
A Primer on Vendor Classificat...

08-28-2014

With the publication of OCC Bulletin 2013-29, as well as numerous recent breaches involving vendors, a perfect storm of awareness has arisen not only in the financial services industry but in many others as well. The inevitable result will be an emphasis within organizations on better management of the inherent risk that comes from utilizing services from third parties. Given the axiom that no organization has unlimited resources, a critical question arises: how do I categorize my vendors so as to make the best use of existing resources while identifying and minimizing the greatest risks?

There are multiple classification schemes for vendors, each predicated on specific internal vendor management requirements. Some of the common classifications touch on elements of risk such as total spend, vendor financial performance and Service Level Agreement compliance, and those should remain ingredients in an overall evaluation of vendor risk.

The scheme proposed below in no way supplants any existing vendor management scheme. Its sole purpose is to separate the vendors that will require information security risk assessments from those that will not. The risks addressed through these types of assessments, which are central to the mission of the Shared Assessments Program, include risks to sensitive information such as company financials and intellectual property, personally identifiable information relating to staff and customers, PCI-designated data, personal health information and other data classifications subject to regulatory and contractual restraints.

The basis for this scheme is:

    1. Criticality of the vendor’s service to the continuation of the client’s services
    2. Critical data being shared – “critical” will need to be defined by each organization, but common elements are data that is regulated (for instance medical data regulated by HIPAA/HITECH, financial data regulated by Sarbanes-Oxley, internal intellectual property data regulated by internal business requirements) or whose confidentiality, integrity and availability are critical to the business
    3. Software services, which include both development and software as a service (SaaS) and which may provide their service independent of any data exchange

Scheme for vendor classification:

  • Service is critical and intolerant of disruption (BC/DR critical)
    • Data shared digitally
    • Data shared other than digitally
    • Software service provider
      • On-site service
      • Off-site service
    • No data shared
  • Service is tolerant of disruption (BC/DR is not important)
    • Data shared digitally
    • Data shared other than digitally
    • Software service provider
      • On-site service
      • Off-site service

Once this scheme is used to determine which vendors will be assessed for risk, there are several further steps that must be undertaken:

    1. Prioritization of assessments – this should be based on criteria specific to the client, which may include calculation of reputational impact and potential concerns about a vendor stemming from other risk factors, such as a sudden decline in the quality of service delivery or recent merger and acquisition activity; and,
    2. Scope of the assessment – which will depend on the specifics of the service being provided.

A coherent approach to categorizing vendors is an essential ingredient in the best use of scarce resources. Focusing on the specifics of the service provided will lead to a more efficient approach to managing inherent vendor risk.

For more than seven years, as the Senior Consultant and Manager of Operations for Churchill & Harriman, Inc., Donald Williams has managed all aspects of the organization’s delivery services, internal financial management and development of Churchill & Harriman’s Vendor Assessment Program, Risk Management Program and ISO 27001 Certification Services Program.

New OCC Guidance: Merchant Pro...

OCC issues revised guidance (OCC Bulletin 2014-41) on Merchant Processing as regulators continue to increase focus on third party risk. In their revised guidance the OCC stresses the need for expanded due diligence of third party card processors. The guidance reinforces the OCC’s concept of managing third party service providers throughout the entire vendor lifecycle by focusing first on the due diligence necessary for vendor selection.

A New Ice Bucket Challenge for...

08-26-2014

While last week my news feeds on social media showed an avalanche of humorous ice bucket challenges, it prompted me to draw a comparison with the recent Avalanche of Regulation infographic published by the American Bankers Association (ABA). The burden of regulatory compliance is dousing the fires of creativity and customer loyalty in banking.

[Image: Avalanche of Regulation infographic]

How Regulations are Stifling Innovation

Just as a bucket of ice water can bring a chilly reality to one’s day, the growing regulatory burden appears to be stifling innovation in financial services.

The survey conducted by the ABA, and routed as a call to action to members of Congress, shared some sobering statistics from the banking sector that show more regulation is resulting in fewer products and choices for consumers. Based on the organizations that responded to the survey, compliance considerations are clearly having an impact on the marketing of products or services in financial services:

  • 44% reduced current consumer financial products or services due to compliance regulatory burden
  • 27% cancelled a new product launch, delivery channel, or market due to compliance considerations
  • 31% are ‘holding off’ on new products, delivery channels or markets, while they determine the regulatory impact

The increased costs of compliance, including increased compliance staffing, are reducing the financial and human capital available for investment in the development of new financial products or services.

