Skip to main content

Looking for Valuant? You are in the right place!

Valuant is now Abrigo, giving you a single source to Manage Risk and Drive Growth

Make yourself at home – we hope you enjoy your new web experience.

Looking for DiCOM? You are in the right place!

DiCOM Software is now part of Abrigo, giving you a single source to Manage Risk and Drive Growth. Make yourself at home – we hope you enjoy your new web experience.

Looking for TPG Software? You are in the right place!

TPG Software is now part of Abrigo. You can continue to count on the world-class Investment Accounting software and services you’ve come to expect, plus all that Abrigo has to offer.

Make yourself at home – we hope you enjoy being part of our community.

Cyber Complications for Vendor Risk Management

Emily Larkin
October 21, 2019
Read Time: 0 min

In a marketplace where data is shared and distributed at record speeds, third-party or vendor risk management is a challenge for most businesses. The banking industry is no stranger to this. The spotlight from federal and state regulators continues to shine on the use of third parties, and the pressure for those vendors to meet regulatory guidelines has greatly increased. This is especially challenging with cloud-based providers where cybersecurity concerns are even greater.

We are seeing banks moving to the cloud for a number of services ranging from core processing to lending. This movement to the cloud requires a robust vendor due diligence process and rigorous ongoing third party management that includes a focus on cybersecurity controls.

If your bank is considering partnering with a vendor, consider the following areas of cyber due diligence before signing a contract:

Establish a risk rating for your vendors. Just as risk ratings are a foundational element of sound lending decisions, creating a systematic approach to rate your prospective and current vendors based on the risk they pose to your business is essential for establishing the level of oversight they require. Ratings should be based on the risk they pose to the business. Helpful measures in determining that risk include the type of data you are sharing with the vendor, the ability to quickly replace that vendor, the vendor’s reputation in the market, and the amount of investment you are making with the vendor.

Understand the vendor’s financial stability. While this is not directly related to cybersecurity controls, it is imperative to acquire the necessary assurances that the vendor you are working with will be around in the long run. This is especially critical with cloud-based offerings, as they have control of the software or platform and if they go out of business, then your institution will not have the ability to run the solution internally.

Get it in writing. Whether it’s external audits, testing, or attestation, look for the vendor to provide external assurance regarding the state of their secure practices and governance. This includes system and organization controls, or SOC, reports, penetration/vulnerability assessments, and ISO certifications.

Know how many parties are involved. Just because you’re enlisting a third party doesn’t mean that’s where the parties end—there may be fourth and fifth parties involved. A number of solution providers build their environment within a cloud provider such as Amazon Web Services or Microsoft Azure and assume security is being managed. This is a big misconception. While AWS and Azure offer great options for businesses, they are not responsible for the security of the data. The vendor you are contracting with is responsible. Ensure that your vendors are layering the appropriate controls within their cloud provided solution and can share with you the steps they take to manage their cloud-based vendors. Vendors using AWS, Azure or other hosting providers should provide their own independent attestation of their security controls, not simply handing over an AWS or Azure SOC report.

Have transparency of internal controls. Banks should hold their vendors to the same level of regulatory guidance that they hold themselves. This means asking critical vendors to supply documentation affecting the security and protection of your data, including:

  • Policy documentation
  • Business continuity planning documentation
  • Proof of insurance
  • Details regarding their information security and cybersecurity programs
  • Vulnerability detection and management.

Thoroughly assess your contract. Ensure the appropriate cyber protections and terms are noted in the contract. Look for the vendor to highlight their cyber controls and commitment to follow regulations and laws within the contract. Ensure they are willing to assume a reasonable amount of liability and provide the appropriate notification and incident management procedures in the event of a data breach. Also, depending upon the type of vendor and their risk rating, look for service-level agreements with financial implications if they are not met.

We don't just build great software. We support it with unmatched industry expertise.

learn more

Ongoing Vendor Management

In addition to initial vendor due diligence, organizations are required to follow an ongoing systematic approach to managing their third-party relationship. For some, this may be a spreadsheet approach, for others, it may be a third-party governance package. Whatever your institution chooses to tackle it, ensure that your approach is consistent and aligns with your vendor management policy. Regulators look for your management of vendors to be appropriate for the size, scope and complexity of your organization. This is intentionally vague and requires institutions to be thoughtful and intentional in maintaining their vendor management program and adjusting it when there are changes to the size, scope, and complexity of the organization. Because of the number of vendors that are entering and exist in the financial space and the amount of data we share across these vendors, organizations have started to carve out dedicated roles and job descriptions to manage the vendor burden. Regardless of whether banks manage it internally or outsource it, the regulatory burden lies with the institution. It is critical that banks stay current with regulatory expectations and potential risks.
This article was first published in ABA Banking Journal on October 17, 2019.
About the Author

Emily Larkin

Chief Administrative Officer and CISO
Emily Larkin, Chief Administrative Officer and CISO of Abrigo, has over 20 years of experience in leadership. Her extensive background includes enterprise risk management, operations, IT regulatory compliance and cyber management. Emily leads Abrigo’s Human Resources, Information Security, Compliance, ESG and Enterprise Programs teams. A frequent speaker, Emily joined Abrigo,

Full Bio

About Abrigo

Abrigo enables U.S. financial institutions to support their communities through technology that fights financial crime, grows loans and deposits, and optimizes risk. Abrigo's platform centralizes the institution's data, creates a digital user experience, ensures compliance, and delivers efficiency for scale and profitable growth.

Make Big Things Happen.