where indicated by the bank's risk assessment, monitor its service providers to confirm that they have satisfied their obligations as required by paragraph D.2. As part of this monitoring, a bank should review audits, summaries of test results, or other equivalent evaluations of its service providers.
Risk Considerations
- Strategic
  - How does this service provider fit into the institution's goals and objectives?
  - Are the Directors involved in the process?
- Transaction/Operations
  - Service-level metrics
  - Disaster recovery
  - Security-related controls
- Credit
  - Cash flow
  - Subcontractors
Risk Considerations (cont.)
- Reputation
  - Interactions not consistent with Institution policies
  - Violations of law and regulations
  - Security breaches disclosing sensitive information
- Country
  - Judicial providence
  - Political considerations
- Compliance
  - Laws, regulations
  - Institution's policies
- Other
  - Interest rate
  - Price
  - Legal
  - Foreign currency
Board and Management Oversight
- Policy Review and Approval
  - Key board function
  - REVIEW, not just Approval
- Institute Repeatable Framework
  - Involve various departments of the institution: Compliance, Legal, Credit, Operations
  - Assign business owner as sponsor of program
- Safeguard Sensitive Information
- Business Continuity Planning
- Reporting
  - Annual report to Board required by GLBA
  - Significant vendors identified
Risk Management Framework
1. Institute Risk Assessments
  - Include key personnel and departments
  - Assign and define risk ranges
  - Identify time and diligence required at each category
2. Identify, Quantify, and Reduce Risk
  - Similar to your enterprise risk assessment
  - Consider qualitative analysis as well
3. Incorporate Reminder Capability
  - Tickler
4. Provide for Ongoing Due Diligence
5. Keep It Simple and Intuitive
  - Flowchart the process
Risk Management Framework (cont.)
6. Use a Similar Process for All Vendors
  - Flexibility is key
7. Maintain Details of Current and Past Reviews
  - Archival
  - Historical
8. Ensure Board Reporting and Involvement
Vendor Checklist
- Vendor Name and Service
- Nature of the Service
- Data
  - Company data (confidential)
  - Customer data (sensitive)
  - Intangible property
- Usage
- Magnitude of Performance Problems
  - Financial
  - Reputational
  - Operational
- Contractual Details
  - Date, term, and value of contract
Vendor Checklist (cont.)
- Interaction frequency with the third party
- Geographical (global) considerations such as location of third parties and number of physical locations (Business Continuity)
- Compliance with rules, regulations, law, etc.
- ID primary relationship owner within the organization
- Annual spend
- Risk scoring
- Audit reports
- Right-to-audit clause
Contracts (Fees and Costs)
- Legal
- Audit
- Examination
- Equipment
  - Hardware
  - Software
- Fee Calculations
  - Development
  - Programming
  - Conversion
  - Recurring Services
  - Special Requests
Contracts (Service Performance Clause)
- Response Times
- System Availability
- Data Integrity
- Core Report Availability
  - Frequency
  - Type
- Peripheral Reports
  - Control/Audit
  - Financial
  - Security
  - Business Continuity
- Quantity
- Format
- Archival
SOC Determination
1. Security
2. Availability
3. Processing Integrity
4. Confidentiality
5. Privacy
of a System and Its Information
Contracts (NPPI)
Nonpublic Personally Identifiable Information data is any list, description, or other grouping of consumers (and publicly available information pertaining to them) derived using any personally identifiable financial information that is not publicly available.
Contracts (Default and Termination Clause)
- Force Majeure
- Mergers and Acquisitions
- Convenience
- Substantial Increase in Cost
- Repeated Failure to Meet Service Levels
- Failure to Provide Critical Services
- Bankruptcy
- Insolvency
Contracts (Ownership and License)
- Ownership Rights
  - Source Code Access
  - Intellectual Property
- Use of Institution's Data
  - Data Mining
  - Marketing
- Use of Processing Hardware
- Use of Software
  - Virtualization
  - Operating System
  - Application Updates
Contracts (Cloud Computing)
- Three Most Important Contract Considerations
  - Data Protection
  - Data Security
  - Jurisdiction
- Security Schedule Recommendations
  - Institution's data separated from others in the Cloud
  - Restrictions on use of data
  - Responses to security breaches
  - Use of security measures such as encryption
  - Access to Vulnerability and Penetration tests
- Natural Concerns
  - Loss of confidentiality (unauthorized disclosure)
  - Loss of integrity (corruption)
  - Loss of availability (deletion)
- End of Contract Concerns
  - Access to data
  - Deletion of data
  - Application Updates
Contracts (Subcontracting)
- Primary Servicer Accountable
  - Must have visibility into subcontractors.
- Define Services, Performance
  - Create metric table. Can be in the form of a Dashboard.
  - Periodically review performance.
- Primary Servicer's Due Diligence Process
  - How does the primary service provider assess contractors?
- Approval Process for Change
  - Institution notified?
  - Institution given choices?
- Foreign Firms
Contracts (Insurance)
- Who is responsible for errors or omissions?
- What about negligence?
- Will the service provider cover any losses of revenue?
BCP Vendor Checklist
- Ensure a disaster recovery and business continuity plan exists and is included in the contract;
- Assess the adequacy and effectiveness of disaster recovery and business continuity plans and their alignment to your own plan;
- Document the roles and responsibilities for maintaining and testing the service provider's business continuity and contingency plans;
- Test the service provider's business continuity and contingency plans on a periodic basis; and
- Maintain an exit strategy.
Customer Notice
- Standard for Providing Notice
- Defining Customer Information
- Affected Customers
- Content of Customer Notice
- Delivery of Customer Notice
Thank You!
Richard Snitzer
IT Examination Specialist
FDIC Atlanta Regional Office
678.916.2224
rsnitzer@fdic.gov
Sources and References
- FFIEC Supplement to Authentication in an Internet Banking Environment (FIL-50-2011)
- FFIEC Retail Payment Systems Handbook (FIL-6-2010)
- Special Alert SA-147-2009: Fraudulent Electronic Funds Transfers (August 2009)
- FFIEC Guidance on Risk Management of Remote Deposit Capture (FIL-4-2009)
- Identity Theft Red Flags, Address Discrepancies, and Change of Address Regulations Examination Procedures (FIL-105-2008)
- FFIEC Guidance: Authentication in an Internet Banking Environment (FIL-103-2005)
Sources and References (cont.)
- Payment Processor Relationships - Revised Guidance (FIL-3-2012)
- Guidance for Managing Third-Party Risk (FIL-44-2008)
- FDIC Supervisory Insights Journal (Quarterly)
- National Institute of Standards & Technology (NIST)
- Trade Associations (ABA, BITS)
- Part 364-B, FDIC Rules and Regulations
- PCI Security Standards Council
- US CERT
Sources and References (cont.)
- Kitten, T. (2013, July 29). New Details on Global, Heartland Breaches. http://www.bankinfosecurity.com. Retrieved May 29, 2014. http://www.bankinfosecurity.com/card-fraud-case-sheds-light-on-breachesa-5946
- Vijayan, J. (2010, May 10). Heartland breach expenses pegged at $140M so far. http://www.computerworld.com. Retrieved May 29, 2014. http://www.computerworld.com/s/article/9176507/heartland_breach_expenses_pegged_at_140m_so_far
- Bradshaw, S., Millard, C., Walden, I. (2010, September 1). Contracts for Clouds: Comparison and Analysis of the Terms and Conditions of Cloud Computing Services. https://hq.ssrn.com/. Retrieved May 28, 2014. http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1662374