Companies are becoming increasingly dependent on third-party vendors for delivering services and managing computer infrastructures. Many of these are cloud vendors that provide cost-effective and scalable solutions. Unfortunately, data breaches of third-party service providers are commonly in the news, as these arrangements often become weak links in an organization’s security program. It’s no wonder that regulatory agencies continue to focus on vendor management as a critical component to the information security program. For financial institutions, risk-based supervisory programs are governed under the interagency guidelines published by the Federal Financial Institutions Examination Council (FFIEC), which has published IT examination handbooks and procedures, including the Outsourcing Technology Services IT Handbook and the Supervision of Technology Service Providers IT Handbook.
According to the FFIEC guidance, in choosing service providers, management should exercise appropriate due diligence to ensure the protection of both financial institution and customer assets. Before entering into an outsourcing contract, and throughout the life of the relationship, an institution should ensure the service provider’s physical and data security standards meet or exceed the standards required by the institution. Institutions should also implement adequate protections to ensure service providers and vendors are only given access to the information and systems that they need to perform their function. Management should restrict access to financial institution systems, and appropriate access controls and monitoring should be in place between the service provider’s systems and the institution.
Key elements of a vendor management program need to be clearly defined in a vendor management policy. The policy needs to cover the organization’s requirements for acquiring new vendor services, as well as the ongoing maintenance of the organization’s existing vendors. The policy should define the specific areas that should be addressed when seeking new vendor services:
- Defining functional and technical requirements
- Evaluating internal capabilities
- Budgeting for acquisition and possible hidden costs
- Defining minimum vendor requirements
- Selecting vendors that will receive the request for proposal
- Issuing a request for proposal
- Evaluating vendor proposals
- Selecting the vendor and contracting with that organization
The vendor management policy should also spell out the elements to consider when contracting or renewing services with a vendor. These include the following:
- Scope of services
- Performance standards
- Financial and control reporting
- Right to audit
- Ownership of data and programs
- Confidentiality and security
- Regulatory compliance
- Limitation of liability
- Dispute resolution
- Contract duration
- Restrictions on, or prior approval for, subcontractors
- Termination and assignment, including timely return of data in a machine-readable format
- Insurance coverage
- Prevailing jurisdiction (where applicable)
- Choice of law (foreign outsourcing arrangements)
- Regulatory access to data and information necessary for supervision
- Business continuity management
The vendor management policy also needs to define the responsibility and requirements for overseeing the organization’s existing vendors. A key aspect of the vendor management program is performing an annual risk assessment of all vendors to identify their criticality to the organization in terms of strategic, financial, operational, and security risk. An overall risk rating should be assigned to each vendor, and the ratings should directly translate into the oversight requirements within the vendor management policy as to the frequency and scope of the reviews. For example, a vendor that holds confidential information of the institution, but does not otherwise perform a critical business function for the institution, might only need to have its SOC report reviewed on an annual basis. Critical vendors may require a more extensive review performed annually depending on the services provided. For critical service providers, generally the following areas should be reviewed annually:
- Performance against key service-level agreements and contract provisions
- Financial condition of the service provider
- General control environment of the service provider through the receipt and review of audit reports and other internal control reviews, including vendor SOC reports or other third-party assessments, the institution’s responses to the SOC Complementary User Entity Controls, and disaster recovery test results for outsourced services
- Potential changes due to the external environment
Also, vendors rated as noncritical may be reviewed on a less frequent basis than critical vendors. This should all be spelled out clearly in the vendor management policy, and management should ensure these requirements are followed and documented.
One often overlooked aspect of vendor management is the evaluation of fourth-party arrangements, also known as subservice organizations. With the advent of the SSAE 18 standard in 2017, SOC reports now require inclusion of Complementary Subservice Organization Controls for service delivery that has been outsourced to another vendor. An organization’s third-party vendor must identify subservice providers used to deliver products or services within their SOC report. First, management must determine whether any of the critical services provided to an organization are outsourced to a subservice provider. Second, management needs to determine whether the subservice’s controls are covered within the SOC report or are carved out. If critical subservice arrangements are carved out of the report, then it is management’s responsibility to evaluate these controls.
Institutions are increasingly adopting vendor cloud solutions. Cloud arrangements pose additional challenges to organizations, including regulatory compliance, data privacy, data jurisdiction, and data retention. Before engaging in a cloud arrangement, management should understand the service and deployment model the vendor uses to deliver the service. It is also important to clearly identify the types of data being deployed to the cloud (social security numbers, account numbers, IP addresses, etc.) and to ensure the required level of controls, based upon the organization’s data classification policy, is in place.
There are many third-party systems that can assist in facilitating and organizing vendor management reviews. Whether or not a system is utilized, it is important that the conclusions of each element of the review are clearly documented, including the supporting documentation utilized to reach those conclusions. Any deviations from acceptable performance levels should be noted with an action plan or risk acceptance for these areas. Also, for vendors that do not provide the required documentation elements for the review, management should document the potential risk this poses to the organization.
Governance is another important aspect of the overall vendor management program. The results of the vendor reviews should include an overall assessment conclusion and recommendation that are reviewed with senior management and the Board of Directors. Decisions to accept risks uncovered during the vendor reviews need to include a mitigation plan and/or risk acceptance agreement. Where the vendor poses unacceptable risk to an organization, a plan should be developed to replace those services with another vendor. Under the Gramm-Leach-Bliley Act, the vendor management program should be included in the annual security program report to the Board. Even if the vendor program is covered separately with the Board, it is advisable to also summarize these conclusions in the annual security program report. A strong vendor management program is a critical component to help minimize the risk of vendors becoming weak links in an organization’s security program.