How Well Do You Know Your Third-Party Vendor?
The risks of involvement with third-party vendors are increasing, with news of data breaches at Equifax, Verifone, FAFSA, Docusign, and many more in 2017 alone. No matter the size of your bank, these cyber risks are a concern that needs to be addressed. Federal regulators are looking more closely at what steps banks are taking to protect consumers, employees, and the overall safety of the organization. Ask yourself these questions:
- How well do we know our third-party vendors?
- What monitoring and management practices are being utilized?
- Are the bank’s current risk assessment procedures adequate?
- What safeguards do the third-party vendors have in place to prevent a data breach?
While companies continue to experience data breaches involving vendors, the number of vendors holding confidential information keeps rising, and with it the risk. More than half of organizations that work with vendors cannot show proof of the policies or safeguards the vendor has in place to protect that information, which in itself poses a risk. The first step in knowing your vendor is creating a Vendor Management Policy that outlines a risk assessment process, how vendors will be selected, due diligence steps, board oversight, and a rating scale for vendors with evaluation processes based on their rating level. Once a thorough policy is in place, make a list of all active vendors and determine how involved the bank is with each of them. A survey covering questions such as the following can be used:
- Does the vendor have access to confidential or financial information of customers or employees?
- Are there any known breaches with this vendor?
- Does the vendor have a risk management policy or process in place?
- Is the vendor using appropriate access controls (user IDs, passwords)?
After covering the vendor questions, rate the vendor using a scale (e.g. 3 for high risk, 2 for moderate risk, and 1 for low risk). Would the bank recover in a short or long period of time if business could no longer be transacted with this vendor? Another important area to review when working with vendors is the contract. Review contracts in detail and challenge the vendor with questions wherever an area of the contract is not detailed enough.
These are some great steps to get your risk assessment process going to evaluate the relationship between you and the third-party vendor. Ultimately, do what fits best with your organization, but know it is the bank’s responsibility to protect the consumers, employees, and organization against risks.
Article compiled by Nicole Flemmens. For additional information, please visit our contact us page.