The regulatory burden alone for the Dodd-Frank Act has added 14,000 pages of new rules, regulations, and pending guidance. Dodd-Frank is requiring more than 60 million hours of paperwork for compliance; and we are only 50% through the mandated rules. That’s a lot of time that could have been used to identify customer needs and develop solutions to meet those needs.

Impact of Regulations on Banks and Credit Unions

It is not surprising that over the past decade the growing costs of compliance have been fueling consolidation among smaller financial institutions. The era of growth and innovation from start-up de novo banks is a fading memory. Traditional community banks are faced with the challenge of maintaining profitability while complying with the same regulations as national banks with significantly more resources. The resulting impact is fewer choices for consumers in many communities.

Regulation has unintended consequences that stifle innovation. While most financial regulations start from the good intention of protecting consumers, financial assets, or the banking sector in general, there are unintended consequences in the execution and operations of compliance that can hinder creativity and innovation.

  • Fears of UDAAP enforcement: Consumer protection rule-making and enforcement start from a good construct – to protect the consumer from unfair, deceptive, or abusive marketing practices. Creating simple-to-understand terms and conditions is a good thing. However, most financial products are complicated – even a simple checking account can carry an account holder agreement longer than the play Romeo and Juliet. Enhancing customer disclosures and notices can improve customers’ understanding of their financial options. However, the fines and enforcement are sponsoring a culture of fear, uncertainty and doubt about bank marketing teams’ ability to be creative in marketing. Over-regulation of a particular product’s features or functionality risks commoditization of the product, resulting in a “vanilla approach” to structuring a financial product or service. Last year’s ABA Bank Compliance Officer Survey showed that 78% of banks said they will or may need to change the nature, mix, and volume of mortgage products. In the last three years, the market share of non-bank mortgage services has nearly tripled, and that shifts consumers into product systems that are less regulated.
  • Big Data & Privacy: Privacy is fundamental in financial services. Online privacy preferences are a staple of web privacy statements. Privacy regulation has evolved as technology has evolved. Conflicts between privacy and technology, including surveillance, have been headlines for the last year. Big data and the use of data to drive customer experience and eMarketing can be a tricky ski slope. Traditional notice-and-choice concepts of fair information practices could not have anticipated how data analytics and big data have emerged. Regulation that tried to anticipate future uses of data would be difficult to enforce or interpret, especially with the pace of technological change. Rather, collectively, the advances in innovation enabled by big data need to be balanced with clear customer awareness of data usage and respect for context.
  • Net Neutrality: While not directly a result of prudential banking regulators, the recent FCC actions are prompting an online debate over net neutrality and the risk that regulatory change could hinder innovation on the internet. The concept that all internet data is equal is under scrutiny. When the internet was created, we could not have anticipated things like digital video streaming, Netflix, social media or YouTube. While big players in the internet service provider (ISP) space debate the interpretation of the ruling, the implications for pricing and access to content for smaller and medium-sized ISPs can’t be forgotten. Small businesses are a primary driver of economic growth, and of profitability for financial institutions. The net neutrality debate stems from a legal interpretation of jurisdiction, but it has created an avalanche of concerns regarding competition, payments processing, and the evolution of payments.
  • The evolution of payments: Historically, no payment method has ever become totally obsolete – barter is still used today, just as checks are still written by consumers and businesses. The rapid emergence of technology has driven changes to payments, including testing our perceptions of traditional payment mechanisms. Mobile technology alone spurs innovation in customer access and usage. It is difficult for regulation to keep pace with technology innovation, and it risks applying old business models to a new hybrid banking landscape. Debates over remotely written checks, industry efforts to electronify checks, and virtual currency are creating a hailstorm of questions about how to protect payments without halting innovation. Bottom line: the debate can create confusion for end customers, so both financial institutions and service providers need to monitor the influx of regulatory commentary and how it may affect the development of their payment strategy roadmap. Innovation in payments requires technology plus meeting customer needs in a way that still delivers a protected transaction. Payments are a critical component of most financial institutions’ profitability, and as payments evolve, regulatory oversight needs to evolve in parallel, but without slowing down technology innovation.

