September 3, 2018
Manage Vendors to Manage Risk
By Terry Ammons, Systems Partner, Porter Keadle Moore
Banking at its core is the business of managing risk for others. From deposit accounts to payment options and loan products, the entire culture of an institution is centered on identifying, controlling and responding to risk. Despite this, however, one area where the financial services industry is still struggling to succeed is vendor risk management.
Today, third-party vendors are ubiquitous within modern businesses, and financial institutions are no different. Working with technology partners requires institutions to accept a certain level of risk that must be managed both internally and externally. While regulatory, compliance and security issues still resound as top priorities for bankers, when choosing to work with new tech providers, the best approach to risk management is not avoidance, but a deeper understanding that helps the institution identify, prioritize, control and respond to any event that may cause a business interruption.
The hard truth is that responding to risk after a breach or incident has occurred is potentially more expensive – to the bottom line and to reputational brand equity – than implementing the necessary steps to safeguard the institution from the beginning.
Not All Vendors Are Created Equal
While regulatory compliance is not specific to banking, compared to most other industries, banks and credit unions have a much higher bar to reach when developing internal risk management programs. Federal regulators are closely evaluating the institutions they are charged with overseeing, and bankers must be vigilant in holding risk management programs to the highest level of scrutiny. Since a disaster in one area of the bank or credit union can affect the entire institution, risk management is an enterprise-wide concern and should be dealt with as such. This includes incorporating risk management efforts into the institution’s culture, organization, processes, technologies, personnel and physical infrastructure.
The first step toward creating a successful vendor management program is to categorize risk on a sliding scale of priority. Some institutions mistakenly apply the same level of risk to each of their vendors – regardless of the service provided, the level of access granted or the type of data shared. This can be a time-consuming and oftentimes damaging approach, as some vendors pose a larger threat to an institution than others. For example, some vendors will pull more sensitive information from a bank, which naturally necessitates a higher level of scrutiny on the bank’s part. By categorizing vendors based on risks, institutions can help focus their efforts and better ensure that nothing slips through the cracks.
Build Your Safety Net
While an institution may lack direct control over its vendor and their systems, it is nevertheless the institution’s responsibility to ensure that proper safeguards are in place to protect itself, its customers’ information and the integrity of the institution/vendor relationship. After evaluating and determining the risk profile of each vendor, the institution must conduct its own due diligence to ensure that the vendor is upholding its end of the contract.
The vendor bears some responsibility here as well. Regardless of risk assignment, a vendor must provide documentation that demonstrates its security arrangements and controls. While this usually occurs in the beginning of a vendor relationship, institutions should require their partners to provide quarterly and annual reports and analysis of their systems to satisfy not only the institution’s requirements, but its regulators as well.
Ideally, evaluation will be an ongoing effort that does not impede day-to-day operations. After all, even if everything is in place in the beginning of the relationship, those same controls may not necessarily be sufficient in the future. Specialized access to consumer information not only requires protections to be in place, but also to evolve with the changing cybersecurity landscape.
The relationship between vendor and banker needs to be a symbiotic one. For example, banks and vendors alike should work closely to outline the steps necessary to ensure services are restored in the event of an outage, with both organizations assuming responsibility for their part of the equation. To create a comprehensive due diligence program, vendors should provide their own internal and external IT audits to validate the controls they have in place. While this is the ideal, it is too rarely the reality.
With an extensive range of risk touch points for financial institutions, even seemingly innocuous events such as missing a patch or an employee clicking a malicious email link can lead to enterprise-wide threats. Thus, a bank or credit union’s risk management strategy must also include steps for how to mitigate damage once a breach has occurred. Even with a robust due diligence process and regular audits to ensure compliance, an event can occur – hackers, unfortunately, are still very good at their jobs.
There are a few options to deal with an interruption once it has occurred: remediation, mitigation and acceptance. With an effective risk management and vendor management program in place, these attacks will be limited in scope and occurrence, but still may cause an inconvenience for the institution at the least and a breach of sensitive data in the most severe instances. It is at this point that an institution can learn firsthand where any missteps may have occurred, and if the vulnerability was previously unknown. Of course, every institution wants to avoid this situation, but when and if it does occur, it is certainly better to emerge with more robust controls and an example to assist other institutions in protecting themselves.
There is a balancing act between evolving business requirements and meeting the latest security standards – one that provides little room for error. Integrity of data must be ensured on the vendor’s side, with the institution setting expectations early on in the relationship, and then reevaluating those expectations throughout the life of that partnership. There is no finish line in reaching and maintaining compliance – it is an ever-moving target that requires constant monitoring.
Disclaimer: The views and opinions expressed in this article are those of the authors and do not necessarily reflect the official policy or position of the Financial Managers Society.
About the Author
Terry Ammons, CPA, CISA, CTPRP is Systems Partner at Porter Keadle Moore (PKM), an Atlanta-based accounting and advisory firm serving public and private organizations in the financial services, insurance and technology industries.