Growing cyber threats have made real-time monitoring of vendors an increasingly important element of a vendor management program.
I sat down with Sam Lisker, ABA’s senior vice president of innovation in the office of member engagement, at the 2019 ABA Risk Management Conference in Austin, to talk about this evolving technology and how it can improve vendor risk management at financial institutions.
What did I tell him?
Vendor cyber monitoring can reduce risk.
Vendor cyber monitoring allows bankers to mange vendors’ cybersecurity in real-time. Financial institutions (FIs) can find out if vendor websites are up-to-date with the latest security, if they are certified, and if a vendor has been mentioned on the dark web, signaling a pending attack, among other things.
A vendor cyber monitoring program needs three key elements.
They are the ability to:
Monitor what vendors are doing. Most forms of vendor monitoring tell us what’s happened in the past. This is important, but neglects what’s going on in the present day. Vendor cyber monitoring keeps us abreast of current threats.
Provide actionable alerts. It’s not enough for a problem to be recognized. The right people need to find out what’s going on so that it can be fixed. Vendor cyber monitoring should be designed to alert the correct staff so they can take action.
Supply enough information to allow a vendor to resolve its issues. There needs to be enough information coming in from the monitoring to be able to explain the vulnerability to the vendor so that it can be addressed to prevent cyber breach. It’s an additional layer of assurance.
Vendor cyber monitoring connects with risk appetite, risk tolerance, and residual risk.
An FI’s vendor management program is part of its enterprise risk management (ERM). Vendor management can’t be done in a vacuum.
Every FI needs to determine its overall risk appetite for a vendor breach and data loss. Chances are, that tolerance is very low or even zero. That means the FI needs a vendor management program that will allow the FI to understand its residual risk after controls are in place.
If an FI has a program that only looks at historical data, it may have a gap in its vendor management controls. The real-time information from vendor cyber monitoring can allow the FI to be more proactive in vendor management and lower its overall residual risk.