Forget about your favorite Halloween horror movie. If you really want a scare, take a look at how poor vendor management has come back to haunt Morgan Stanley to the tune of $60 million.
In 2016 Morgan Stanley closed two data centers. The bank hired a vendor to remove its data from the decommissioned computer equipment. Morgan Stanley later learned that some of the machines still contained some unencrypted data—a fact the Office of the Comptroller of the Currency (OCC) made the bank share with customers in a letter earlier this summer.
Now Morgan Stanley is on the hook for a $60 million civil money penalty from the OCC for vendor management that potentially exposed sensitive customer data.
The bank also faces seven class-action lawsuits accusing it of negligence.
What Went Wrong?
The OCC says Morgan Stanley failed to oversee the decommissioning process, neglecting many steps of the vendor management lifecycle. More specifically, the bank failed to:
- Effectively assess or address the risks associated with the decommissioning of its hardware
- Adequately assess the risk of using third-party vendors, including subcontractors
- Maintain an appropriate inventory of customer data stored on the devices
- Exercise adequate due diligence in selecting the third-party vendor
- Adequately monitor the vendor’s performance
If that weren’t enough, Morgan Stanley did it again. In 2019 the bank “experienced similar vendor management control deficiencies” when decommissioning devices, the OCC says.
Breakdowns in the Vendor Management Lifecycle
Let’s take a closer look at where the vendor management lifecycle broke down.
Bankers know they need to identify critical vendors. These are vendors that present a high level of risk because they have access to sensitive data or could have a major impact on consumers or bank operations if they failed.
But what Morgan Stanley forgot is that it’s also required to identify and assess the risks of outsourcing an activity before selecting a vendor. A financial institution needs to know its risk appetite and assess whether the costs, benefits, and risks of outsourcing an activity align with its overall strategic goals and objectives. It’s basic enterprise risk management (ERM). In this case, the activity outsourced involves protected data, making it a high-risk activity.
It’s also a question of resources. A financial institution needs to assess whether it has the systems and staffing in place to ensure appropriate oversight of vendor relationships. In the case of Morgan Stanley, its large size and deep pockets might have given it a false sense of security. Despite its vast resources, its vendor management failed.
Is the third-party vendor you’re considering hiring capable of doing the job safely and reliably while remaining compliant with all applicable laws, regulations, and policies? These are the questions due diligence should answer. The more risk a vendor presents (i.e., critical vendors), the deeper the diligence should go.
Areas to review include the vendor’s financials, experience, legal and regulatory knowledge, reputation, operations, and internal controls. The results should be reported to the board to inform their decision making.
While Morgan Stanley’s consent order doesn’t go into great detail on what happened, it’s clear that the third-party vendor it hired to help with the decommissioning had less-than-satisfactory internal controls. Maintaining an inventory of the machines in its custody and ensuring all data was removed from them was a basic duty. This means the mistake was not a small oversight. It’s a fundamental flaw.
Contracts should outline the rights and responsibilities of both the vendor and the financial institution, yet the consent order suggests at least one key area of contract management was overlooked: outsourcing.
Unless a contract specifically prohibits outsourcing or requires the vendor to inform the financial institution of any outsourcing arrangements, vendors are free to outsource to other vendors. The fact that the OCC specifically calls out Morgan Stanley for not assessing the risk of using third-party vendors, including subcontractors, suggests that this problem may have stemmed from a fourth-party vendor.
A contract should also include specific information about reporting, including audits and performance. Failure to include these may have led to problems with vendor oversight and ongoing monitoring.
Initial due diligence is not enough. Financial institutions must also engage in ongoing monitoring. This includes assessing the strength of the vendor’s internal controls, its compliance with legal and regulatory requirements, and its fulfillment of service-level agreements, performance metrics, and other contractual terms. Controls should be regularly tested, and significant findings should be documented and reported. Critical vendors should be risk assessed at least annually.
The OCC says Morgan Stanley failed to adequately monitor the vendor’s performance.
The vendor management lifecycle is supposed to ensure strong vendor management. When conducted properly, it provides many opportunities to uncover and mitigate risk. Yet it appears no one was watching this vendor. No one used a vendor management process. Instead, this task was handled carelessly—as though the bank were taking out last week’s leftovers instead of disposing of critical data.
How strong is your financial institution’s vendor management program? Do you have a centralized approach to vendor management? Is your staff—including IT and operations—aware that hiring a vendor is about more than cost and that there is a process to follow to ensure the safety of your institution?
Don’t wait for an examiner to uncover vendor management deficiencies. Make sure your financial institution is consistently applying vendor management across your institution.