The evolution of vendor risk management in financial institutions
The Financial Services industry has long been recognized as a leader in establishing many of the security and fraud detection practices that have influenced best practices in other sectors. In fact, the formation of the FS-ISAC in 1999 has inspired the growth of other industry related information sharing consortiums and has helped raised this strategy to the highest levels of our government.
In a recent executive order, President Obama called for more sharing between the private sector and government in order to combat cyber threats in real time. While the exact methods to achieve this mission are still being determined, it is the FS-ISAC that in many minds will serve as the model for data sharing and communication practices.
It is with little surprise, then, that we would again look to this sector to define best practices in vendor risk management, which was recognized in a 2014 Protiviti and Shared Assessments study as having a more mature vendor risk management practice than other industries. As we saw throughout 2013 and 2014, third party data breach is a clear and present danger to all sectors, with high profile breaches affecting healthcare, retail and others at increasing rates. PWC Researchers have warned that business partners, especially smaller organizations, are being targeted in order to gain a foothold in larger enterprises. The growth in outsourcing, both domestically and internationally, simply underscores the need for more comprehensive vendor risk management strategies.
A changing landscape
Ever since OCC guidance was updated in October 2013, vendor risk has also been a top concern for banks and regulators. We have seen more attention and oversight directed at financial institutions, with new assessment guidelines being issued from Benjamin Lawsky at the New York Department of Financial Services, to intense scrutiny from Elizabeth Warren and others on Capitol Hill.
Shifting from a model mainly focused on questionnaires and assessments, many institutions and regulators are moving away from these more subjective, trust based practices and looking for solutions that will allow organizations to monitor and verify the controls that are in place to guarantee security and privacy requirements are being met. Responsibility for vendor management has also moved from the domain of procurement and sourcing teams into the realm of IT and Risk Managers, in order to better integrate vendor risk management with broader enterprise risk management strategies. Additionally, board members and general counsels are being held responsible for their firms’ cyber performance, and as a result, more emphasis is being placed on communicating these risks beyond the c-suite and into their hands. This change is owed in part to findings of a recent New York Department of Financial Services Report on Cyber Security in the Banking Sector, which found that “73% of institutions reported that the Board of Directors received information security updates quarterly or annually”, a frequency which is hardly adequate to guarantee that risk and security were being properly addressed at the highest levels of the company.
The New Mantra of Vendor Risk Management: “Trust but Verify”
Financial institutions are seeking to not just trust but also verify the security practices of their critical vendors through a combination of traditional and more evidence based methodologies. Many organizations are requiring their vendors to adhere to SOC 2 standards. According to the AICPA, SOC 2 is a report based on management’s “description of a service organization’s system and the suitability of the design and operating effectiveness of controls.” A third party auditor verifies the results and assesses whether controls and policies are in place for items like incident management, software and patch management, system monitoring, log management, threat detection and more. The benefit of this assessment style is that there are predefined acceptable outcomes with little room for biased interpretation, giving vendors the advantage of knowing what is required of them to pass, and creating more of a standard across the industry as more and more banks adopt this measure.
Clearly, audits and questionnaires still serve their purpose in helping to establish that necessary standards and controls are in place, but they are also time and resource intensive, reflect a point in time only and as such do not provide ongoing visibility into third party security practices. For this reason, leading financial institutions are augmenting their audits with automated assessment solutions that also provide advantages in the selection and prioritization of new vendors, while offering the scalability that more manual methods lack.
Generated from a combination of different data sources, including security event information, network configuration details and information about user behaviors, many financial institutions are finding value in continuous security performance ratings that can be used to monitor a vendor’s network and alert them to changes in security posture and effectiveness. When issues are detected, vendors can be given access to forensic details that will help them remediate the security issues. These ratings are automatically generated on a daily basis and provide insight into performance trends over time, as well as context as to how one vendor may be performing relative to another and within its own industry. In addition to helping compare and select new vendors, security ratings enable companies to better delegate risk management resources for existing vendors when concerns arise.
Security ratings also provide performance metrics that can be shared with the board, executives, and other teams in order to communicate objectives and risk management principles on a more frequent basis. Leaders can ascertain if vendor risk management practices are in line with enterprise objectives and adapt accordingly when necessary. Furthermore, the ratings can be used to measure the performance of the enterprise itself, and in a fashion that security and business leaders may find more accessible — and actionable — than quarterly or annual internal audits.
As with the growth in membership and formations of industry ISAC’s, we can only expect that over time, as banks and service providers take a more focused effort to manage their vendor risk, this framework will become more commonplace. Right now it is in the arena of the titans and groundbreakers of the financial services industry, but with the due diligence required by regulators and lawmakers, other institutions will soon being seeking ways to conduct effective and repeatable vendor risk assessments and to communicate more productively with their boards. The industry adoption of SOC 2 and security performance ratings will help toward creating the foundations of confidence that financial institutions and their business partners are seeking through better risk management.