by Deena Coffman
It’s important for banks to know how to evaluate and mitigate external partners’ risk points.
Many banks rely on vendors to support ongoing operations and critical-path projects, from administering employee benefit plans to reducing energy usage across the portfolio of branches. But as we’ve seen in several recent data breaches, vendors can sometimes inadvertently provide cyber criminals an easy access point into a financial institution’s network.
To protect your bank’s information from exposure, you must be mindful of the potential risks your vendors may pose to data security. Once you’ve built a solid understanding of where risk points exist, you can then work with key vendors to implement additional safeguards to ensure sensitive data is properly protected.
Step one: Review existing vendors
First, it’s important to assess which vendors present a risk. Begin by reviewing the vendor list to identify external parties that have access to systems containing protected information or that take possession of sensitive data sets on media such as backup tapes. These are the vendors who should be the focus of your risk evaluation efforts.
If the list is extensive, your team can further categorize each vendor by priority based on the level and frequency of access it has to your network and/or your protected data. Those external suppliers with greater access or more autonomy in their ability to access your systems merit a more in-depth review than vendors with limited access, or those who conduct their duties under significant direct oversight by a member of your team. By prioritizing vendors in this way, your FI can apply resources to the most pressing risk points first.
Next, ask each vendor to provide you with the results from its most recent security assessment performed by a third party. Self-assessments are far less reliable, since they lack objectivity. Ask for documentation on remediation actions that resulted from vulnerabilities identified in the security audit. Consider the safeguards you would expect the vendors to have in place, and ask specifically whether these are in place, maintained, and audited.
Ask how often a vendor’s security program is reviewed and how frequently it conducts employee training. Ask to see the security incident response plan. Consider the lack of a security incident response plan or the lack of an annual external security assessment as a red flag.
It is impossible for management to “see” security. Heavy reliance is placed on reporting from the Information Security team, which holds responsibility for the activities being reported. This creates a conflict that can be addressed with outside audits, much like those conducted on accounting departments that report financials over which they have control. An outside review of security will verify the efficacy of a security program for executives ultimately responsible for securing member, shareholder, or cardholder data, but who lack visibility into day-to-day security operations.
Your due diligence should also include inquiring about the potential vendor’s privacy practices and training programs. Ask which employees are required to participate in data privacy education and how frequently they must take refresher courses. Because external suppliers may be processing a subset of your bank’s data within their own systems, it’s crucial that their workers know how to handle protected data safely.
Step two: Review and update contracts
Existing vendor contracts are unlikely to be changeable until they come up for renewal. But new and renewing contracts can be reviewed so that provisions are added for financial responsibility in the event of a security incident or data breach, for notification in the event the vendor has a security incident, and for any specific security measures you want to ensure the vendor has and maintains for your data.
Remember to look at any relationships the potential vendor may have with subcontractors or with marketing or cloud services likely to mine data, even if it belongs to the supplier or to the supplier’s customer (i.e., your FI). If the vendor is new to the banking industry, be especially diligent in your vetting, since it may not be familiar with the security requirements surrounding financial data. Its practices might require significant modifications to ensure appropriate security around your data.
You will also want to provide for the prompt notification of your bank’s risk officer in the event the vendor suspects a security incident has occurred. Set requirements that ensure all outside parties will enable a quick response if an exposure happens.
It is also prudent to stipulate that vendors carry data breach and cyber liability insurance. Consider contractual language that specifies insurance requirements such as minimum coverages for both data breach and cyber liability. Cyber coverage differs widely across policies, and it would be wise to verify that the supplier’s insurance covers your data under circumstances likely to occur, given your industry and business processes.