REGULATORY HOT TOPIC Third Party IT Vendor Management

Transcription

1 REGULATORY HOT TOPIC Third Party IT Vendor Management 1

2 Todays Outsourced Technology Services Core Processing Internet Banking Mobile Banking Managed Security Services Managed Data Center Services And More 2

3 Implementing a Comprehensive Vendor Management Program 3

4 Vendor Risk Management Program Risk Assessment Selection of the Service Provider Contracting with the Service Provider Monitoring Business Continuity 4

5 Vendor Management Responsibilities The Board and Senior Management retain the responsibility of the service You must manage the service as if it were completed internally by the bank Maintain the same controls Require the same information Monitor the process 5

6 Standard Risk Management Process Identify the risks Report the risk status and updates Measure the risks Monitor the risks Mitigate the risks 6

7 Deciding to Outsource Have an approved vendor management policy in place before you outsource a service. Complete and DOCUMENT your due diligence. Understand what you need in the contract to protect the interests of the bank. Ensure board oversight of the vendor management program. 7

8 What the Board Should Know Updates for: Service Level Agreements (SLAs) Data Security Audits and Attestations Vendor Business Recovery and Continuity Testing Results Financial Statements The degree of reporting should be increased based on risk to the bank. Regulatory reports should be obtained if available. ANNUAL BOARD REPORTING IS REQUIRED by Appendix B part 364- Also periodic reporting during vendor due diligence 8

9 Management Requirements Ensure the outsourced service provider is aligned with business and strategic plans and is appropriate for the size and complexity of the bank. Ensure the bank can properly oversee and manage the services. Ensure proper monitoring is in place based on the initial and current risk. Properly assign responsibilities for monitoring and reporting. 9

10 Vendor Management Components Risk Assessment Selection Contracts Monitoring 10

11 Implementing a Comprehensive Vendor Management Program RISK ASSESSMENT 11

12 The Risk Assessment To identify and make the board aware of inherent risk of the outsourced service like: Fraud Error Inability to delver services These are operational risks that the board should understand. Some of the risks can be mitigated by the service provider. Some of the risks have to be mitigated by the bank. 12

13 Other Risks to Consider Strategic Risk Poor planning for implementation or scalability for growth Compliance Risk Outsourcing to vendors that cannot provide the needed proof of compliance Reputational Risk Breaches Fraud Errors Service Level Interest Rate Risk Errors that lead to inaccurate decisions Liquidity Processing Delays or Errors Cyber Risk Disruption Malware 13

14 Quantifying the Risk- What to Consider Functional Risk Measurements Volume of transactions Sensitivity of the data involved Criticality of the service Provider Risk Measurements Financial Stability Experience Location Technology Risk Measurements Security Reliability Scalability 14

15 Who Should Complete the Risk Assessment A team with the ability to assess the risk measurements Consider carefully who has the expertise to assess the risk based on the services Internal Personnel Auditors Subject Matter Experts IT Security Recovery Cyber Security 15

16 Risk Mitigations by the Service Provider Controls in place that have been independently tested for Security Availability Confidentiality Processing Integrity Privacy Reporting 16

17 Risk Mitigation by the Bank What are the bank s responsibilities How are they defined Contracts? SOC reports? Testing these requirements Internal testing External testing Monitoring 17

18 Implementing a Comprehensive Vendor Management Program SELECTION AND DUE DILIGENCE 18

19 Selection and Due Diligence Due Diligence Should be Based on Level of Risk to the Bank High risk Very formalized Low risk Minimal formalization Key Points Financial Stability Capabilities to Scale Technology and Infrastructure Internal Controls and Audits Use of Subcontractors Qualifications and References History of Legal or Regulatory Issues Insurance Ability to Recover Physical and Environmental Controls 19

