The CFPB, FRB, FDIC and FFIEC have always acknowledged the need for financial institutions to rely on vendors and other third parties to outsource certain functions, products and services. However, the compliance and reputation risks of doing so are a top regulatory concern and come with consequences.
Nobody wants to expose consumers to security risks, particularly at the hands of a trusted vendor.
It’s up to financial institutions to manage their vendors and other suppliers, and to amend their arrangements as necessary, in order to protect their own interests and those of their account holders.
Vendor risk management presents its own challenges.
Here are just a few:
The time to identify and manage risk. Obviously, the sooner the better. Risks need to be identified as early as possible so they can be managed and remediated before they become full-blown emergencies with catastrophic consequences for your account holders’ financial security and your institution’s reputation.
Prioritizing your response. In order to know what priority or severity to assign a situation or risk, you need accurate information. After all, your risk posture is only as strong as the data that underpins it. It’s vital that you conduct independent assessments of your vendors and not rely solely on their own internal security protocols or procedures, or on their self-reported answers.
Unforeseen fourth-party risks. It’s difficult enough to monitor your own and your vendors’ systems for vulnerabilities. But what about the partners and suppliers that your vendors use? What risks do they introduce? Are they compliant with all of the rules and regulations of the financial industry? Do your monitoring and oversight activities include them? All of these things need to be considered.
In this era of SaaS, plug-and-play, and other user-friendly technologies, each of which can introduce its own exposure to data breaches and other risks, it’s vital that you perform continuous vendor monitoring. Continuous monitoring provides the transparency and granular detail needed to identify security gaps, not just at your vendors but at your vendors’ suppliers as well.
This level of scrutiny allows for a tailored approach to each vendor rather than a one-size-fits-all approach. It yields better information, aligned to your operational resources, for prioritizing your response. This way you can proactively focus on the most pressing issues instead of relying on routine surveys and questionnaires that look for the same issues over and over again.
It’s nearly impossible to conduct business today without the help of vendors and third party suppliers.
Whether it’s help with marketing, IT or even compliance and risk management, it’s imperative that you perform due diligence to ensure your vendors, and theirs, have strict protocols in place that protect you and your account holders from security risks.
We have heard this over and over but it’s worth repeating: “You can outsource a function, but not the responsibility for any mishaps.”