With everything on your plate, running a Vendor Management program for your Bank’s multiple vendors may seem overwhelming. Who do you call? What do you ask?
An effective Vendor Management program will ascertain all vendors’ security postures. It will advise you whether you need to take extra steps to protect your data when using a particular vendor. It may be surprising to think of a banking vendor with poor security, but they do exist – and regulators don’t want you assuming you’re protected.
Here are some questions your Vendor Management program should answer to inform your Bank’s Risk Management efforts.
Do you have a complete list of your Bank’s vendors – and their services?
This list will help you identify your mission-critical vendors. They are essential to daily operations. They may be involved with frequent transmission of customer data or store substantial amounts of the Bank’s non-public information. If their services go down, that could cause significant disruption to your Bank’s daily services – and even reputational harm.
What’s your process for conducting vendor due diligence?
FFIEC guidelines require that Banks exercise “appropriate due diligence” in selecting vendors. When examination time comes, how do you answer this query?
Documenting your vendor assessment process is a crucial step. A good Vendor Management program may list what measures you expect your vendors to meet, how you determine their compliance with those measures, and your due diligence results. Relevant measures can include compliance with appropriate regulations and up-to-date security measures. And your review should extend to both vendor applications and vendor business practices.
Above all, your Vendor Management program should monitor financial conditions, controls, quality of service, and support.
Have you risk-rated your vendors?
You should assess and assign the criticality of your vendors using a tiered scale: Who is critical to your operations? Who falls under GLBA requirements? Who directly interacts with your key customers? And who represents low risk to your data and operations?
Risk-rating your vendors helps you identify how critical each vendor’s services are to your overall business and what access that vendor may have to non-public information.
Do your vendors have their own Vendor Management program?
Did you ask your critical vendors if they were impacted by the recent security attacks – SolarWinds, Microsoft Exchange, Kaseya…? Even if they were not affected, one of their vendors could have been. They should be able to discuss their own vendors’ risk posture with you, including ongoing compliance with regulatory requirements.
If you find your in-house team lacks the time or expertise to run a Vendor Management program, consider outsourcing it to an expert such as ImageQuest. You can start by contacting us for a confidential chat about your needs.