REGULATORY HOT TOPIC Third Party IT Vendor Management

REGULATORY HOT TOPIC Third Party IT Vendor Management and Mills - Vendor... · 2016-06-13 · Vendor Management Responsibilities . 6 Standard Risk Management Process . Identify the


Page 1: REGULATORY HOT TOPIC Third Party IT Vendor Management

Page 2: Today's Outsourced Technology Services

• Core Processing
• Internet Banking
• Mobile Banking
• Managed Security Services
• Managed Data Center Services
• And More…

Page 3: Implementing a Comprehensive Vendor Management Program

Page 4: Vendor Risk Management Program

• Risk Assessment
• Selection of the Service Provider
• Contracting with the Service Provider
• Monitoring
• Business Continuity

Page 5: Vendor Management Responsibilities

• The Board and Senior Management retain the responsibility for the service
• You must manage the service as if it were completed internally by the bank
  – Maintain the same controls
  – Require the same information
  – Monitor the process

Page 6: Standard Risk Management Process

Identify the risks

Measure the risks

Mitigate the risks

Monitor the risks

Report the risk status and updates

Page 7: Deciding to Outsource

• Have an approved vendor management policy in place before you outsource a service.
• Complete and DOCUMENT your due diligence.
• Understand what you need in the contract to protect the interests of the bank.
• Ensure board oversight of the vendor management program.

Page 8: What the Board Should Know

• Updates for:
  – Service Level Agreements (SLAs)
  – Data Security
  – Audits and Attestations
  – Vendor Business Recovery and Continuity Testing Results
  – Financial Statements
• The degree of reporting should be increased based on risk to the bank.
• Regulatory reports should be obtained if available.
• ANNUAL BOARD REPORTING IS REQUIRED by Appendix B to Part 364
  – Also periodic reporting during vendor due diligence

Page 9: Management Requirements

• Ensure the outsourced service provider is aligned with business and strategic plans and is appropriate for the size and complexity of the bank.
• Ensure the bank can properly oversee and manage the services.
• Ensure proper monitoring is in place based on the initial and current risk.
• Properly assign responsibilities for monitoring and reporting.

Page 10: Vendor Management Components

Risk Assessment

Selection

Contracts

Monitoring

Page 11: Implementing a Comprehensive Vendor Management Program: RISK ASSESSMENT

Page 12: The Risk Assessment

• To identify and make the board aware of the inherent risk of the outsourced service, such as:
  – Fraud
  – Error
  – Inability to deliver services
• These are operational risks that the board should understand.
• Some of the risks can be mitigated by the service provider.
• Some of the risks have to be mitigated by the bank.

Page 13: Other Risks to Consider

• Strategic Risk
  – Poor planning for implementation or scalability for growth
• Compliance Risk
  – Outsourcing to vendors that cannot provide the needed proof of compliance
• Reputational Risk
  – Breaches
  – Fraud
  – Errors
  – Service Level
• Interest Rate Risk
  – Errors that lead to inaccurate decisions
• Liquidity
  – Processing Delays or Errors
• Cyber Risk
  – Disruption
  – Malware

Page 14: Quantifying the Risk: What to Consider

• Functional Risk Measurements
  – Volume of transactions
  – Sensitivity of the data involved
  – Criticality of the service
• Provider Risk Measurements
  – Financial Stability
  – Experience
  – Location
• Technology Risk Measurements
  – Security
  – Reliability
  – Scalability

Page 15: Who Should Complete the Risk Assessment

• A team with the ability to assess the risk measurements
• Consider carefully who has the expertise to assess the risk based on the services
  – Internal Personnel
  – Auditors
  – Subject Matter Experts
    • IT Security
    • Recovery
    • Cyber Security

Page 16: Risk Mitigations by the Service Provider

• Controls in place that have been independently tested for
  – Security
  – Availability
  – Confidentiality
  – Processing Integrity
  – Privacy
  – Reporting

Page 17: Risk Mitigation by the Bank

• What are the bank's responsibilities?
  – How are they defined?
    • Contracts?
    • SOC reports?
  – Testing these requirements
    • Internal testing
    • External testing
    • Monitoring

Page 18: Implementing a Comprehensive Vendor Management Program: SELECTION AND DUE DILIGENCE

Page 19: Selection and Due Diligence

• Due Diligence Should Be Based on Level of Risk to the Bank
  – High risk
    • Very formalized
  – Low risk
    • Minimal formalization
• Key Points
  – Financial Stability
  – Capabilities to Scale
    • Technology and Infrastructure
  – Internal Controls and Audits
  – Use of Subcontractors
  – Qualifications and References
  – History of Legal or Regulatory Issues
  – Insurance
  – Ability to Recover
  – Physical and Environmental Controls

Page 20: Implementing a Comprehensive Vendor Management Program: CONTRACTS

Page 21: Contracts

• Negotiating the Contract
  – Meets the Bank's Needs and Requirements
    • Identified during the risk assessment process
• Some Common Contract Provisions
  – Scope of Services
    • Activities
    • Implementation Plan
    • Defined Responsibilities
  – The Service Provider's Controls and Responsibility to:
    • Report incidents, including time frames to report
      – Notification provisions must be aligned with Appendix B to Part 364
    • Provide reports on security and confidentiality controls such as:
      – Cybersecurity
      – Maintenance
      – Notifications

Page 22: Key Contract Provisions (Cont.)

