Vendor Management Challenges and Expectations An Open Discussion April 13, 2017

Transcription

1 1 Practical solutions driving tangible results Vendor Management Challenges and Expectations An Open Discussion April 13, 2017

2 Agenda Common Themes Discussion Expectations Overcoming Obstacles Common Comments Cybersecurity Assessment Tool Expectations Reviewing Control Reports Additional Information 2

3 Regulatory Focus Continues FIL Guidance for Managing Third Party Risk FIL Guidance on Payment Processor Relationships FIL Revised Guidance on Payment Processor Relationships CFPB Bulletin on Service Providers FFIEC IT Exam Handbook Outsourcing added Appendix D Managed Security Service Providers (MSSP) FFIEC Statement July Outsourced Cloud Computing FFIEC Administrative Guidelines (Oct 2012) Supervision of Technology Service Providers FDIC Compliance Manual (July 2013) Abusive Practices-Third Party Procedures OCC Third Party Relationships: Risk Management Guidance FFIEC Joint Statement (Oct 2013) on End of Microsoft Support for XP Support FRB SR 13-19/CA Guidance on Managing Outsourcing Risk 3

4 Volunteers? This is a Fun and Exciting System Who is Responsible? Management Appreciates the Effort 4

5 Not My Job Inconsistent Documentation Inconsistent Risk Assessments Limited Final Reviews 5

6 But Paperwork Doesn t Fix Anything It just slows down the process We need it now Marketing already signed the contract But we know these guys, we have had them for years There is nobody else We are stuck with them 6

7 Know Your Vendors 7

8 Aligning the Level of Oversight with Regulatory Expectations PLANNING FOR NEW RELATIONSHIPS 8

9 Prior to Entering Into a Significant New Third Party Relationship Need a formal plan to manage this Identify and document all the risks associated with the significant activity being outsourced Plan for mitigation of those risks proactively Ensure it aligns with strategic direction as well as management and the Board s risk appetite Require Board approval Develop contingency plans 9

10 Due Diligence Review OCC and FRB Changing the Playing Field We ve talked about a lot of this before now it is in writing and very specific! Strategies and Goals Legal and Regulatory Compliance Financial Condition Business Experience and Reputation Fee Structure and Incentives Qualification, background and reputation of company principals Risk Management 10

11 Due Diligence For Significant Relationships (cont.) Information Security Management of Information Systems Resilience Incident Reporting and Management Oversight Physical Security Human Resource Management Reliance on Subcontractors Insurance Coverage Conflicting Contractual Arrangements with Other Parties 11

12 Common Comments Overall Vendor Management Program Documentation Not On Hand / Not Reviewed Continuous Cyclical Process Dependent on Vendor s Documentation and Control Cycles 12

13 Common Comments Customer Information Risk Unaccounted for Critical Vendor versus High Risk Vendors Due Diligence Requirements Based on Risk and Criticality Levels 13

14 Best Practice Double check to be sure you have accurately identified all your critical/significant vendors: Review the significant/critical criteria and run through your vendor list (not suppliers, actual vendors/service providers) to see if any are missing Review the various types of vendor risk and run through list again to identify all vendors with significant compliance/legal risk, then all vendors with significant transaction risk, reputation risk, operations risk, and strategic risk, etc. 14

15 Should you work with a vendor that will not or cannot comply? The OCC explicitly spells it out - if the due diligence results do not meet expectations, management should recommend: That the third party make appropriate changes to comply with expectations, Supplement the third party s resources or strengthen controls to properly manage the risks Find an alternate third party, Conduct the activity in-house, or Discontinue the activity altogether! Third-party relationships that involve critical activities: Management should present results of due diligence to the Board Issues raised in due diligence must be thoroughly reviewed, discussed, analyzed, documented, and the risk mitigated to the Board s satisfaction before the financial institution enters into a contract 15

