The Comptroller of the Currency Thomas Curry gave a speech the other day (paid subscription required), and emphasized a couple of points that vendor management folks at financial institutions with various charters--state and federal, bank and credit union--and the lawyers who represent them, would be wise to heed.
Comptroller of the Currency Thomas Curry said his agency is increasingly concerned about the cybersecurity risks from banks relying too much on certain vendors and using service providers in foreign countries.
Banks can end up becoming dependent on certain vendors because of consolidation in the service provider industry, Curry said in his prepared remarks for the Consumer Electronics Show's Government Summit in Washington. They can also be exposed to risks when they assign critical functions to outside vendors, including those that use foreign-based subcontractors.
"Banks need to consider the legal and regulatory implications of where their data is stored or transmitted, and make a determination as to whether geographic limitations are needed in their contracts," Curry said. "Finally — and perhaps most importantly — we are concerned about the access third parties have to large amounts of sensitive bank or customer data."
Here are a few take-aways:
First, cybersecurity due diligence of your vendor assumes critical importance when that vendor has access to customer data and other sensitive information of the institution. Access to sensitive information ought to make that vendor a "critical" vendor regardless of the dollar "value" of the contract. The institution needs to be able to document that it examined the vendor's information security procedures and systems and found that they met industry standards.
Second, the provisions of the agreement between the institution and such vendors on confidentiality and information security need to be "robust." This is especially critical when one or two of the institution's vendors have access to the lion's share of its sensitive data. Read OCC Bulletin 2013-29, the FFIEC's handbooks on the outsourcing of technology services, and other regulatory guidance. Make sure you know what contractual assurances you need, and then make sure they're in the agreement.
Third, the financial institution needs to monitor the compliance of these vendors with information security safeguards throughout the life of the relationship. If a critical vendor is not providing an annual SSAE 16 audit report of the appropriate type (a SOC 1 report covers controls relevant to your financial reporting; a SOC 2 report covers security, availability, and confidentiality controls, which is what cybersecurity due diligence actually needs), and is not addressing problems raised by such annual reviews, you've got a problem.
"We expect the board and management to ensure that appropriate risk management practices are in place, that clear accountability for day-to-day management of these relationships is established, and that independent reviews of these relationships will be conducted periodically," Curry said in his remarks Wednesday.
That's a red flag, no?
Fourth, you need to read between the lines of what Curry's saying about "certain vendors." Pay attention to what's happening in the marketplace. If an article appears in the press that notes problems with a critical vendor, investigate and assure yourself that any problems are being addressed. Review the regulators' web sites for enforcement actions, and pay attention to what you find if a vendor is the subject. Pay attention to your own due diligence. If you gather the necessary information but don't act upon it appropriately, your regulator will not be pleased.
Fifth, foreign subcontractors have become a "hot button" concern. I would recommend that in your vendor agreements with critical vendors you have adequate restrictions on the use of subcontractors. Among those restrictions ought to be that the use of a non-US based subcontractor requires your prior written consent. I represent banks that would never consent, but that's a story for another day.
If the vendor pushes back, that vendor ought to be a cause for grave concern. They're not doing you a favor by selling you their technology, although a few of the larger ones act that way, especially if you're a smaller institution. These concerns are regulatory concerns, matters of safety and soundness. If the vendor is large and serves a number of financial institutions, none of these issues should come as a surprise to them. If you have concerns about a vendor, give your federal regulator a call and tell him or her about those concerns. As Curry makes clear, your regulator will be interested. Very interested.