• Auditing
  – Right to Audit
  – Right to Receive Audits
  – Frequency of Audits
  – Types of Audits Completed
    • Financial
    • IT Security
    • General Controls
    • Recovery
    • Funds Transfers

Page 23: Key Contract Provisions (Cont.)

• Reporting
  – Financial
  – Service Level
  – Regulatory Compliance
• Disaster Recovery
  – Maintenance and Testing
  – Availability of Test Results
  – Bank Participation
• Sub-contracting
  – Aware of ANY Sub-contracted Service
    • Be careful of SOC “insertion” here
  – Responsibility Remains with the Service Provider
• Regulatory Adherence
• Performance Standards (SLAs)
  – Measurement and Remedies

Page 24: Notification of Service Organization Contract

• Banks shall notify their regulator within 30 days of entering the contract or of performance of the services beginning, whichever occurs first.

Page 25: A Word About SLAs

• SLAs can provide service level promises for:
  – Record Keeping
  – Security
  – Confidentiality
  – Availability
  – Processing Timeliness and Accuracy (Integrity of Data)
  – System Changes and Updates
  – Independent Testing
  – Business Continuity

Page 26: Implementing a Comprehensive Vendor Management Program: VENDOR MONITORING

Page 27: Vendor Monitoring

• Makes sure the vendor is meeting its obligations or has mitigated new risk
  – Reevaluate Active Service Providers at Least Annually
  – Align Monitoring with Risk
  – Report Monitoring Information to the Board

Page 28: What Should Be Monitored

• Similar to Due Diligence Documentation
  – Audit reports
    • Type, Scope and Frequency of Audits
    • Review of Corrective Actions
  – Financial Condition (at least annually)
  – Compliance with SLAs
    • GLBA and Incident Response Program
  – Any incidents reflecting non-compliance with SLAs or other security standards should be reported to the board.
  – Continuity Plans and Testing
• Some regulatory reports are available for service providers.
  – Bank must be a client under contract
  – Request from FDIC regional office
• Ensure the right personnel are used to monitor the vendor.

Page 29: Business Continuity for Vendors

• Disruptive Events
  – Cybersecurity Attacks
  – Environmental Disasters
• Service Providers MUST be included in the continuity plans, INCLUDING recovery time objectives.
• Management must review vendor continuity testing, including:
  – Connectivity
  – Capacity or Alternate Facilities
  – Transaction Volume
  – Interdependencies (internal and external)
• Revised Business Continuity Appendix J

Page 30: Evaluating the Provider

• Service Organization Controls (SOC) Report
  – SOC 1 (formerly SAS 70)
    • May not completely cover all controls
    • May not be the right report
  – SOC 2: Uses Trust Principles
    • What's important to you?
    • Security
    • Availability
    • Processing Integrity
    • Confidentiality
    • Privacy
  – SOC 3: Used as a marketing tool

Page 31: Reviewing an SOC Report

• Does the report fit the services provided?
  – SOC 1 or 2, Type 1 or 2
  – Does it address the correct services?
  – Is it from a sub-service provider? (SOC Insertion)
• What are the dates of the report?
  – Type 1: As of
  – Type 2: For the period of
  – Does the report cover the latest period?
• Is the opinion unqualified or qualified?
• What kind of exceptions are noted, and what are the management responses?

Page 32: Example of a Qualified Opinion, Service Organization Controls (SOC)

Page 33: Example of an Unqualified Opinion, Service Organization Controls (SOC)

Page 34: Exceptions Review for an SOC

Page 35: Reviewing an SOC Report

• What are the client control considerations?
  – These are critical because they are what YOUR responsibilities are.
  – Are you completing these items?

Page 36: Example of User Control Considerations

Page 37: Other Reports to Consider

• Agreed Upon Procedures
  – These can be custom tailored to the bank's needs
  – Agreed to by the bank, the vendor, and the auditor
• Specialized Reports
  – PCI (Payment Card Industry)
  – TR-39 Payment Card Processing

Page 38: Other Areas to Consider

• Foreign-Based Relationships
  – Unique Risks Can Occur
    • All risks may be more difficult to measure
    • Legal and Regulatory
    • See Appendix C of the Outsourcing Booklet

Page 39: Contacts

David Mills, MBA, CISA, CISSP, CGEIT, CRISC, MCSE

IT Audit and Assurance Partner CRI Corporate Office

334.348.1436 [email protected]

Kathleen Zuniga, CPA

Audit and Assurance Partner CRI New Orleans Office

504.493.4711 [email protected]