We need regulation in financial services to avoid repeating the mistakes seen during the Financial Crisis. The structuring and marketing of financial products and services needs to continually evolve, and at a much faster pace, due to the pace of technology innovation.

The avalanche of regulation and the corresponding delays in product enhancement are an “ice-bucket” wake-up call for financial services. As an industry, we need to understand how regulation can stifle innovation, take steps to address the fear, uncertainty and doubt within our organizations, and identify ways to tip the scales and create a more balanced governance model for compliance and innovation.

Linnea Solem is the Chair of the Shared Assessments Program and is Chief Privacy Officer, Vice President Risk and Compliance for Deluxe Corporation. Linnea is a management professional with 20+ years financial services experience in areas eCommerce, technology, business development, marketing, information practices and risk management. She is a Certified Information Privacy Professional and led Deluxe’s compliance initiatives for Y2K, GLB, Check 21, and Red Flags Legislation. You can connect with Linnea on LinkedIn.

Reposted with permission from Deluxe Blogs

PCI Security Standards Council...

08-12-2014

Confirming the need for stringent third party risk assessments, the PCI Security Standards Council issued guidance this week focusing on the need to thoroughly assess third party service providers who store, process or transmit cardholder data. The PCI guidance underscores and reinforces Shared Assessments’ position that, because third party service providers are under increasing attack by criminal elements, the need to ensure that service providers are enforcing stringent IT security and data privacy protection standards has never been greater.

The guidance is intended to assist in the interpretation of PCI DSS requirement 12.8, which focuses on the need to ensure that cardholder data residing with a third party service provider is adequately protected by the service provider. Included in the guidance are suggestions and clarifications for PCI DSS requirements and a sample PCI DSS responsibility matrix to assist in determining roles and responsibilities for the identification and development of specific control areas.

Santa Fe Group Consultant and Shared Assessments Program Director, Brad Keller, has more than 25 years of experience developing and leading risk management and third-party risk assessment programs. Brad is responsible for the development of the Shared Assessments Program’s Tools and key partnerships. Follow Brad on Twitter at @sfgbrad or on LinkedIn.

Holistic Information Security ...

08-06-2014

The attention to People and Process is lagging far behind

In reviewing the recent plethora of data breach stories, I am beginning to see a pattern here. While many companies answer breaches with more and more technology, it appears that they are ignoring what may be the real root cause: people and process.

Case in point. In the article How Physicians’ SSNs Were Exposed, reported by HealthInfo Security (HIS), “Several Blue Shield of California spreadsheet reports inadvertently containing the Social Security numbers of 18,000 physicians and other healthcare providers were released 10 times by the state’s Department of Managed Health Care.” (McGee, M. K. (2014, July). How Physicians’ SSNs Were Exposed. Healthcare Info Security, p. 1.)

In another story, PHI Exposed in Mailing Error, from HIS, it was reported that “St. Vincent Breast Center in Indianapolis has notified 63,000 individuals that a clerical error led to the mailing of letters containing personal health information to the wrong recipients.” (Roman, J. (2014, July). PHI Exposed in Mailing Error. Healthinfo Security, p. 1.)

And the big one for me was reported through TechTarget: Report finds poor security communication among executives. It appears that the Ponemon Institute LLC just released results of a survey of nearly 5,000 IT security practitioners. That report was very enlightening. “Just under one-third of respondents indicated that their organizations’ respective IT security teams never discuss security with executives.” Of those surveyed, the report goes on, “only 1% said security teams spoke with executives weekly and 11% quarterly, though 15% specified that they could meet with executives on an on-demand basis.” (Blevins, B. (2014, July). Report finds poor security communication among executives. SearchSecurity, TechTarget, p. 1.)

I think we have found the likely reason the breaches in the first two cases happened, and possibly why breaches happen at all: lack of top management involvement.

You see, it is people and process failures that cause the most breaches. Sure, technology has its place and is a huge part of the security posture, but what every security and IT professional learned way back in the day still holds: “Garbage in, garbage out.”

