In reviewing recent security incidents at several New York City banks, an article in the October 21st New York Times1 focused on an ever recurring theme – the need to closely scrutinize how well a financial institution’s vendors provide IT security to protect access to data and systems. While the theme itself isn’t new, the article revealed that the Treasury Department is now engaged in a “sweeping effort”1 to require banks to increase their procedures for determining if vendors are adequately protecting their data and access to their systems.
Discussions about the need to improve vendor risk procedures began in earnest last fall when the OCC issued its latest guidance on third party risk (OCC Bulletin 2013-29). In that Bulletin the OCC introduced the concept of managing risk throughout the entire vendor lifecycle, and stressed the importance of senior management’s “proactive involvement” in all phases of the vendor lifecycle. Since many of the requirements detailed in OCC 2013-29 echo current best practices for vendor due diligence, it is reasonable to wonder why vendor risk continues to be such a highly visible issue.
Vendor Assessment Challenges
Perhaps the most compelling reason for the discussion is that following vendor due diligence best practices can be a very costly and resource intensive activity, one that only the largest financial institutions have the capacity to address. This leaves the majority of financial institutions in the position of being unable to adequately monitor and address vendor risk.
In addition, many companies don’t truly understand the breadth of their vendor population and the risks posed by those vendors. Until the Target breach it is safe to assume that few companies considered the ability of their HVAC vendors to pose a substantial risk to customer data and company systems.
Finally, as noted by the Times in Tuesday’s article, many companies rely on contract provisions requiring vendors to provide substantial IT security protection without performing the due diligence necessary to determine if the vendors can, in fact, provide the required level of protection. Unfortunately, many vendors lack the resources necessary to implement and maintain sophisticated IT security, leaving reliance on contract provisions a poor substitute for vendor assessments.
Improving Vendor Assessments
Fortunately there are ways that you can improve your vendor due diligence in spite of these challenges. Take as much of the manual effort out of the process by standardizing your due diligence and automating evidence collection and workflow/tasks. This improves the accuracy and speed at which assessments are performed, allowing the same number of staff to conduct substantially more assessments.
Make sure that you have an accurate and current inventory of your vendors including the data and systems they can access. Equally important – put in place procedures to insure that the list (and the information and systems accessed) are kept current.
Go beyond reliance on contract provisions to protect your data. Risk rate your vendors based on the activities they perform and then evaluate their ability to satisfy those contractual obligations through effective due diligence.