16 FFIEC Cybersecurity Assessment Tool Contracts Baseline Level Risk-based due diligence is performed on prospective third parties before contracts are signed, including reviews of their background, reputation, financial condition, stability, and security controls. A list of third-party service providers is maintained. A risk assessment is conducted to identify criticality of service providers. Formal contracts that address relevant security and privacy requirements are in place for all third parties that process, store, or transmit confidential data or provide critical services. Contracts acknowledge that the third party is responsible for the security of the institution s confidential data that it possesses, stores, processes, or transmits. 16

17 FFIEC Cybersecurity Assessment Tool Contracts Baseline Level and these Contracts stipulate that the third-party security controls are regularly reviewed and validated by an independent party. Contracts identify the recourse available to the institution should the third party fail to meet defined security requirements. Contracts establish responsibilities for responding to security incidents. Contracts specify the security requirements for the return or destruction of data upon contract termination. 17

18 FFIEC Cybersecurity Assessment Tool Due Diligence and Monitoring Baseline these too... Due Diligence: Risk-based due diligence is performed on prospective third parties before contracts are signed, including reviews of their background, reputation, financial condition, stability, and security controls. A list of third-party service providers is maintained. A risk assessment is conducted to identify criticality of service providers. Monitoring: The third-party risk assessment is updated regularly. Audits, assessments, and operational performance reports are obtained and reviewed regularly validating security controls for critical third parties. Ongoing monitoring practices include reviewing critical third-parties resilience plans. 18

19 FFIEC Cybersecurity Assessment Tool Contracts Evolving Level Responsibilities for managing devices (e.g., firewalls, routers) that secure connections with third parties are formally documented in the contract. Responsibility for notification of direct and indirect security incidents and vulnerabilities is documented in contracts or service-level agreements (SLAs). Contracts stipulate geographic limits on where data can be stored or transmitted. 19

20 FFIEC Cybersecurity Assessment Tool Due Diligence and Monitoring Evolving Level Due Diligence A formal process exists to analyze assessments of third-party cybersecurity controls. The board or an appropriate board committee reviews a summary of due diligence results including management s recommendations to use third parties that will affect the institution s inherent risk profile. Monitoring A process to identify new third-party relationships is in place, including identifying new relationships that were established without formal approval. A formal program assigns responsibility for ongoing oversight of third-party access. Monitoring of third parties is scaled, in terms of depth and frequency, according to the risk of the third parties. Automated reminders or ticklers are in place to identify when required third-party information needs to be obtained or analyzed. 20

21 SSAE16 / SOC Reviews Report of Controls SOC 1 or SOC 2 Ensure the Function is Covered Note the Date of the Review Review the Scope Check for Qualified Opinions Document the User Entity Controls Requirements Note and Analyze Exceptions Noted Maintain Responsibility and Accountability for the Reviews by Third Parties 21

22 Best in Class Systems Due Diligence Complete Prior to Contracts Being Signed Automated Triggers for Periodic Reviews on the Full List of Vendors Automated Document Requirements Based on Risk and Criticality Levels Evaluations of GLBA / Red Flag Documented Review of Materials Documents are Retained 22

23 Questions? Christopher Nolan, CISA, CISM, CGEIT Regional IT Audit Director Risk and Compliance

24 Additional Detailed Information Examiner Expectations and Guidance Critical or Significant Vendors Vendor Risk Assessment Identifying the Risks for Each Critical/ Significant Vendor Planning for New Relationships Aligning Level of Initial Due Diligence and On-Going Oversight with Regulatory Expectations 24

25 FIL Guidance for Managing Third Party Risk Outlined a general framework for third party risk management Four Main Elements of Effective Vendor Risk Management Programs: Risk Assessment Due Diligence in Selecting a Third Party Contract Structuring and Review Oversight Introduced the concept of Significant Vendor Relationships not just Technology vendors 25

26 FIL Guidance for Managing Third Party Risk Identifying Significant Relationships Significant Information Security Exposure Product or Service is a New Activity Critical to On-Going Operations Not just a high, medium, low risk exercise Assign Responsibility for Oversight to Senior Management and Report to the Board Identify and control risks to the same extent as if the activity were handled within the institution 26