If we are not training our people properly and installing the necessary checks and balances needed to ensure competency of our people and effectiveness of the processes, breaches will continue to happen. Sure, hackers enter our systems through the technology, but it is the people who install it and the processes we implement that guide that technology. No such thing as turnkey technology.

In December of last year the U.S. Department of Energy reported on a July breach that exposed the personal information of more than 104,000 individuals. It noted IT and agency management failures around vulnerability management, access controls and a general lack of communication between decision makers. The story notes that “DOE failed to live up to industry standards and government mandates around not only encryption of sensitive data, but using Social Security numbers as identifiers, running IT systems with unpatched critical vulnerabilities and outdated software.” (Mimoso, M. (2013, December). Poor Patching, Communication Facilitated July Dept. of Energy Breach. Threatpost, p. 1.)

Convinced yet?

Luis Aguilar, Commissioner of the U.S. Securities and Exchange Commission, stated that “Boards that choose to ignore, or minimize, the importance of cybersecurity oversight responsibility, do so at their own peril” during a speech at the “Cyber Risks and the Boardroom” conference held at the New York Stock Exchange on June 10th. (Aguilar, C. L. (2014). Boards of Directors, Corporate Governance and Cyber-Risks: Sharpening the Focus. United States Securities and Exchange Commission.)

A board’s failure to manage cyber risks can create threats of litigation, fines, increased insurance costs and, perhaps most importantly, loss of consumer confidence.

Best practices like ISO/IEC 27001, Shared Assessments, CSA STAR Certification for the cloud and the NIST Cybersecurity Framework are all there as holistic road maps that provide you with guidance for driving security from the top down. Using one of these as a foundation or integrating them is an excellent way to show standard of care and that you do in fact care.

Information and cyber security, like it or not, is a board-level issue. Like most things in our lives, it is people and process that drive what tools we use and how we use them. They drive the culture of our organizations and ultimately how we safeguard our company, employees, customers and the society around us.

Shared Assessments Steering Committee member, John DiMaria, BSI Group America, Inc., is a BSI Certification Portfolio Expert, Six Sigma Black Belt, certified Holistic Information Security Practitioner (HISP), and Master HISP with over 28 years of successful experience in Management Systems and international standards. Connect with John on LinkedIn.

Notice: The statements within this article are the independent views and opinions of the author and not necessarily those of the management of BSI Group America, Inc.

Assurance Processes to Address...

07-29-2014

Part III of a four-part series

In part II of the four-part blog series, Regulators’ Expectations for Third Party Risk Management, I focused on governance and oversight structures for each phase of the third party relationship lifecycle. Today, I am going to take a deeper dive into managing fourth party and subcontracting risks, along with how external assurance strategies can be leveraged to minimize the complexities of implementing effective third party risk management programs.

I would be remiss if I did not start with the obvious confusion in naming convention terms. Much like the timeless “Who’s on First” baseball comedy routine from Abbott and Costello, figuring out the players in third & fourth party risk can be just as confusing.

If Company A contracts to Company B, then Company B is considered to be a “third party”— I guess in contractual relationships at least the first party must be the user of Company A’s services, but starting in 3rd person in the game of vendor oversight, always seemed odd. However, today the game has changed, since oversight concerns regarding security, data breaches, and compliance, are bringing fourth party risk front and center. Right to audit expectations extend from third party to the fourth, fifth, and downstream based on how deep in the supply chain providers have access to, the processing of, transmission of, or retention of the company’s data.

Cookie Crumbs on the Right to Audit Trail

Vendor and third party relationships are pervasive in today’s economy and with today’s changing technologies. The starting point is to focus on what assets you are trying to protect when determining your approach to right to audit for your third parties and their usage of suppliers, vendors, or outsourced functions.

A fundamental driver for a financial institution to demand a right to audit for fourth parties is to mitigate data breach risk considerations should their primary third party experience a data breach. In the absence of a contractual provision for recourse, the financial institution may still experience the customer risk. What may sound simple on the paper of the negotiated contract is much more nuanced to operationalize.

[Image: Define, Survey, Assess]

A common misperception or reaction to recent guidance on managing fourth party risks is that financial institutions must apply the exact same due diligence to all of their own third parties and each and every subcontractor or vendor their primary service provider utilizes. In contrast, the intent is that the financial institution has established a risk-based program; implemented appropriate governance and oversight programs for third party risk; and has demonstrated to its regulator or examiner how they have developed sufficient approaches to assess and manage fourth party risk.

