

Vendor risk management: Protecting your data

Jun 18, 2020

Risk management continues to be a top concern for financial institutions, especially where data is concerned. As reports of data breaches occur with alarming regularity, both bankers and regulators are placing greater emphasis on reviewing risk management policies and procedures. And with data flowing ever more freely between financial institutions and their partners, vendor relationships have come under particular scrutiny.

The objective of any organization-wide risk assessment is to identify, assess and address risks through a quality internal audit that analyzes not only operational risks but also financial, technological, legal and compliance risks. While this may appear complicated — and the process itself certainly can be — it simply means financial institution executives must identify potential areas of risk and apply the appropriate controls to mitigate disaster.

Between the continuous monitoring from regulators and the watchful eye of increasingly security-savvy account holders, financial institutions must take the added step of ensuring their risk management program holds up to the highest level of scrutiny. A key component of mitigating potential risk is not only placing a greater focus on their own internal risk management practices but also ensuring their vendors apply the same due diligence to their controls and procedures.

Identifying, prioritizing and stratifying

The key purpose of developing a risk management plan is to determine the most important threats to your institution to create the appropriate controls for mitigating these potential disasters. After identifying these issues, the next step in building a proper program is to stratify the risks by categories. While methods for this often vary among institutions, a common mistake many seem to make is treating all of their vendors as equal potential risks, regardless of the service provided, the types of data shared and the level of access to it.

In truth, this is a flawed approach that can create significant issues further down the road. The fact of the matter is that some vendors pose a much bigger risk for financial institutions than others, so applying the same risk rating across the board simply will not work.

For instance, most banks and credit unions tend to work with different vendors for their loan origination system (LOS) and their branch automation technology. Both vendors have approved and monitored access to a given institution’s internal network. However, the LOS is much more likely to be drawing larger amounts of sensitive data from the institution’s network and pulling it into its own system. If that vendor is not vigilant in maintaining its own safeguards and standards, it could be more easily compromised, thus exposing the partner institution’s data.

A key related issue that must also be considered is how institutions are managing the flow of data across their own internal systems. While many vendors either work with or process data directly within a bank’s or credit union’s own servers, some services may require that data to be transferred off site to their own. Strict, careful monitoring of these types of data transfers can be critical for maintaining a strong, effective risk management program.

Unfortunately, these transfers often fail to get the attention they deserve from organizations, which tend to be more focused on external threats trying to get into their systems. While such intrusions are certainly a major risk for financial institutions, there is very little an institution can do to directly control or protect its data once it leaves the network, at which point it must rely on the vendor’s data security standards.

Creating safeguards and maintaining due diligence

Once the potential vendor risks have been identified, evaluated and categorized, the onus is then on the institutions to conduct their own due diligence. Confirming each vendor is following the correct procedures generally means requiring vendors to provide verification of their security policies, safeguards and controls for inspection prior to any contract approval.

While most institutions consider this a critical step in establishing their initial vendor relationships, many fail to follow up past the onset of the relationship. This mindset misses the true, fundamental purpose of due diligence, which is a consistent, ongoing effort — and an integral part of the operation. A continuous approach allows institutions to more effectively monitor for issues that may arise over time, allowing them to be addressed before they cause significant problems. The hard truth is that a vendor’s security standards, even if judged adequate during the initial review, are no guarantee that the same controls and safeguards will remain in place moving forward.

As we have seen with many past high-profile data breaches, such as the one at Equifax, a failure to maintain up-to-date controls created vulnerabilities over time. In the Equifax case, the company failed to update the Apache Struts web application framework, and hackers gained access to more than 145 million Americans’ personal information, including sensitive data such as Social Security numbers. Even now, years later, the ripples are still being felt. The numbers alone suggest up to half of any bank’s or credit union’s account holders either have been — or could still be — impacted by this single breach.

Because the financial industry evolves rapidly, what is considered acceptable (perhaps even exceptional) when a contract is signed may not be the case just a few years in the future. This is especially true for technology vendors, most of which have specialized, direct access to a bank’s or credit union’s sensitive data.

While physical threats targeting branches and ATMs have been a constant consideration for years, the methods — and thus the protections needed to limit these risks — have remained fairly static. However, technology and software threats evolve at a much more rapid pace.

Frankly, it is the job of hackers to work tirelessly to undermine, circumvent and exploit security technologies (the newer, stronger or more cutting-edge the technology, the more profit they can demand for defeating it).

Conversely, it falls to today’s bankers to help make this job more difficult for them by following proper security practices, thus limiting the number of potential backdoors and workarounds hackers can leverage.

Responding to a data breach

Implementing strong, adaptive risk management programs and vendor due diligence protocols is just the first part of the equation for properly securing a financial institution’s data. Once in place, it will be the controls created — along with regular, consistent audits — that will monitor for issues and guard against threats.

Unfortunately, there are no “foolproof” plans or strategies when it comes to cybersecurity. Even if a bank or credit union follows all the correct procedures, takes all the proper precautions, installs the most secure software or hires the top experts, the inevitable can still happen. Employees can become lax or simply follow a bad link, a software update can be missed or fail, or a hacker could find a new, unorthodox method to crack a system once thought near impenetrable. Regardless of the cause, the end results are the same.

Successful risk management lies in mitigating risks before they occur. However, if they do occur, the focus becomes how to prevent future opportunities for the same disaster. This means a full assessment of a financial institution’s overall program — identifying all vulnerabilities, possible missteps and/or flaws in the initial risk assessment. Doing so allows both management and staff alike to better understand the underlying issues associated with the problem and ultimately implement new, more effective controls (and perhaps even help other institutions protect themselves from similar situations).

These dangers are constantly evolving and ever present, and in a heavily regulated industry like financial services, it is best to have your safeguards in place sooner rather than later.

How Wipfli can help

See our cybersecurity web page to learn more about how we can help manage, detect and respond to cyber threats.

Or read our series on containing cybersecurity threats.


Terry Ammons, CPA, CISA, CTPRP