27 OCC Bulletin Third Party Relationships: Risk Management Guidance The OCC is concerned that the quality of risk management over third-party relationships may not be keeping pace with the level of risk and complexity of these relationships The OCC specifically cited failure to assess the direct and indirect costs, failure to perform adequate due diligence and monitoring, and multiple contract issues, as troublesome trends. 27

28 OCC Bulletin : Critical Activities Significant bank functions (such as payments, clearing, settlements, and custody) Significant shared services (such as information technology) Other activities that could significantly impact customers, require significant investment in resources to implement the relationship and manage the risk, impose significant risk to the bank if the third-party fails to meet expectations, or have a major impact on bank operations if the bank has to find an alternate vendor or service provider or if the outsourced activity has to be brought in-house. Similar to FDIC significant third party relationship concept 28

29 OCC Bulletin Life Cycle Focus Much more emphasis on planning and ensuring proper due diligence before any contract is signed with a third party Very specific recommendations: Legal and Regulatory Compliance Information Security Contingency Plans Independent Reviews Board Oversight Subcontractors (oversight for the vendor s vendors) 29

30 OCC Bulletin Due Diligence and Selection of Third Party Similar to previous 2001 guidance but adds the following specific areas for review: Legal and Regulatory Compliance Information and Physical Security Fee Structure and Incentives Incident Reporting and Management Oversight Conflicting Contractual Arrangements with Subcontractors or other parties where the risk may be transferred to the financial institution 30

31 OCC Bulletin Contract Negotiation On-going Monitoring Termination New Phase in the Life Cycle Contingency Plans for Data retention and destruction Handling of joint intellectual property Mitigation of reputational risks Continued compliance with laws and regulations 31

32 Contract Considerations ** The Board should formally approve all contracts for critical vendors before the contract is executed ** Guidance Includes Very Detailed Due Diligence and Contract on a multitude of topics, for example: Considerations Verify that the third party has fidelity bond coverage to insure against losses attributable to dishonest acts, liability coverage for losses attributable to negligent acts, and hazard insurance covering fire, loss of data, and protection of documents. Determine whether the third party has insurance coverage for its intellectual property rights, as such coverage may not be available under a general commercial policy. The amounts of such coverage should be commensurate with the level of risk involved with the third party s operations and the type of activities to be provided. Stipulate that the third party is required to maintain adequate insurance, notify the bank of material changes to coverage, and provide evidence of coverage where appropriate. Types of insurance coverage may include fidelity bond coverage, liability coverage, hazard insurance, and intellectual property insurance. 32

33 Federal Reserve 12/5/13 Guidance on Managing Outsourcing Risk Introduces concept of concentration risk Effective programs include the following: Risk Assessments Due Diligence and Selection of Service Providers Contract Provisions and Considerations Incentive Compensation Review Oversight and Monitoring of Service Providers Business Continuity and Contingency Plans 33

34 FRB Incentive Compensation Review Effective Review and Approval of any Incentive Compensation Embedded in Service Provider Contracts Is the Servicer incented to take imprudent risks? Inappropriate incentives may encourage selling of services to customers that have higher margins and not in their best interest 34

35 FRB - Other Risks Suspicious Activity Reporting Functions Foreign Based Service Providers Internal Audit Specifically references SOX prohibition against external account firm providing internal audit services Outsourcing Risk Management Activities 35

36 Revisiting Vendor Risk Assessment IDENTIFYING CRITICAL OR SIGNIFICANT VENDORS 36

37 Refining the Risk Assessment Most Vendor Risk Assessments rank each third party relationship (excluding suppliers) as high, medium, or low risk High risk vendors usually have information security exposure or are critical to bank operations But are all high risk vendors really critical and/or significant - requiring Board level oversight? 37

38 Critical or Significant Third Party Relationships Likely Require: Extensive Planning and Due Diligence Board Oversight and Approval Clear Senior Management Responsibility Cost/Benefit Analysis Contingency Plan for Termination Board Review of Management s Monitoring Results Extensive Contract Review and Monitoring for Performance More than a simple vendor file that is updated each year with new documents! 38

