What’s with the scrutiny?
Anyone that has undergone any sort of audit knows that your Vendor Management process is going to come up. Why do these pesky auditors keep asking these questions? What does it matter what sort of monitoring we perform? Why do we need a formal process to review contracts for specific clauses?
Traditionally, Organizations would run most of their systems in-house, and any services that were hosted by a third party were typically ancillary systems used by a select few people. These systems were not mission critical, and did not contain regulatory restricted or sensitive data. The balance has shifted and more Organizations are outsourcing many, if not most, of their critical technologies. This is especially true in the Financial Industry.
The Office of Inspector General (OIG) saw this shift in hosting locations, including the concentration of data in these Service Bureaus. The OIG had concerns on the level of oversight being performed by these Financial Institutions, and conducted a study to ensure these arrangements were governed by contracts that appropriately protected the security and confidentiality of the FI’s customers’ nonpublic personal information (NPPI). In February 2017, a report citing some interesting findings, as well as recommendations, was released. There is a very good chance you will be asked questions related to these if you are an FDIC-supervised Financial Institution.
Findings
From the report:
“Although results varied widely, we did not see evidence, in the form of risk assessments or contract due diligence, that most of the FDIC-supervised FIs we reviewed fully considered and assessed the potential impact and risk that TSPs and their subcontractors could have on the FI’s ability to manage its own business continuity planning and incident response and reporting operations.”
Some of the statistics listed really drive this point home:
“Eight (42 percent) completed both a TSP risk assessment matrix and a due diligence review, as recommended by supervisory guidance.”
The above stood out because less than half of the FIs reviewed were following guidance that is already in place. Even though the population for this study was small (19 FIs), there are serious implications for the industry if this is a common approach to vendor management.
“Contracts associated with 18 of the 19 FIs that we reviewed (95 percent) allowed service providers to subcontract assigned work. However, only 4 of 19 FIs documented consideration of subcontractor use within their TSP due diligence and risk assessment matrices.”
This statistic shows that the FIs did not have a true understanding of where their data was, and who was responsible for protecting the data. Even if these institutions were reviewing the controls in place at the Service Provider, they had no insight into the controls actually covering their data at this sub-contractor’s location.
Both of these statistics are directly related to Business Continuity and Incident Response processes. You need to know where your data “lives”, who has access to the data, and who has responsibilities for physical and logical protections of that data. You need assurance that either the Service Provider, or any of their Subcontractors, are maintaining an appropriate Business Continuity Plan and Incident Response Program. These plans should, at a minimum, meet your legal requirements. Ideally, you will identify clear performance standards that will also apply to recovery efforts. If either these BCP or IR standards are not met, there should be clear remedies defined.
A final parting thought:
“FIs may not be sufficiently engaged in writing and negotiating contracts to ensure their rights and TSP responsibilities are clearly defined. TSPs appear to be drafting the contracts and ensuring that their rights are protected more than the FIs.”
You may need to really push back on the Service Providers for this level of detail in agreements, but this effort is truly needed. There is hope! These Service Providers know you work in a heavily regulated industry, so put those regulations to work for you! Appendix 6 of the report lists a number of FDIC and FFIEC initiatives related to these efforts. Review these items and then turn the lens on your Service Providers.
The full report can be found here.
The Personal Blog of Sean Goodwin 