
Page 1

Practical solutions driving tangible results

Vendor Management
Challenges and Expectations
An Open Discussion

April 13, 2017

Page 2

Agenda

Common Themes Discussion
Expectations
Overcoming Obstacles
Common Comments
Cybersecurity Assessment Tool Expectations
Reviewing Control Reports
Additional Information

Page 3

Regulatory Focus Continues

FIL-44-2008 Guidance for Managing Third Party Risk
FIL-127-2008 Guidance on Payment Processor Relationships
FIL-3-2012 Revised Guidance on Payment Processor Relationships
CFPB 2012-3 Bulletin on Service Providers
FFIEC IT Exam Handbook – Outsourcing – added Appendix D Managed Security Service Providers (MSSP)
FFIEC Statement July 2012 – Outsourced Cloud Computing
FFIEC Administrative Guidelines (Oct 2012) – Supervision of Technology Service Providers
FDIC Compliance Manual (July 2013) Abusive Practices – Third Party Procedures
OCC 2013-29 Third Party Relationships: Risk Management Guidance
FFIEC Joint Statement (Oct 2013) on End of Microsoft Support for XP
FRB SR 13-19/CA 13-21 Guidance on Managing Outsourcing Risk

Page 4

Volunteers?

This is a Fun and Exciting System
Who is Responsible?
Management Appreciates the Effort

Page 5

Not My Job
Inconsistent Documentation
Inconsistent Risk Assessments
Limited Final Reviews

Page 6

But Paperwork Doesn’t Fix Anything

It just slows down the process
We need it now
Marketing already signed the contract
But we know these guys, we have had them for years
There is nobody else
We are stuck with them

Page 7

Know Your Vendors

Page 8

PLANNING FOR NEW RELATIONSHIPS

Aligning the Level of Oversight with Regulatory Expectations

Page 9

Prior to Entering Into a Significant New Third Party Relationship

Need a formal plan to manage this
Identify and document all the risks associated with the significant activity being outsourced
Plan for mitigation of those risks proactively
Ensure it aligns with strategic direction as well as management and the Board’s risk appetite
Require Board approval
Develop contingency plans

Page 10

Due Diligence Review: OCC and FRB Changing the Playing Field

We’ve talked about a lot of this before… now it is in writing and very specific!

Strategies and Goals
Legal and Regulatory Compliance
Financial Condition
Business Experience and Reputation
Fee Structure and Incentives
Qualification, background and reputation of company principals
Risk Management

Page 11

Due Diligence For Significant Relationships (cont.)

Information Security
Management of Information Systems
Resilience
Incident Reporting and Management Oversight
Physical Security
Human Resource Management
Reliance on Subcontractors
Insurance Coverage
Conflicting Contractual Arrangements with Other Parties

Page 12

Common Comments

Overall Vendor Management Program
Documentation Not On Hand / Not Reviewed
Continuous Cyclical Process
Dependent on Vendor’s Documentation and Control Cycles

Page 13

Common Comments

Customer Information Risk Unaccounted for
Critical Vendor versus High Risk Vendors
Due Diligence Requirements Based on Risk and Criticality Levels

Page 14

Best Practice

Double check to be sure you have accurately identified all your critical/significant vendors:

Review the significant/critical criteria and run through your vendor list (not suppliers, actual vendors/service providers) to see if any are missing
Review the various types of vendor risk and run through the list again to identify all vendors with significant compliance/legal risk, then all vendors with significant transaction risk, reputation risk, operations risk, and strategic risk, etc.

Page 15

Should you work with a vendor that will not or cannot comply? The OCC explicitly spells it out – if the due diligence results do not meet expectations, management should recommend:

That the third party make appropriate changes to comply with expectations,
Supplement the third party’s resources or strengthen controls to properly manage the risks,
Find an alternate third party,
Conduct the activity in-house, or
Discontinue the activity altogether!

Third-party relationships that involve critical activities:

Management should present results of due diligence to the Board
Issues raised in due diligence must be thoroughly reviewed, discussed, analyzed, documented, and the risk mitigated to the Board’s satisfaction before the financial institution enters into a contract

Page 16

FFIEC Cybersecurity Assessment Tool Contracts – Baseline Level

Risk-based due diligence is performed on prospective third parties before contracts are signed, including reviews of their background, reputation, financial condition, stability, and security controls.
A list of third-party service providers is maintained.
A risk assessment is conducted to identify criticality of service providers.
Formal contracts that address relevant security and privacy requirements are in place for all third parties that process, store, or transmit confidential data or provide critical services.
Contracts acknowledge that the third party is responsible for the security of the institution’s confidential data that it possesses, stores, processes, or transmits.

Page 17

FFIEC Cybersecurity Assessment Tool Contracts – Baseline Level

and these…

Contracts stipulate that the third-party security controls are regularly reviewed and validated by an independent party.
Contracts identify the recourse available to the institution should the third party fail to meet defined security requirements.
Contracts establish responsibilities for responding to security incidents.
Contracts specify the security requirements for the return or destruction of data upon contract termination.

Page 18

FFIEC Cybersecurity Assessment Tool Due Diligence and Monitoring – Baseline

these too…

Due Diligence:
Risk-based due diligence is performed on prospective third parties before contracts are signed, including reviews of their background, reputation, financial condition, stability, and security controls.
A list of third-party service providers is maintained.
A risk assessment is conducted to identify criticality of service providers.

Monitoring:
The third-party risk assessment is updated regularly.
Audits, assessments, and operational performance reports are obtained and reviewed regularly validating security controls for critical third parties.
Ongoing monitoring practices include reviewing critical third-parties’ resilience plans.

Page 19

FFIEC Cybersecurity Assessment Tool Contracts – Evolving Level

Responsibilities for managing devices (e.g., firewalls, routers) that secure connections with third parties are formally documented in the contract.
Responsibility for notification of direct and indirect security incidents and vulnerabilities is documented in contracts or service-level agreements (SLAs).
Contracts stipulate geographic limits on where data can be stored or transmitted.

Page 20

FFIEC Cybersecurity Assessment Tool Due Diligence and Monitoring – Evolving Level

Due Diligence
A formal process exists to analyze assessments of third-party cybersecurity controls.
The board or an appropriate board committee reviews a summary of due diligence results including management’s recommendations to use third parties that will affect the institution’s inherent risk profile.

Monitoring
A process to identify new third-party relationships is in place, including identifying new relationships that were established without formal approval.
A formal program assigns responsibility for ongoing oversight of third-party access.
Monitoring of third parties is scaled, in terms of depth and frequency, according to the risk of the third parties.
Automated reminders or ticklers are in place to identify when required third-party information needs to be obtained or analyzed.

Page 21

SSAE16 / SOC Reviews

Report of Controls
SOC 1 or SOC 2
Ensure the Function is Covered
Note the Date of the Review
Review the Scope
Check for Qualified Opinions
Document the User Entity Controls Requirements
Note and Analyze Exceptions Noted
Maintain Responsibility and Accountability for the Reviews by Third Parties

Page 22

Best in Class Systems

Due Diligence Complete Prior to Contracts Being Signed
Automated Triggers for Periodic Reviews on the Full List of Vendors
Automated Document Requirements Based on Risk and Criticality Levels
Evaluations of GLBA / Red Flag
Documented Review of Materials
Documents are Retained
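As an added example (not code from the presentation or its author), the following Python models what pages 13, 20 and 22 describe: a vendor is critical/significant because of the characteristics listed on pages 39–40, not because of its high/medium/low score alone; required due diligence documents follow from risk type and criticality level; and review ticklers fire on a cadence scaled by level. The vendor list, the document names and the day counts for each cadence are constructed assumptions, since the deck gives no specific frequencies.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

# Characteristics that make a relationship "critical or significant" (deck pages 39-40).
# Any one of them makes the vendor critical regardless of its high/medium/low rating.
CRITICAL_FLAGS = {
    "infosec_exposure",        # high volume of confidential customer data held or accessible
    "critical_to_operations",  # payments, clearing, settlement, custody, core accounting, DR/BCP
    "financial_impact",        # civil money penalties, credit risk, effect on earnings or capital
    "new_product",             # institution lacks experience or expertise with the activity
    "material_compliance",     # vendor markets the institution's products, subprime lending, cards
}

# Risk categories the deck walks through (pages 42-56).
RISK_TYPES = {"compliance", "reputation", "strategic", "transaction",
              "operational", "credit", "country"}

# Monitoring cadence scaled by risk (page 20). The day counts are assumed values
# chosen for this example; the deck gives no specific frequencies.
REVIEW_INTERVAL_DAYS = {"critical": 90, "high": 180, "medium": 365, "low": 730}


@dataclass
class Vendor:
    name: str
    rating: str                               # "high", "medium" or "low" from the H/M/L exercise
    flags: set = field(default_factory=set)   # subset of CRITICAL_FLAGS
    risks: set = field(default_factory=set)   # subset of RISK_TYPES
    last_review: date = date(2017, 1, 1)


def classify(v: Vendor) -> str:
    """Critical/significant is decided by characteristics, not by the H/M/L score alone."""
    bad = (v.flags - CRITICAL_FLAGS) | (v.risks - RISK_TYPES)
    if bad or v.rating not in ("high", "medium", "low"):
        raise ValueError(f"{v.name}: unrecognised rating, flag or risk type {sorted(bad)}")
    return "critical" if v.flags else v.rating


def required_documents(v: Vendor) -> list:
    """Due diligence documents driven by risk and criticality level (pages 13, 16-22)."""
    level = classify(v)
    docs = ["entry on third-party service provider list",
            "contract with security and privacy requirements"]
    if level in ("critical", "high"):
        docs += ["background, reputation and financial condition review",
                 "SOC 1 / SOC 2 report review (scope, date, qualified opinion, user entity controls)",
                 "evidence of insurance coverage",
                 "incident response responsibilities in contract or SLA"]
    if level == "critical":
        docs += ["board approval of due diligence results before contract",
                 "resilience / business continuity plan review",
                 "contingency plan for termination",
                 "review of reliance on subcontractors"]
    # Risk-type specific items layered on top of the criticality-driven set.
    per_risk = {
        "compliance": "legal and regulatory compliance review",
        "reputation": "customer-impact and complaint review",
        "strategic": "cost/benefit analysis and business case",
        "transaction": "SLA and operational performance reports",
        "operational": "process integration and capacity review",
        "credit": "financial condition review of the third party",
        "country": "geographic limits on data storage and transmission",
    }
    docs += [per_risk[r] for r in sorted(v.risks)]
    return docs


def next_review_due(v: Vendor) -> date:
    return v.last_review + timedelta(days=REVIEW_INTERVAL_DAYS[classify(v)])


def ticklers(vendors, today: date) -> list:
    """Vendors whose periodic review is due on or before `today`, most overdue first."""
    due = [(v.name, classify(v), next_review_due(v)) for v in vendors]
    return sorted([d for d in due if d[2] <= today], key=lambda d: d[2])


# Constructed sample vendor list (not from the deck).
SAMPLE_VENDORS = [
    Vendor("Core Processor", "high", {"critical_to_operations", "infosec_exposure"},
           {"transaction", "operational", "credit"}, date(2016, 12, 1)),
    Vendor("Cloud Backup Provider", "high", {"infosec_exposure"},
           {"transaction", "country"}, date(2017, 2, 1)),
    Vendor("Office Cleaning Co.", "low", set(), set(), date(2016, 1, 1)),
    Vendor("Marketing Agency", "medium", set(), {"reputation"}, date(2016, 9, 1)),
]

if __name__ == "__main__":
    for name, level, due in ticklers(SAMPLE_VENDORS, date(2017, 4, 13)):
        print(f"{name}: {level} review due {due}")
```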

Page 23

Questions?

Christopher Nolan, CISA, CISM, CGEIT
Regional IT Audit Director – Risk and Compliance
207.230.7390
[email protected]

Page 24

Additional Detailed Information

Examiner Expectations and Guidance
Critical or Significant Vendors – Vendor Risk Assessment
Identifying the Risks for Each Critical/Significant Vendor
Planning for New Relationships – Aligning Level of Initial Due Diligence and On-Going Oversight with Regulatory Expectations

Page 25

FIL-44-2008 Guidance for Managing Third Party Risk

Outlined a general framework for third party risk management

Four Main Elements of Effective Vendor Risk Management Programs:
Risk Assessment
Due Diligence in Selecting a Third Party
Contract Structuring and Review
Oversight

Introduced the concept of “Significant” Vendor Relationships – not just Technology vendors

Page 26

FIL-44-2008 Guidance for Managing Third Party Risk

Identifying Significant Relationships
Significant Information Security Exposure
Product or Service is a New Activity
Critical to On-Going Operations

Not just a “high, medium, low” risk exercise
Assign Responsibility for Oversight to Senior Management and Report to the Board
Identify and control risks to the same extent as if the activity were handled within the institution

Page 27

OCC Bulletin 2013-29 – Third Party Relationships: Risk Management Guidance

The OCC is concerned that the quality of risk management over third-party relationships may not be keeping pace with the level of risk and complexity of these relationships.

The OCC specifically cited failure to assess the direct and indirect costs, failure to perform adequate due diligence and monitoring, and multiple contract issues, as troublesome trends.

Page 28

OCC Bulletin 2013-29: “Critical Activities”

Significant bank functions (such as payments, clearing, settlements, and custody)
Significant shared services (such as information technology)
Other activities that could significantly impact customers, require significant investment in resources to implement the relationship and manage the risk, impose significant risk to the bank if the third-party fails to meet expectations, or have a major impact on bank operations if the bank has to find an alternate vendor or service provider or if the outsourced activity has to be brought in-house.

Similar to FDIC “significant” third party relationship concept

Page 29

OCC Bulletin 2013-29

Life Cycle Focus

Much more emphasis on “planning” and ensuring proper due diligence before any contract is signed with a third party

Very specific recommendations:
Legal and Regulatory Compliance
Information Security
Contingency Plans
Independent Reviews
Board Oversight
Subcontractors (oversight for the vendor’s vendors)

Page 30

OCC Bulletin 2013-29

Due Diligence and Selection of Third Party

Similar to previous 2001 guidance but adds the following specific areas for review:
Legal and Regulatory Compliance
Information and Physical Security
Fee Structure and Incentives
Incident Reporting and Management Oversight
Conflicting Contractual Arrangements with Subcontractors or other parties where the risk may be transferred to the financial institution

Page 31

OCC Bulletin 2013-29

Contract Negotiation
On-going Monitoring
Termination
New Phase in the Life Cycle

Contingency Plans for:
Data retention and destruction
Handling of joint intellectual property
Mitigation of reputational risks
Continued compliance with laws and regulations

Page 32

Contract Considerations

** The Board should formally approve all contracts for critical vendors before the contract is executed **

Guidance Includes Very Detailed Due Diligence and Contract Considerations on a multitude of topics, for example:

Verify that the third party has fidelity bond coverage to insure against losses attributable to dishonest acts, liability coverage for losses attributable to negligent acts, and hazard insurance covering fire, loss of data, and protection of documents.

Determine whether the third party has insurance coverage for its intellectual property rights, as such coverage may not be available under a general commercial policy. The amounts of such coverage should be commensurate with the level of risk involved with the third party’s operations and the type of activities to be provided.

Stipulate that the third party is required to maintain adequate insurance, notify the bank of material changes to coverage, and provide evidence of coverage where appropriate. Types of insurance coverage may include fidelity bond coverage, liability coverage, hazard insurance, and intellectual property insurance.

Page 33

Federal Reserve – 12/5/13 Guidance on Managing Outsourcing Risk

Introduces concept of “concentration risk”

Effective programs include the following:
Risk Assessments
Due Diligence and Selection of Service Providers
Contract Provisions and Considerations
Incentive Compensation Review
Oversight and Monitoring of Service Providers
Business Continuity and Contingency Plans

Page 34

FRB Incentive Compensation Review

Effective Review and Approval of any Incentive Compensation Embedded in Service Provider Contracts

Is the Servicer incented to take “imprudent risks”?

Inappropriate incentives may encourage selling of services to customers that have higher margins and are not in their best interest

Page 35

FRB – Other Risks

Suspicious Activity Reporting Functions
Foreign Based Service Providers
Internal Audit – specifically references SOX prohibition against the external accounting firm providing internal audit services
Outsourcing Risk Management Activities

Page 36

IDENTIFYING CRITICAL OR SIGNIFICANT VENDORS

Revisiting Vendor Risk Assessment

Page 37

Refining the Risk Assessment

Most Vendor Risk Assessments rank each third party relationship (excluding suppliers) as high, medium, or low risk
High risk vendors usually have information security exposure or are critical to bank operations
But are all high risk vendors really critical and/or significant – requiring Board level oversight?

Page 38

Critical or Significant Third Party Relationships Likely Require:

Extensive Planning and Due Diligence
Board Oversight and Approval
Clear Senior Management Responsibility
Cost/Benefit Analysis
Contingency Plan for Termination
Board Review of Management’s Monitoring Results
Extensive Contract Review and Monitoring for Performance

More than a simple vendor file that is updated each year with new documents!

Page 39

Characteristics of Critical or Significant Third Party Relationships

Significant Information Security Exposure
High Volume of Confidential Customer Information Stored by or Accessible to the Third Party
Service is Critical to Maintaining the Institution’s Information Security Program/Protection/Controls

Critical to Operations
Transaction Processing; Payments, Clearing, Settlement, Custody
Core Accounting and Account Maintenance
Disaster Recovery/Business Continuity Services in an in-house data center environment

Page 40

Characteristics of Critical or Significant Third Party Relationships

Substantial Impact on Financial Condition
Potential for civil money penalties and fines
Credit risk associated with vendor activities
Risk of significant effect on earnings or capital

New Products or Services
Institution does not have experience or expertise
Management may not understand the risks

Material Compliance Risk
Third Party Markets Institution’s Products/Services
Activity Involves Subprime Lending or Card Payments

Page 41

IDENTIFYING THE RISKS FOR EACH CRITICAL OR SIGNIFICANT VENDOR

Customized review and documentation requirements

Page 42

Compliance Risk

Risk arising from violations of laws, rules, or regulations or from noncompliance with the institution’s policies, procedures, or business standards

Page 43

Compliance Risk Examples

Third Party Payment Processors
Flood Determination Services
Reverse Mortgage Programs
Automobile Dealer Relationships
Subprime Lending Programs
Overdraft Programs
Outsourced Trust Operations

Page 44

Reputation Risk

Risk arising from negative public opinion
Dissatisfied customers
Unexpected customer financial loss
Inappropriate recommendations
Security breaches
Vendor insider fraud
Any negative publicity whether or not associated directly with the third party

Page 45

Reputation Risk Examples

Core Application
Internet Banking
Any vendor that accesses, processes, stores or transmits confidential customer information
Overdraft protection programs
Nearly any third party relationship that impacts your customers in any way

Page 46

Strategic Risk

Risk arising from adverse business decisions
Failure to implement appropriate business decisions consistent with the institution’s strategic goals
Use of a third party to perform banking functions or to offer products or services that do not help to achieve corporate goals and provide an inadequate return on investment

Page 47

Strategic Risk Examples

Outsourcing Call Center Operations to a competitor
Utilizing Outsourced Remote Deposit Capture services to service multiple out of market Money Service Businesses
Outsourced Subprime Lending originations
Outsourced Compliance Management or BSA Oversight
Any offering that will involve intense regulatory scrutiny without a strong business case and thorough risk assessment/monitoring.

Page 48

Transaction Risk

Risk arising from problems with service or product delivery
Third party’s failure to perform as expected due to inadequate capacity, technological failure, human error, or fraud
Lack of an appropriate business resumption and contingency plan
Weak controls over technology; threats to security and integrity of systems and data
May result in unauthorized transactions or inability to perform transactions as expected

Page 49

Transaction Risk Examples

Core application servicer
Internet Banking
On-Line Bill Pay, ACH and/or Wire Originations
On-Line Backup Services
Cloud Computing Services

Page 50

Operational Risk

Risk of a loss due to inadequate or failed internal processes, people, systems, or external events
Increase in operational complexity due to integration of institution processes with third party internal processes

Page 51

Operational Risk Examples

Cloud Computing Service Provider
Remote Deposit Capture Services
New Products and Services without sufficient experience or expertise to properly implement and oversee

Page 52

Credit Risk

Risk that a third party is unable to meet the terms of the contractual arrangements or otherwise financially perform as agreed
Financial condition of the third party itself
Third parties that market or originate certain types of loans, solicit or refer customers, conduct underwriting analysis, or set up product programs for the institution

Page 53

Credit Risk Examples

Mortgage brokers
Automobile Dealer Relationships
Credit Cards
Critical Vendors – Core Processor/Data Center
Can they invest properly in on-going information security and regulatory compliance?
Are they likely to be acquired or go out of business?

Page 54

Country Risk

Exposure to the economic, social, and political conditions and events in a foreign country
Potential for loss of data, research and development efforts, or other assets

Page 55

Examples of Country Risk

Cloud Computing Service Provider
Foreign Correspondent Bank Relationships
Outsourced Call Centers

Page 56

Other Risks

Liquidity
Interest Rate
Price
Legal
Foreign Currency Translation Risk
Concentration Risk