39 Characteristics of Critical or Significant Third Party Relationships Significant Information Security Exposure High Volume of Confidential Customer Information Stored by or Accessible to the Third Party Service is Critical to Maintaining the Institution s Information Security Program/Protection/Controls Critical to Operations Transaction Processing; Payments, Clearing, Settlement, Custody Core Accounting and Account Maintenance Disaster Recovery/Business Continuity Services in an in-house data center environment 39

40 Characteristics of Critical or Significant Third Party Relationships Substantial Impact on Financial Condition Potential for civil money penalties and fines Credit risk associated with vendor activities Risk of significant affect on earnings or capital New Products or Services Institution does not have experience or expertise Management may not understand the risks Material Compliance Risk Third Party Markets Institution s Products/Services Activity Involves Subprime Lending or Card Payments 40

41 Customized review and documentation requirements IDENTIFYING THE RISKS FOR EACH CRITICAL OR SIGNIFICANT VENDOR 41

42 Compliance Risk Risk arising from violations of laws, rules, or regulations or from noncompliance with the institution s policies, procedures, or business standards 42

43 Compliance Risk Examples Third Party Payment Processors Flood Determination Services Reverse Mortgage Programs Automobile Dealer Relationships Subprime Lending Programs Overdraft Programs Outsourced Trust Operations 43

44 Reputation Risk Risk arising from negative public opinion Dissatisfied customers Unexpected customer financial loss Inappropriate recommendations Security breaches Vendor insider fraud Any negative publicity whether or not associated directly with the third party 44

45 Reputation Risk Examples Core Application Internet Banking Any vendor that accesses, processes, stores or transmits confidential customer information Overdraft protection programs Nearly any third party relationship that impacts your customers in any way 45

46 Strategic Risk Risk arising from adverse business decisions Failure to implement appropriate business decisions consistent with the institution s strategic goals Use of a third party to perform banking functions or to offer products or services that do not help to achieve corporate goals and provide an inadequate return on investment 46

47 Strategic Risk Examples Outsourcing Call Center Operations to a competitor Utilizing Outsourced Remote Deposit Capture services to service multiple out of market Money Service Businesses Outsourced Subprime Lending originations Outsourced Compliance Management or BSA Oversight Any offering that will involve intense regulatory scrutiny without a strong business case and thorough risk assessment/monitoring. 47

48 Transaction Risk Risk arising from problems with service or product delivery Third party s failure to perform as expected due to inadequate capacity, technological failure, human error, or fraud Lack of an appropriate business resumption and contingency plan Weak controls over technology; threats to security and integrity of systems and data May result in unauthorized transactions or inability to perform transactions as expected 48

49 Transaction Risk Examples Core application servicer Internet Banking On-Line Bill Pay, ACH and/or Wire Originations On-Line Backup Services Cloud Computing Services 49

50 Operational Risk Risk of a loss due to inadequate or failed internal processes, people, systems, or external events Increase in operational complexity due to integration of institution processes with third party internal processes 50

51 Operational Risk Examples Cloud Computing Service Provider Remote Deposit Capture Services New Products and Services without sufficient experience or expertise to properly implement and oversee 51

52 Credit Risk Risk that a third party is unable to meet the terms of the contractual arrangements or otherwise financially perform as agreed Financial condition of the third party itself Third parties that market or originate certain types of loans, solicit or refer customers, conduct underwriting analysis, or set up product programs for the institution 52

53 Credit Risk Examples Mortgage brokers Automobile Dealer Relationships Credit Cards Critical Vendors Core Processor/Data Center Can they invest properly in on-going information security and regulatory compliance? Are they likely to be acquired or go out of business? 53

54 Country Risk Exposure to the economic, social, and political conditions and events in a foreign country Potential for loss of data, research and development efforts, or other assets 54

55 Examples of Country Risk Cloud Computing Service Provider Foreign Correspondent Bank Relationships Outsourced Call Centers 55

56 Other Risks Liquidity Interest Rate Price Legal Foreign Currency Translation Risk Concentration Risk 56