Vendor Management, Top of Mind with Regulators
The definition of third-party management: the process whereby a company monitors and manages its interactions with all external parties with which it has a relationship. This includes both contractual and non-contractual parties.
What exactly does this mean, though? Like many things in the world of compliance, it can mean different things to different people and is subject to interpretation. Financial institutions (FIs) have long been expected to perform some form of third-party management and have generally done a pretty good job. However, new and updated regulations are forcing many more organizations, especially outside the financial services world, to put robust third-party management programs in place.
The Office of Inspector General (OIG) recently released a report documenting a review of FDIC-supervised FIs. The OIG had concerns about the level of oversight these institutions were performing over their technology service providers, and conducted the review to determine whether those arrangements were governed by contracts that appropriately protected the security, availability, and confidentiality of the FIs' data.
Interesting observations from the report:
- Although results varied widely, we did not see evidence, in the form of risk assessments or contract due diligence, that most of the FDIC-supervised FIs we reviewed fully considered and assessed the potential impact and risk that Technology Service Providers (TSP) and their subcontractors could have on the FI’s ability to manage its business continuity planning and incident response and reporting operations.
- Eight (42 percent) completed both a TSP risk assessment matrix and a due diligence review, as recommended by supervisory guidance.
- Contracts associated with 18 of the 19 FIs that the OIG reviewed (95 percent) allowed service providers to subcontract assigned work. However, only 4 of 19 FIs documented consideration of subcontractor use within their TSP due diligence and risk assessment matrices.
This last point shows that most of the FIs did not have an accurate understanding of where their data resided and who had access to it. It is nearly impossible to protect such assets when they could be located almost anywhere, including with subcontractors the institution has never assessed.
The report also found that incident response provisions were frequently missing from contracts. Many contracts contained no clear language addressing the TSP's responsibilities for assessing and responding to a potential incident, determining the potential effect on the FI and its customers, or the reporting and notification processes to regulatory and law enforcement authorities.
Aside from this report, we have noticed a recurring misunderstanding while auditing the disaster recovery and business continuity language in contracts. Organizations often work through a business impact analysis (BIA) to determine the criticality of a service and the level of downtime that could be tolerated. Comparing the BIA to the contract is an important exercise, yet we often find discrepancies between the tolerated downtime documented in the BIA and what the TSP has actually committed to in the contract. Significant issues could arise if a major outage were to occur at a TSP: if the contract does not state a specific Recovery Time Objective (RTO), what leverage do you have to make the TSP recover your systems within the window your BIA requires? It is important to know what is in the contract and what that means for your recovery expectations, and to ensure that your executive management team, and possibly your board, are aware of the risk posed.
Some changes related to third-party management are either already in place or coming very soon. One of the most significant changes as the AICPA transitions from SSAE 16 to SSAE 18 concerns third-party management. If you have had an SSAE 16 audit done in the past, have been advised by your customers that an independent audit of this kind is needed to continue the business relationship, or are due for a new round, be sure to do some homework on this topic. HIPAA, PCI DSS, and the European Union's recently adopted General Data Protection Regulation (GDPR) all have significant portions of their frameworks dedicated to third-party management.
Here is a small list of resources to help you do a little research as you embark on either creating a third-party management program or enhancing the existing one you currently have:
- The Federal Financial Institution Examination Council (FFIEC) ffiec.gov
- The Office of the Comptroller of the Currency (OCC) has an excellent write-up on what you should consider including in contracts: OCC Bulletin 2013-29, as well as the follow-up FAQ that was recently released.
- ISACA has published a guide on vendor management using COBIT 5.
- Shared Assessments Program
Some additional thoughts to ponder from the OIG report:
- FIs may not be sufficiently engaged in writing and negotiating contracts to ensure their rights and TSP responsibilities are defined. TSPs appear to be drafting the contracts and ensuring that their rights are protected more than the FIs.
- Nearly half of the contracts we reviewed did not require the TSP to establish a business continuity plan. Those that did so did not elaborate on the TSP’s responsibilities for maintaining continuous risk management processes, risk scenario events, integrative considerations between multiple components and service providers (internal and external dependencies), and capacity in supporting required processing and restoring services to multiple clients under adverse scenarios. Some contracts also limited the TSP’s business continuity responsibilities in the event of a disaster.
- Few contracts established or defined clear performance standards, and few of those established performance metrics and remedies for failures to meet such standards.
- Institutions should maintain adequate oversight of third-party activities and adequate quality control over those products and services provided through third-party arrangements to minimize exposure to potentially significant financial loss, reputation damage, and supervisory action. An oversight program will include monitoring of the third party's quality of service, risk management practices, financial condition, and applicable controls and reports.
- Contract negotiations, along with an appropriate legal review, will be crucial as cloud-based services continue to replace in-house systems. Formulating stringent contract checklists and tracking the key metrics identified within those contracts will continue to gain traction, especially as executive management teams and boards of directors become more engaged in the process.
Contact OCD Tech if you would like to learn more about ways to improve your third party management processes and programs.