Vendor management is one hot topic that never seems to cool down. With the frequent reporting of data breaches and cyber/ransomware attacks in the news, it is imperative that financial institutions continue to evolve their vendor management programs.
The best vendor management programs are the ones that are incorporated into operations rather than being an annual event. They go beyond just collecting reports from the vendor and checking off a box.
A successful vendor management program is based on an understanding of the vendor’s experience, reputation, solvency and — most importantly — the security procedures in place to safeguard nonpublic personal information.
When the vendor’s security procedures change, due diligence reviews should include an evaluation of these changes and a determination of whether the procedures are still acceptable. Due diligence reviews should be documented, with financial institutions setting due diligence requirements based on risk level to ensure appropriate monitoring is being completed.
Vendor management due diligence looks different today than it did only a year ago because of security concerns with remote working arrangements.
Similarly, it wasn’t that long ago when cloud-based information storage was widely introduced to server-strapped organizations.
In the beginning of cloud-based storage, who knew what questions to ask and what needed to be inspected related to vendor due diligence? Were employees knowledgeable enough to ask about cloud storage and to evaluate the answers received? Are current employees knowledgeable about information security procedures that should be considered for remote workers?
The only way to be sure is to provide ongoing vendor management training — not just when new software is implemented. This is especially important when an organization’s vendor management program is a decentralized departmental process.
In a decentralized vendor management program, each department is entrusted to conduct its own vendor due diligence for that department. Training will help make sure all responsible employees have the same understanding of the expectations of your vendor due diligence process.
In addition, vendor management training should cover topics such as reading and interpreting a vendor’s System and Organization Controls (SOC) report, evaluating complementary user entity controls (CUECs) in SOC reports, inquiring about subcontractor responsibilities, and documenting vendor security programs, vendor contract requirements, and vendor safeguard procedures for nonpublic personal information.
How Wipfli can help
A successful vendor management program should be dynamic, understanding and responding to risks throughout the year, rather than an annual requirement. Wipfli’s internal audit team can help determine the effectiveness, completeness and compliance of your vendor management program — as well as provide best practice recommendations. Learn more on our internal audit web page.