FS-ISAC: Third Parties “Still a Big Risk”
Financial institutions need to continue to pay close attention to third-party access points, control objectives, reporting, monitoring, and gap analysis for the foreseeable future, according to an article in the Financial Services Information Sharing and Analysis Center’s (FS-ISAC) June Risk Summary Report.
The article examines the progress financial institutions have made in managing third-party risk over the past five years since regulators last issued updated guidance on the subject. FS-ISAC finds that while FIs have improved their management of third-party management, more work is needed.
Let’s take a look at the four areas mentioned:
Third-party access points
Everyone knows how the 2013 Target cyberattack was possible: Hackers accessed customer data through its HVAC vendor. That raises an important question. Why did an HVAC vendor have access to customer data?
The more people who have access to your institution’s data, the more vulnerable you are. Access to data should be limited to what’s essential for a vendor to perform its required tasks. Carefully review the needs of third-party vendors to understand the minimal amount of access a third-party vendor requires to perform its duties. It may seem easier to save time and just give everyone full access, but that’s the kind of short-sighted thinking that leads to expensive and time-consuming data breaches.
Internal controls are systematic process and system controls designed to ensure policies and procedures are performed accurately and efficiently. In short, they are the checks and balances that ensure everything is running as it should.
It’s not enough for a vendor to give assurances that its IT security is top notch. While it may not be able to reveal the specific details of its security plans, your vendor agreement should outline controls your vendor uses to ensure strong defenses against cyberattacks and other security issues. It should also provide provisions guaranteeing they will inform you of incidents in a timely manner. The more critical the vendor, the more guarantees and controls you should have.
This is an area where many financial institutions fall short. In a review of 48 contracts sampled across 19 institutions, less than half (42 percent) completed a vendor risk assessment that considered a vendor’s access to sensitive data and a due diligence review addressing risk management systems and performance, according to the FDIC’s Office of Inspector General’s (OIG) evaluation Technology Service Provider Contracts with FDIC-Supervised Institutions published last year.
Despite the frequent mentions of internal controls in guidance, the OIG review found more than a third of contracts didn’t address internal controls for business continuity while another 29 percent of contracts failed to address internal controls for incidence response.
The lack of contract provisions addressing internal controls is unsettling. Better provisions could give FIs greater confidence in data security, minimize fallout from breaches, and allow for quicker system restoration, the OIG notes.
Without internal controls, there is no way to effectively review vendor relationships, and there’s no process to ensure problems are flagged and reported up the chain.
Reporting and monitoring
Due diligence is an essential part of any vendor relationship. Proper oversight involves monitoring a vendor’s risk management practices on a regular basis, not just at the beginning of the relationship.
A strong vendor agreement will provide access to reports and audit results that help monitor the vendor’s internal controls, systems and data security, and privacy protections, as well as business resumption strategies and contingency plans.
But it’s not enough just to have a contract saying you’ll get the reports. You also have to ensure you’re receiving those reports when promised. If not, your institution needs to be proactive in asking for them. You can’t perform thorough due diligence without them.
Due diligence doesn’t end when reports and audit results are collected. They need to be reviewed as part of a gap analysis to determine whether the vendor is meeting its contractual expectations.
Look for weaknesses and take action to correct them. If you find out there was a breach you weren’t informed of or there were other shortfalls, they need to be addressed immediately. Either your vendor needs to give you assurances that the problem has been corrected, or you may need to find a new vendor. This process should be made easier by termination provisions in your contract that allow you to leave a vendor without penalty if they don’t meet the expectations of your service level agreement.
These four areas are a reminder of how vendor management is a proactive process that requires constant attention. Make sure you have processes in place to remind you of important due diligence milestones, like receiving and reviewing reports. Also make sure you’ve spent the time to evaluate critical vendors and ensure they face stronger internal controls.
A good vendor partner can make your institution, but a bad one can cause a whole lot of trouble.