TRANSCRIPT
Practical solutions driving tangible results
Vendor Management
Challenges and Expectations
An Open Discussion
April 13, 2017
Agenda
Common Themes Discussion
Expectations
Overcoming Obstacles
Common Comments
Cybersecurity Assessment Tool Expectations
Reviewing Control Reports
Additional Information
Regulatory Focus Continues
FIL-44-2008 Guidance for Managing Third Party Risk
FIL-127-2008 Guidance on Payment Processor Relationships
FIL-3-2012 Revised Guidance on Payment Processor Relationships
CFPB 2012-3 Bulletin on Service Providers
FFIEC IT Exam Handbook – Outsourcing – added Appendix D Managed Security Service Providers (MSSP)
FFIEC Statement July 2012 - Outsourced Cloud Computing
FFIEC Administrative Guidelines (Oct 2012) – Supervision of Technology
Service Providers
FDIC Compliance Manual (July 2013) Abusive Practices-Third Party Procedures
OCC 2013-29 Third Party Relationships: Risk Management Guidance
FFIEC Joint Statement (Oct 2013) on the End of Microsoft Support for Windows XP
FRB SR 13-19/CA 13-21 Guidance on Managing Outsourcing Risk
Volunteers?
This is a Fun and
Exciting System
Who is Responsible?
Management Appreciates
the Effort
Not My Job
Inconsistent
Documentation
Inconsistent
Risk Assessments
Limited Final Reviews
But Paperwork Doesn’t Fix Anything
It just slows down the
process
We need it now
Marketing already signed
the contract
But we know these guys,
we have had them for years
There is nobody else
We are stuck with them
Know Your Vendors
PLANNING FOR NEW RELATIONSHIPS
Aligning the Level of Oversight with Regulatory Expectations
Prior to Entering Into a Significant New Third Party Relationship
Need a formal plan to manage this
Identify and document all the risks associated with the
significant activity being outsourced
Plan for mitigation of those risks proactively
Ensure it aligns with strategic direction as well as management
and the Board’s risk appetite
Require Board approval
Develop contingency plans
Due Diligence Review: OCC and FRB Changing the Playing Field
We’ve talked about a lot of this before… now it is in writing
and very specific!
Strategies and Goals
Legal and Regulatory Compliance
Financial Condition
Business Experience and Reputation
Fee Structure and Incentives
Qualification, background and reputation of company principals
Risk Management
Due Diligence For Significant Relationships (cont.)
Information Security
Management of Information Systems
Resilience
Incident Reporting and Management Oversight
Physical Security
Human Resource Management
Reliance on Subcontractors
Insurance Coverage
Conflicting Contractual Arrangements with Other Parties
Common Comments
Overall Vendor Management Program
Documentation Not On Hand / Not Reviewed
Continuous Cyclical Process
Dependent on Vendor’s
Documentation and
Control Cycles
Common Comments
Customer Information Risk
Unaccounted for
Critical Vendor versus
High Risk Vendors
Due Diligence Requirements
Based on Risk and
Criticality Levels
Best Practice
Double check to be sure you have accurately identified all your
critical/significant vendors:
Review the significant/critical criteria and run through your vendor
list (not suppliers, actual vendors/service providers) to see if any
are missing
Review the various types of vendor risk and run through list again
to identify all vendors with significant compliance/legal risk, then all
vendors with significant transaction risk, reputation risk, operations
risk, and strategic risk, etc.
Should you work with a vendor that will not or cannot comply?
The OCC explicitly spells it out: if the due diligence results do not meet
expectations, management should recommend:
That the third party make appropriate changes to comply with expectations,
Supplement the third party’s resources or strengthen controls to properly manage
the risks
Find an alternate third party,
Conduct the activity in-house, or
Discontinue the activity altogether!
Third-party relationships that involve critical activities:
Management should present results of due diligence to the Board
Issues raised in due diligence must be thoroughly reviewed, discussed, analyzed,
documented, and the risk mitigated to the Board’s satisfaction before the financial
institution enters into a contract
FFIEC Cybersecurity Assessment Tool Contracts – Baseline Level
Risk-based due diligence is performed on
prospective third parties before contracts are
signed, including reviews of their background,
reputation, financial condition, stability, and
security controls.
A list of third-party service providers is
maintained.
A risk assessment is conducted to identify
criticality of service providers.
Formal contracts that address relevant security and privacy
requirements are in place for all third parties that process, store, or
transmit confidential data or provide critical services.
Contracts acknowledge that the third party is responsible for the
security of the institution’s confidential data that it possesses, stores,
processes, or transmits.
FFIEC Cybersecurity Assessment Tool Contracts – Baseline Level
and these…
Contracts stipulate that the third-party security controls are
regularly reviewed and validated by an independent party.
Contracts identify the recourse available to the institution
should the third party fail to meet defined
security requirements.
Contracts establish responsibilities for
responding to security incidents.
Contracts specify the security requirements
for the return or destruction of data upon
contract termination.
FFIEC Cybersecurity Assessment Tool Due Diligence and Monitoring – Baseline
these too...
Due Diligence:
Risk-based due diligence is performed on prospective third parties before
contracts are signed, including reviews of their background, reputation,
financial condition, stability, and security controls.
A list of third-party service providers is maintained.
A risk assessment is conducted to identify criticality of service providers.
Monitoring:
The third-party risk assessment is updated regularly.
Audits, assessments, and operational performance reports are obtained
and reviewed regularly validating security controls for critical third parties.
Ongoing monitoring practices include reviewing critical third-parties’
resilience plans.
FFIEC Cybersecurity Assessment Tool Contracts – Evolving Level
Responsibilities for managing devices (e.g., firewalls, routers)
that secure connections with third parties are formally
documented in the contract.
Responsibility for notification of direct and indirect security
incidents and vulnerabilities is documented in contracts or
service-level agreements (SLAs).
Contracts stipulate geographic
limits on where data can be stored
or transmitted.
FFIEC Cybersecurity Assessment Tool Due Diligence and Monitoring – Evolving Level
Due Diligence
A formal process exists to analyze assessments of third-party cybersecurity
controls.
The board or an appropriate board committee reviews a summary of due diligence
results including management’s recommendations to use third parties that will
affect the institution’s inherent risk profile.
Monitoring
A process to identify new third-party relationships is in place, including identifying
new relationships that were established without formal approval.
A formal program assigns responsibility for ongoing oversight of third-party access.
Monitoring of third parties is scaled, in terms of depth and frequency, according to
the risk of the third parties.
Automated reminders or ticklers are in place to identify when required third-party
information needs to be obtained or analyzed.
SSAE16 / SOC Reviews
Report of Controls
SOC 1 or SOC 2
Ensure the Function is Covered
Note the Date of the Review
Review the Scope
Check for Qualified Opinions
Document the User Entity Controls Requirements
Note and Analyze Exceptions Noted
Maintain Responsibility and Accountability for the Reviews
by Third Parties
Best in Class Systems
Due Diligence Complete Prior to Contracts Being Signed
Automated Triggers for Periodic Reviews on the Full List
of Vendors
Automated Document Requirements Based on Risk
and Criticality Levels
Evaluations of GLBA / Red Flag
Documented Review of Materials
Documents are Retained
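The "Evolving Level" monitoring expectations above (monitoring scaled to risk, automated ticklers for required information, a process to catch relationships established without formal approval) and the "Best in Class" items on this slide describe a mechanism rather than a policy, so here is an added example of one, written for this page and not taken from the presentation or the presenter's firm. It is a small Python tickler that scales review cadence and document requirements to a vendor's criticality and risk categories, flags overdue reviews, missing or stale documents and critical vendors with no recorded Board approval, and reconciles an accounts-payable payee list against the vendor inventory to surface relationships that bypassed the program. The cadences, the document-to-risk mapping and the vendor records are constructed assumptions; a real program derives them from its own risk assessment.

```python
"""Vendor-monitoring tickler: added example, not part of the original deck.
All cadences, document mappings and vendor records below are constructed."""
from dataclasses import dataclass, field
from datetime import date, timedelta

# Review cadence in days, scaled to criticality (constructed assumption).
REVIEW_INTERVAL_DAYS = {"critical": 365, "high": 365, "medium": 730, "low": 1095}

# Evidence required per risk category (constructed mapping, modelled on the
# kinds of evidence the slides name: SOC reports, insurance, financials, resilience plans).
DOCS_BY_RISK = {
    "information_security": {"SOC report", "penetration test summary"},
    "transaction": {"SOC report", "business continuity plan"},
    "credit": {"financial statements"},
    "compliance": {"compliance attestation"},
    "reputation": {"incident history"},
}
# Extra evidence required purely because a vendor is critical (constructed).
DOCS_BY_CRITICALITY = {"critical": {"insurance certificate", "exit/contingency plan"}}


@dataclass
class Vendor:
    name: str
    criticality: str            # critical / high / medium / low
    risks: set                  # risk categories from the vendor risk assessment
    last_review: date
    docs_on_file: dict = field(default_factory=dict)  # document name -> date obtained
    board_approved: bool = False


def required_documents(v: Vendor) -> set:
    """Union of documents owed because of criticality and because of each risk category."""
    docs = set(DOCS_BY_CRITICALITY.get(v.criticality, set()))
    for risk in v.risks:
        docs |= DOCS_BY_RISK.get(risk, set())
    return docs


def next_review_due(v: Vendor) -> date:
    return v.last_review + timedelta(days=REVIEW_INTERVAL_DAYS[v.criticality])


def ticklers(vendors, today: date):
    """Return sorted (vendor name, issue) reminders that are due as of `today`."""
    out = []
    for v in vendors:
        interval = timedelta(days=REVIEW_INTERVAL_DAYS[v.criticality])
        if v.criticality == "critical" and not v.board_approved:
            out.append((v.name, "critical vendor lacks documented Board approval"))
        due = next_review_due(v)
        if due <= today:
            out.append((v.name, f"periodic review overdue since {due.isoformat()}"))
        for doc in sorted(required_documents(v)):
            obtained = v.docs_on_file.get(doc)
            if obtained is None:
                out.append((v.name, f"missing document: {doc}"))
            elif obtained + interval <= today:   # evidence older than one review cycle
                out.append((v.name, f"stale document: {doc} (obtained {obtained.isoformat()})"))
    return sorted(out)


def unapproved_relationships(vendors, payees):
    """Accounts-payable payees absent from the vendor inventory: candidates for
    relationships established without formal approval."""
    known = {v.name.lower() for v in vendors}
    return sorted(p for p in payees if p.lower() not in known)


# Constructed sample inventory and payee list; the date matches the deck's.
TODAY = date(2017, 4, 13)
VENDORS = [
    Vendor("Core Processor Inc", "critical",
           {"information_security", "transaction", "credit"}, date(2016, 3, 1),
           {"SOC report": date(2016, 9, 1), "financial statements": date(2016, 3, 1),
            "insurance certificate": date(2016, 3, 1)}, board_approved=True),
    Vendor("Flood Cert Co", "medium", {"compliance"}, date(2015, 1, 15),
           {"compliance attestation": date(2015, 1, 15)}),
    Vendor("Office Supply Depot", "low", set(), date(2017, 1, 1)),
]
PAYEES = ["Core Processor Inc", "Flood Cert Co", "Office Supply Depot", "CloudBackup LLC"]


def issues_for(name: str, vendors=VENDORS, today=TODAY):
    return [issue for vendor, issue in ticklers(vendors, today) if vendor == name]


if __name__ == "__main__":
    for vendor, issue in ticklers(VENDORS, TODAY):
        print(f"{vendor}: {issue}")
    print("not in inventory:", unapproved_relationships(VENDORS, PAYEES))
```

Run as a script it lists each reminder and the payee that has no inventory record. The point of `required_documents` is the one the slides make: the document set is derived from the risk categories assigned in the risk assessment, not from a fixed checklist, so a vendor tagged with information security and transaction risk owes a SOC report and a continuity plan while a compliance-only vendor does not.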
Questions?
Christopher Nolan, CISA, CISM, CGEIT
Regional IT Audit Director – Risk and Compliance
207.230.7390
Additional Detailed Information
Examiner Expectations and Guidance
Critical or Significant Vendors
Vendor Risk Assessment
Identifying the Risks for Each Critical/
Significant Vendor
Planning for New Relationships
Aligning Level of Initial Due Diligence and
On-Going Oversight with Regulatory Expectations
FIL-44-2008 Guidance for Managing Third Party Risk
Outlined a general framework for third party risk management
Four Main Elements of Effective Vendor Risk Management
Programs:
Risk Assessment
Due Diligence in Selecting a Third Party
Contract Structuring and Review
Oversight
Introduced the concept of “Significant” Vendor Relationships –
not just Technology vendors
FIL-44-2008 Guidance for Managing Third Party Risk
Identifying Significant Relationships
Significant Information Security Exposure
Product or Service is a New Activity
Critical to On-Going Operations
Not just a “high, medium, low” risk exercise
Assign Responsibility for Oversight to Senior Management and
Report to the Board
Identify and control risks to the same extent as if the activity
were handled within the institution
OCC Bulletin 2013-29: Third Party Relationships: Risk Management Guidance
The OCC is concerned that the quality of risk management over
third-party relationships may not be keeping pace with the level
of risk and complexity of these relationships
The OCC specifically cited failure to assess the direct and
indirect costs, failure to perform adequate due diligence and
monitoring, and multiple contract issues, as troublesome
trends.
OCC Bulletin 2013-29: “Critical Activities”
Significant bank functions (such as payments, clearing,
settlements, and custody)
Significant shared services (such as information technology)
Other activities that could significantly impact customers,
require significant investment in resources to implement the
relationship and manage the risk, impose significant risk to the
bank if the third-party fails to meet expectations, or have a major
impact on bank operations if the bank has to find an alternate
vendor or service provider or if the outsourced activity has to be
brought in-house.
Similar to FDIC “significant” third party relationship concept
OCC Bulletin 2013-29
Life Cycle Focus
Much more emphasis on “planning” and ensuring proper due
diligence before any contract is signed with a third party
Very specific recommendations:
Legal and Regulatory Compliance
Information Security
Contingency Plans
Independent Reviews
Board Oversight
Subcontractors (oversight for the vendor’s vendors)
OCC Bulletin 2013-29
Due Diligence and Selection of Third Party
Similar to previous 2001 guidance but adds the
following specific areas for review:
Legal and Regulatory Compliance
Information and Physical Security
Fee Structure and Incentives
Incident Reporting and Management Oversight
Conflicting Contractual Arrangements with Subcontractors or other
parties where the risk may be transferred to the financial institution
OCC Bulletin 2013-29
Contract Negotiation
On-going Monitoring
Termination
New Phase in the Life Cycle
Contingency Plans for
Data retention and destruction
Handling of joint intellectual property
Mitigation of reputational risks
Continued compliance with laws and regulations
Contract Considerations
** The Board should formally approve all contracts for critical vendors
before the contract is executed **
Guidance Includes Very Detailed Due Diligence and Contract Considerations
on a multitude of topics, for example:
Verify that the third party has fidelity bond coverage to insure against losses
attributable to dishonest acts, liability coverage for losses attributable to negligent
acts, and hazard insurance covering fire, loss of data, and protection of documents.
Determine whether the third party has insurance coverage for its intellectual
property rights, as such coverage may not be available under a general commercial
policy. The amounts of such coverage should be commensurate with the level of
risk involved with the third party’s operations and the type of activities to be
provided.
Stipulate that the third party is required to maintain adequate insurance, notify the
bank of material changes to coverage, and provide evidence of coverage where
appropriate. Types of insurance coverage may include fidelity bond coverage,
liability coverage, hazard insurance, and intellectual property insurance.
Federal Reserve – 12/5/13: Guidance on Managing Outsourcing Risk
Introduces concept of “concentration risk”
Effective programs include the following:
Risk Assessments
Due Diligence and Selection of Service Providers
Contract Provisions and Considerations
Incentive Compensation Review
Oversight and Monitoring of Service Providers
Business Continuity and Contingency Plans
FRB Incentive Compensation Review
Effective Review and Approval of any Incentive
Compensation Embedded in Service Provider
Contracts
Is the Servicer incented to take “imprudent risks”?
Inappropriate incentives may encourage selling of
services to customers that have higher margins and
not in their best interest
FRB - Other Risks
Suspicious Activity Reporting Functions
Foreign Based Service Providers
Internal Audit
Specifically references SOX prohibition against external
account firm providing internal audit services
Outsourcing Risk Management Activities
IDENTIFYING CRITICAL OR SIGNIFICANT VENDORS
Revisiting Vendor Risk Assessment
Refining the Risk Assessment
Most Vendor Risk Assessments rank each third party
relationship (excluding suppliers) as high, medium,
or low risk
High risk vendors usually have information security
exposure or are critical to bank operations
But are all high risk vendors really critical and/or
significant - requiring Board level oversight?
Critical or Significant Third Party Relationships Likely Require:
Extensive Planning and Due Diligence
Board Oversight and Approval
Clear Senior Management Responsibility
Cost/Benefit Analysis
Contingency Plan for Termination
Board Review of Management’s Monitoring Results
Extensive Contract Review and Monitoring for Performance
More than a simple vendor file that is updated each year with new documents!
Characteristics of Critical or Significant Third Party Relationships
Significant Information Security Exposure
High Volume of Confidential Customer Information Stored by or
Accessible to the Third Party
Service is Critical to Maintaining the Institution’s Information
Security Program/Protection/Controls
Critical to Operations
Transaction Processing; Payments, Clearing, Settlement, Custody
Core Accounting and Account Maintenance
Disaster Recovery/Business Continuity Services in an in-house
data center environment
Characteristics of Critical or Significant Third Party Relationships
Substantial Impact on Financial Condition
Potential for civil money penalties and fines
Credit risk associated with vendor activities
Risk of significant effect on earnings or capital
New Products or Services
Institution does not have experience or expertise
Management may not understand the risks
Material Compliance Risk
Third Party Markets Institution’s Products/Services
Activity Involves Subprime Lending or Card Payments
IDENTIFYING THE RISKS FOR EACH CRITICAL OR SIGNIFICANT VENDOR
Customized review and documentation requirements
Compliance Risk
Risk arising from violations of laws, rules, or
regulations or from noncompliance with the
institution’s policies, procedures, or business
standards
Compliance Risk Examples
Third Party Payment Processors
Flood Determination Services
Reverse Mortgage Programs
Automobile Dealer Relationships
Subprime Lending Programs
Overdraft Programs
Outsourced Trust Operations
Reputation Risk
Risk arising from negative public opinion
Dissatisfied customers
Unexpected customer financial loss
Inappropriate recommendations
Security breaches
Vendor insider fraud
Any negative publicity whether or not associated
directly with the third party
Reputation Risk Examples
Core Application
Internet Banking
Any vendor that accesses, processes, stores or
transmits confidential customer information
Overdraft protection programs
Nearly any third party relationship that impacts your
customers in any way
Strategic Risk
Risk arising from adverse business decisions
Failure to implement appropriate business decisions
consistent with the institution’s strategic goals
Use of a third party to perform banking functions or
to offer products or services that do not help to
achieve corporate goals and provide an inadequate
return on investment
Strategic Risk Examples
Outsourcing Call Center Operations to a competitor
Utilizing Outsourced Remote Deposit Capture services to
service multiple out of market Money Service Businesses
Outsourced Subprime Lending originations
Outsourced Compliance Management or BSA Oversight
Any offering that will involve intense regulatory scrutiny without
a strong business case and thorough risk
assessment/monitoring.
Transaction Risk
Risk arising from problems with service or product
delivery
Third party’s failure to perform as expected due to
inadequate capacity, technological failure, human error,
or fraud
Lack of an appropriate business resumption and
contingency plan
Weak controls over technology; threats to security and
integrity of systems and data
May result in unauthorized transactions or inability to
perform transactions as expected
Transaction Risk Examples
Core application servicer
Internet Banking
On-Line Bill Pay, ACH and/or Wire Originations
On-Line Backup Services
Cloud Computing Services
Operational Risk
Risk of a loss due to inadequate or failed internal
processes, people, systems, or external events
Increase in operational complexity due to integration
of institution processes with third party internal
processes
Operational Risk Examples
Cloud Computing Service Provider
Remote Deposit Capture Services
New Products and Services without sufficient
experience or expertise to properly implement and
oversee
Credit Risk
Risk that a third party is unable to meet the terms of
the contractual arrangements or otherwise financially
perform as agreed
Financial condition of the third party itself
Third parties that market or originate certain types of
loans, solicit or refer customers, conduct
underwriting analysis, or set up product programs for
the institution
Credit Risk Examples
Mortgage brokers
Automobile Dealer Relationships
Credit Cards
Critical Vendors – Core Processor/Data Center
Can they invest properly in on-going information
security and regulatory compliance?
Are they likely to be acquired or go out of business?
Country Risk
Exposure to the economic, social, and political
conditions and events in a foreign country
Potential for loss of data, research and development
efforts, or other assets
Examples of Country Risk
Cloud Computing Service Provider
Foreign Correspondent Bank Relationships
Outsourced Call Centers
Other Risks
Liquidity
Interest Rate
Price
Legal
Foreign Currency Translation Risk
Concentration Risk