20 Implementing a Comprehensive Vendor Management Program CONTRACTS 20

21 Contracts Negotiating the Contract Meets the Banks Needs and Requirements Identified during the risk assessment process Some Common Contact Provisions Scope of Services Activities Implementation Plan Defined Responsibilities The Service Providers Controls and Responsibility to: Report incidents including time frames to report Notification provisions must be aligned with Appendix B Part 364 Provide reports on security and confidentiality controls such as: Cybersecurity Maintenance Notifications Notification provisions must be aligned with Appendix B Part

22 Key Contract Provisions (Cont.) Auditing Right to Audit Right to Receive Audits Frequency of Audits Types of Audits Completed Financial IT Security General Controls Recovery Funds Transfers 22

23 Key Contract Provisions (Cont.) Reporting Financial Service Level Regulatory Compliance Disaster Recovery Maintenance and Testing Availability of Test Results Bank Participation Sub-contracting Aware of ANY Sub-contracted Service Be careful of SOC insertion here Responsibility Remains with the Service Provider Regulatory Adherence Performance Standards (SLAs) Measurement and Remedies 23

24 Notification of Service Organization Contract Banks shall notify their regulator within 30 days of entering the contract or performance of the services begin. Whichever occurs first. 24

25 A Word About SLAs SLAs can provide service level promises for: Record Keeping Security Confidentiality Availably Processing Timeliness and Accuracy (Integrity of Data) System Changes and Updates Independent Testing Business Continuity 25

26 Implementing a Comprehensive Vendor Management Program VENDOR MONITORING 26

27 Vendor Monitoring Makes sure the vendor is meeting its obligations or has mitigated new risk Reevaluate Active Service Providers at Least Annually Align Monitoring with Risk Report Monitoring Information to the Board 27

28 What Should be Monitored Similar to Due Diligence Documentation Audit reports Type Scope and Frequency of Audits Review of Corrective Actions Financial Condition (at least annually) Compliance with SLAs GLBA and Incident Response Program Any incidents reflecting non-compliance with SLAs or other security standards should be reported to the board. Continuity Plans and Testing Some regulatory reports are available for service providers. Bank must be a client under contract Request from FDIC regional office Ensure the right personnel are used to monitor the vendor. 28

29 Business Continuity for Vendors Disruptive Events Cybersecurity Attacks Environmental Disasters Service Providers MUST be included in the continuity plans INCLUDING recovery time objectives. Management must review vendor continuity testing including: Connectivity Capacity or Alternate Facilities Transaction Volume Interdependences (internal and external) Revised Business Continuity Appendix J 29

30 Evaluating the Provider Service Organization Controls (SOC) Report SOC 1 (formally SAS70) May not completely cover all controls May not be the right report SOC 2- Uses Trust Principles What s important to you? Security Availability Processing Integrity Confidentiality Privacy SOC 3- Used as a marketing tool 30

31 Reviewing an SOC Report Does the report fit the services provided? SOC 1 or 2 Type 1 or 2 Does it address the correct services? Is it from a sub-service provider? (SOC Insertion) What are the dates of the report? Type 1- As of Type 2- For the period of Does the report cover the latest period? Is the opinion unqualified or qualified? What kind of exceptions are noted and what are the management responses. 31

32 Example of a Qualified Opinion Service Organization Controls (SOC) 32

33 Example of a Unqualified Opinion Service Organization Controls (SOC) 33

34 Exceptions Review for and SOC 34

35 Reviewing an SOC Report What are the client control considerations? These are critical because they are what YOUR responsibilities are. Are you completing these items? 35

36 Example of User Control Considerations 36

37 Other Reports to Consider Agreed Upon Procedures These can be custom tailored to the banks needs Agreed to by the bank, the vendor, and the auditor Specialized Reports PCI (Payment Card Industry) TR-39 Payment Card Processing 37

38 Other Areas to Consider Foreign Based Relationships Unique Risks Can Occur All risks may be more difficulty to measure Legal and Regulatory See Appendix C of Outsourcing Booklet 38

39 David Mills, MBA, CISA, CISSP, CGEIT, CRISC, MCSE IT Audit and Assurance Partner CRI Corporate Office Kathleen Zuniga, CPA Audit and Assurance Partner CRI New Orleans Office