Vendor management is covered a lot more in industry news now. It's hard to keep up, and sometimes tempting not to try. This video highlights recent examples of the important items being covered.
Welcome to this week’s Third Party Thursday. My name is Dana Bowers, and I’m the CEO and Founder of Venminder. Today we’re going to be talking about "What's in the News Matters."
Let’s face it – every day it seems like there is news coming out about an enforcement action or a data breach. In fact, a recent article said that the Consumer Financial Protection Bureau was setting policy through enforcement actions rather than through issuing actual guidance. I think that is an interesting perspective on just how demanding the regulatory environment has become.
Cybersecurity has also become an absolute laser focus of late. I’m sure most of you saw the headlines in February when the Obama administration declared that it was requesting additional funding to bolster the nation's cybersecurity systems and named the former National Security Advisor Tom Donilon to head up the efforts. Even Congress has gotten in on the act. The Committee on Science, Space and Technology sent a very pointed letter to Janet Yellen on June 3 about the recently released information about more than 50 data breaches at the Federal Reserve over the period of 2011 to 2015. I am sure that will only prompt more inspection by the Fed and other regulatory agencies into the practices at their member institutions. Incidentally, if you haven’t read that letter, it’s pretty direct and reads like an examination request letter. You can easily Google it and find it out there if you’re curious. Having been on the receiving end of many examination request letters, I found it kind of interesting to see Congress sending their own examination request documents to the chair of the Fed. It certainly hasn’t stopped there.
Just in the past couple of months, the FFIEC (which stands for the Federal Financial Institutions Examination Council) has come out with updated guidance. If the newly released enhancements to Appendix E on mobile banking are followed as stringently as Appendix J was last year, it will be a very prescriptive guide. I glanced through the Appendix E items and saw about 18 references to third-party products.
A few weeks ago, you may have seen that the FFIEC, along with other regulators, sent out a warning to all banks following the disclosure of the SWIFT breaches, encouraging all financial institutions to review their data protection procedures. In an article in CU Insight earlier this month (June 2016), there was a terrific analysis of all of the ways that a well-managed security program can help counter account takeover fraud. So it’s not just about data breaches but additional fraud management.
Remember, you have people out there who are making a career out of trying to breach financial institutions and creating ways to steal people’s identities, so you’ve really got to work to stay one step ahead of them. I would suggest that effective cybersecurity goes way beyond documented procedures on preventing unlawful access and needs to also consider the appropriate response mechanisms if something happens. Ransomware, holding your data hostage for money or denying access to your information, is an interesting but really scary new developing threat, and it’s not just the financial services industry.
In fact, a couple of weeks ago, I was reading about two hospital systems that had recently been impacted, one in the first quarter and one at the end of May. Hardly a day should go by without talking to our CISO (your chief information security officer) or Business Continuity manager to compare notes and discuss what we’re seeing and how it could impact us. In addition, you need to really drill down to think about your third party’s own data protection and business continuity practices. The old saying that a chain is only as strong as its weakest link really applies – if your third party isn’t securing its doors, you could have a shared vulnerability.
So, things like understanding their business continuity plan and asking for the results of their penetration testing are perfectly appropriate. Looking at their SSAE 16 SOC report and determining your credit union’s own role in making absolutely sure your compensating controls are in place are also important.
Certainly the best time to be asking these types of questions is in a proactive manner, to prevent problems in the first place rather than going through the costly and time-consuming process of cleaning up mistakes. When mistakes do occur – and they will – it’s tempting to try to sweep them under the rug. You can never really do that; instead, use it as an opportunity to look very closely at what led to the mistake and what you can do to prevent it from happening again. Document it fully, invite input or an informed perspective, and ask for guidance where you’re not sure what exactly happened or what could be done differently. Those who do not learn from the errors of history are bound to repeat them.
Even examiners do not expect perfection, though it seems like they might. They certainly do expect you to have ways of detecting problems and addressing them early, along with clear documentation on the scope of the problem, the impact of the problem, and what can be done to prevent it from recurring, whether it’s additional testing, new monitoring techniques, or additional or more frequent reviews.
I’m Dana Bowers, thanks for watching. And don’t forget to subscribe for next week’s Third Party Thursday video.