Hot Topics in Third Party Management. April 5, 2018. Member of Allinial Global, an association of legally independent firms. 2018 Wolf & Company, P.C.
Before we get started: Today's presentation slides can be downloaded at www.wolfandco.com/webinars/2018. The session will last about 50 minutes, and we'll then have time for Q&A. Our audience will be muted during the session. Please send your questions in using the Questions Box located on the webinar's control panel.
About Wolf & Company, P.C.: Established in 1911. Offers Audit, Tax, and Risk Management services. Offices located in Boston, Massachusetts; Springfield, Massachusetts; Albany, NY; and Livingston, NJ. Over 200 professionals. As a leading regional firm founded in 1911, we provide our clients with specialized industry expertise and responsive service.
Financial Institution Expertise: Over 45 Risk Management Professionals across the IT Assurance Services Group, Internal Audit Services Group, Regulatory Compliance Services Group, and WolfPAC Solutions Group. Provide services to over 300 financial institutions: approximately 85 FIs with assets > $1B and approximately 40 publicly traded FIs. Constant regulatory review of our deliverables. Provide Risk Management Services in 27 states and 2 U.S. territories.
Meet Today's Presenter: Jason T. Clinton, IT Assurance Senior Consultant. Phone: 617-261-8132. Email: jclinton@wolfandco.com
Today's Agenda: Fundamental Elements of a Vendor Management Program; Office of Inspector General (OIG) Review; Regulatory Expectations and Trends; Completeness of Vendor Risk Assessments; Usage of System and Organization Controls (SOC) Reports; Subcontracting Arrangements.
Fundamental Elements: Risk Assessment; Vendor Selection and Due Diligence; Contract Structuring and Review; Ongoing Monitoring.
Risk Assessment: 1. Strategic Risk, 2. Reputation Risk, 3. Operational Risk, 4. Transaction Risk, 5. Credit Risk, 6. Compliance Risk, 7. Other Risk. Source: FDIC FIL 44-2008, Guidance For Managing Third-Party Risk. None of this is new.
Regulatory Guidance: FDIC FIL 44-2008: Guidance for Managing Third-Party Risk; OCC Bulletin 2013-29: Third Party Relationships; FFIEC BCP Appendix J: Strengthening the Resilience of Outsourced Technology Services; Cybersecurity Assessment Tool (CAT): External Dependencies; Information Technology Risk-based Exam (InTREx); OIG EVAL-17-004: Technology Service Provider Contracts with FDIC-Supervised Institutions.
Office of Inspector General Review: The OIG reviewed Technology Service Provider (TSP) contracts of FDIC-supervised institutions. Scope: 48 critical vendor contracts from 19 financial institutions. Results published as EVAL-17-004 in February 2017. Objective: assess how clearly contracts with TSPs address Business Continuity Planning and Incident Response Handling.
Evaluation Results: Contracts provide FIs with limited assurance that TSPs could recover and resume critical operations timely and effectively if disrupted, or that appropriate steps would be taken to contain, manage, and report security incidents. The FFIEC took numerous steps to provide FIs with BCP, Cybersecurity, and Vendor Management guidance, but many contracts are dated (pre-2015) and don't integrate the new guidance. The risk remains that FIs may attempt to transfer their inherent responsibility for BCP and cybersecurity to TSPs.
Recommendations and Response: The FDIC should continue to reinforce with FIs the need to fully assess risks associated with TSPs; ensure contracts include specific, detailed provisions to address risks and protect FIs' interests; and clearly define contract terms around BCP and IRP. The FDIC concurred with the recommendations and proposed actions responsive to the recommendations to be completed by October 2018.
Takeaways for Financial Institutions: During contract structuring and review, consider requiring the TSP to establish a BCP that considers supporting required processing and restoring services to multiple clients under adverse scenarios; defining clear performance standards for restoring services; defining clear responsibilities and expectations for handling security incidents; and ensuring clear terminology so the responsibilities of both parties are not subjective and open to interpretation. Ensure FI management is engaged in writing and negotiating contracts, to avoid contracts in which the TSP's rights are better protected than the FI's.
Risk Assessment Accuracy and Completeness: There is a growing trend of vendor risk assessments missing contracted service providers and/or including service providers that are no longer in use. Review processes and procedures to ensure the necessary personnel are notified of new and/or terminated relationships. Implement a process to periodically reconcile the risk assessment against an independent source (e.g. accounts payable): a vendor being paid but absent from the assessment has never been risk-rated, and a vendor in the assessment with no recent payments may be a terminated relationship still carrying stale ratings.
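One way to implement the periodic reconciliation against accounts payable, as an added example that is not part of the Wolf & Company slides: normalize vendor names on both sides (legal suffixes and punctuation differ between a GRC inventory and an AP export), then report payees active in the lookback window that are missing from the risk assessment, and assessed vendors with no AP activity that may have been terminated. The vendor inventory and AP ledger below are constructed sample data; the field names and the 365-day window are assumptions, not anything the deck prescribes.

```python
"""Reconcile the vendor risk assessment inventory against accounts payable.

Added example (not from the slides). RISK_ASSESSMENT and AP_LEDGER are
constructed sample data standing in for a GRC-tool export and an AP export.
"""
from __future__ import annotations

import re
from datetime import date, timedelta

# Constructed sample: vendors currently listed in the risk assessment.
RISK_ASSESSMENT = [
    {"vendor": "Acme Core Processing, Inc.", "risk_tier": "critical", "last_reviewed": date(2017, 11, 1)},
    {"vendor": "Northwind Shredding LLC", "risk_tier": "low", "last_reviewed": date(2016, 3, 15)},
    {"vendor": "Contoso Cloud Backup", "risk_tier": "high", "last_reviewed": date(2018, 1, 20)},
]

# Constructed sample: accounts payable disbursements (the independent source).
AP_LEDGER = [
    {"payee": "ACME CORE PROCESSING INC", "paid_on": date(2018, 3, 2), "amount": 41250.00},
    {"payee": "Contoso Cloud Backup", "paid_on": date(2018, 2, 14), "amount": 3900.00},
    {"payee": "Fabrikam Managed Security Services, LLC", "paid_on": date(2018, 1, 9), "amount": 12000.00},
    {"payee": "Northwind Shredding LLC", "paid_on": date(2016, 9, 30), "amount": 150.00},
]

_LEGAL_SUFFIXES = re.compile(r"\b(inc|llc|ltd|corp|co|company|corporation)\b\.?", re.I)


def normalize(name: str) -> str:
    """Canonical key for a vendor name: legal suffixes removed, punctuation stripped, case-folded."""
    name = _LEGAL_SUFFIXES.sub("", name)
    name = re.sub(r"[^a-z0-9 ]", " ", name.lower())
    return " ".join(name.split())


def reconcile(risk_assessment, ap_ledger, as_of: date, lookback_days: int = 365) -> dict:
    """Compare the assessment with AP activity in the lookback window.

    Returns:
      missing: payees paid in the window but absent from the risk assessment
      stale:   assessed vendors with no payments in the window (possibly terminated)
      spend:   total paid per normalized payee in the window
    """
    window_start = as_of - timedelta(days=lookback_days)
    spend: dict[str, float] = {}
    for entry in ap_ledger:
        if window_start <= entry["paid_on"] <= as_of:
            key = normalize(entry["payee"])
            spend[key] = spend.get(key, 0.0) + entry["amount"]
    assessed = {normalize(v["vendor"]): v for v in risk_assessment}
    missing = sorted(key for key in spend if key not in assessed)
    stale = sorted(key for key in assessed if key not in spend)
    return {"missing": missing, "stale": stale, "spend": spend}


def reconcile_sample() -> dict:
    """Run the reconciliation on the constructed data as of the webinar date."""
    return reconcile(RISK_ASSESSMENT, AP_LEDGER, as_of=date(2018, 4, 5))


if __name__ == "__main__":
    result = reconcile_sample()
    for key in result["missing"]:
        print(f"MISSING from risk assessment: {key} (${result['spend'][key]:,.2f} paid in window)")
    for key in result["stale"]:
        print(f"STALE in risk assessment (no AP activity in window): {key}")
```

On the constructed data this flags Fabrikam (paid $12,000 but never risk-assessed) and Northwind (assessed, but last paid in 2016). Name normalization is deliberately simple; in practice the reconciliation is only as good as the match key, so a vendor ID shared between the AP system and the GRC inventory is preferable where one exists.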
Subcontracting Arrangements: There is a growing trend of FIs not explicitly defining the responsibilities of subcontractors or not performing adequate due diligence and monitoring. Define in contracts whether and which services may be subcontracted, and the expectations for monitoring. Ensure the risk assessment for service providers considers the use of subcontractors. Perform due diligence and monitoring on subcontractors to obtain a level of comfort with their control environment.
Proper Usage of SOC Reports: Identify the correct SOC report(s) to obtain from your service providers. SOC 1 (SSAE 18): a report on a service provider's controls relevant to financial reporting. SOC 2: a report on a service provider's controls relevant to the selected Trust Services Criteria (i.e. Security, Availability, Confidentiality, Processing Integrity, and Privacy). These reports may be issued as either a Type I or a Type II. A Type I (as-of date) assesses only the design of the controls; a Type II (defined time period) assesses both the design and the operating effectiveness of the controls.
Proper Usage of SOC Reports: Collect the correct reports from your service provider. Ensure the collected report(s) cover all contracted services or products. Ensure the service provider does not just forward the report(s) of their subcontractor(s). Review the reports for content and completeness. SOC reports are not a one-stop shop for fulfilling due diligence and monitoring requirements. Use a checklist or form to guide your review of the reports.
Proper Usage of SOC Reports: What should be done if you obtain the wrong reports or the reports do not include all relevant controls? Contact the service provider and assess whether different, more relevant reports may be available. Request additional materials to assess the service provider's control environment (e.g. policies and procedures, internal audit reports, regulatory examinations, etc.). Send the service provider a questionnaire or set up a meeting with their management to discuss the control environment. Add the vendor to an internal watch list and report the issue to a designated committee or management to determine an appropriate level of action (e.g. additional monitoring, updating the contractual requirements, or termination of the relationship).
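The checklist the two preceding slides call for, encoded as an added example that is not part of the Wolf & Company slides: given what the institution contracted and the metadata a reviewer transcribes from the report received, it lists the coverage gaps that should go to the follow-up steps above. It checks the points the deck names (the report is the vendor's own and not a forwarded subcontractor report, Type I versus Type II, all contracted services in scope, the relied-on Trust Services Criteria examined) and two standard SOC report elements the deck does not spell out: subservice organizations carved out of the report, and the auditor's opinion and testing exceptions. The contract and report records, field names, and the 90-day period-end threshold are constructed assumptions.

```python
"""Checklist-style coverage review of a SOC report against the contract.

Added example (not from the slides). CONTRACT and REPORT are constructed;
a reviewer would transcribe the report values from the system description,
the scope section and the auditor's opinion.
"""
from __future__ import annotations

from datetime import date

# Constructed sample: what the institution actually contracted for.
CONTRACT = {
    "vendor": "Acme Core Processing, Inc.",
    "services": {"core processing", "online banking", "mobile banking"},
    # Trust Services Criteria the institution relies on (only meaningful for SOC 2).
    "relies_on": {"Security", "Availability", "Confidentiality"},
}

# Constructed sample: metadata transcribed from the report that was received.
REPORT = {
    "service_organization": "Acme Core Processing, Inc.",
    "kind": "SOC 2",
    "type": 2,  # 1 = design only at an as-of date; 2 = design and operating effectiveness over a period
    "period_start": date(2017, 1, 1),
    "period_end": date(2017, 9, 30),
    "services_in_scope": {"core processing", "online banking"},
    "trust_services_criteria": {"Security", "Availability"},
    "opinion": "unqualified",
    # Subservice organizations carved out of the report, mapped to whether the
    # institution holds that organization's own report.
    "carved_out_subservice_orgs": {"Contoso Data Centers": False},
    "exceptions": 2,  # number of testing exceptions noted by the auditor
}


def review_soc_report(contract: dict, report: dict, review_date: date, max_gap_days: int = 90) -> list[str]:
    """Return findings for follow-up; an empty list means no coverage gap was detected."""
    findings: list[str] = []

    # The report must be the contracted vendor's own, not a forwarded subcontractor report.
    if report["service_organization"].casefold() != contract["vendor"].casefold():
        findings.append(f"report issued for {report['service_organization']!r}, not the contracted vendor")

    # A Type I covers only control design at a point in time.
    if report["type"] == 1:
        findings.append("Type I report: operating effectiveness not tested")

    # A period that ended long before the review leaves the intervening months unexamined.
    gap_days = (review_date - report["period_end"]).days
    if gap_days > max_gap_days:
        findings.append(f"report period ended {gap_days} days before review date")

    # Every contracted service or product should be within the report's scope.
    for svc in sorted(contract["services"] - report["services_in_scope"]):
        findings.append(f"contracted service not in scope: {svc}")

    # For SOC 2, the criteria the institution relies on must have been examined.
    if report["kind"] == "SOC 2":
        for tsc in sorted(contract["relies_on"] - report["trust_services_criteria"]):
            findings.append(f"trust services criterion not covered: {tsc}")

    # Carved-out subservice organizations are outside this report and need their own due diligence.
    for org, have_report in sorted(report["carved_out_subservice_orgs"].items()):
        if not have_report:
            findings.append(f"carved-out subservice organization without its own report: {org}")

    if report["opinion"] != "unqualified":
        findings.append(f"auditor opinion is {report['opinion']}")
    if report["exceptions"]:
        findings.append(f"{report['exceptions']} testing exception(s) to evaluate")
    return findings


def review_sample() -> list[str]:
    """Review the constructed report as of the webinar date."""
    return review_soc_report(CONTRACT, REPORT, review_date=date(2018, 4, 5))


if __name__ == "__main__":
    for finding in review_sample():
        print("FINDING:", finding)
```

On the constructed data the review produces five findings: the report period ended 187 days before the review date, mobile banking is not in scope, Confidentiality was not examined, the carved-out data center operator has no report on file, and two testing exceptions need evaluating. Each of those maps to one of the follow-up actions on the slide above (request a different or additional report, request further materials, or escalate to the committee).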
Questions! Jason T. Clinton, IT Assurance Senior Consultant. Phone: 617-261-8132. Email: jclinton@wolfandco.com