What aspects of the relationship you need to assess depends on the depth of the type of assurance your organization needs to manage third party risk for information protection, service continuity, or regulatory compliance. This process will be dynamic, with ongoing changes based on all phases of your third party lifecycle and the lifecycle of the relevant critical subcontractors or outsourced providers.

Semantics in Subcontracting

Defining and implementing fourth party controls requires viewpoints on traditional due diligence processes to be adapted to ensure focus on the material risks being addressed. Chasing every potential vendor, application provider or commercial software company is not feasible, nor does it address the critical path to managing risk.

When building your expectations for fourth party considerations into your contract and due diligence process, consider your demands in the context of what services are being considered for the contract. Your service providers may leverage vendors or third parties to provide work ranging from staff augmentation, facility management functions, mailing services, application support, call center support and technology outsourcing to direct subcontracting of manufactured work. Create a set of definitions for the types of subcontracting, outsourcing, or fourth party relationships that are applicable to the services under review:

  • Services vs. services debate: A common contractual trap in subcontracting is the legal debate over Services with a capital “S” vs. services with a lower-case “s”. Capitalized Services need to be contextually defined in the contract and, depending on the contract structure, may be more appropriately called out in statements of work. Literal compliance can create a burden of contract administration that was not the intent of the language. Partner with your service provider on what types of fourth party relationship trigger “risk” or “compliance” requirements within your Third Party Oversight Program, and define and execute a process for information sharing that aligns with both organizations’ expectations.
  • Notice and approval provisions: Keep the focus on oversight of your service provider and due diligence for material third party relationships that affect your critical operations. Demanding an approval provision but not defining processes for granting permission puts your third party in a stalemate situation. Set expectations for the type of notification that is reasonable based on the service and hold your service provider accountable to provide sufficient due diligence efforts to meet regulatory expectations.
  • Offshore outsourcing: Usage of offshore resources or firms in information technology outsourcing (ITO) or business process outsourcing (BPO) introduces different risks based on geography and modifications to the due diligence approach. Focus in your assurance efforts on the information protection and service continuity controls in place to protect your organization from additional risk. Focus on location risk, and any cross-border data access or transfers. Most traditional ITO and BPO relationships in financial services are structured where the customer data resides in the U.S. and outsource workers access sanitized or masked data, from workstations that enable controls to limit data from residing offshore. Require that your service provider conduct sufficient oversight which may include risk management reporting, site visits, inspections, and issue management. Ensure that they have processes to monitor evolving geopolitical risk and have adequate business continuity management plans in place.

Trust but Verify Oversight Approach

Adequate due diligence requires more than getting compliance information from a third party service provider. For key controls that your organization has deemed important in managing your risk, financial institutions need to request evidence of the implementation of those controls and of the effectiveness of that implementation. Evidence or artifacts can take many forms, and may or may not be distributed externally. However, most service providers will have a process to provide artifacts during on-site visits, or by using online tools for information sharing via web meetings to show confidential documentation or artifacts. While confidentiality provisions and contractual relationships allow information sharing, service providers may need to ‘redact’ or sanitize certain compliance documents either to protect other parties’ confidential information or to mitigate the organization’s risk of data leakage.

  • Due Diligence Protocols: Conducting due diligence for fourth party risk requires adjusted processes, as there is no direct contractual relationship with the fourth party or subcontractor. The due diligence approach is typically less focused on the third party itself and more an inspection of how your third party has structured its program for oversight of its providers: risk management controls, methodology, and the type and location of data.
  • Inspecting Third Party Service Provider Programs: Service providers that focus on outsourcing within financial services should have documented policies and procedures to manage and assess the risk of their own third party subcontractors. The program should encompass risk assessment, onboarding, termination and periodic assessments of the third party.
  • Assess Maturity of Program Processes: Structuring a third party service provider program and evaluating specific components is dynamic and changes as the organization changes. Organizations can use a self-assessment process to identify areas of continuous improvement to strengthen the maturity of third and fourth party oversight processes.

Utilizing External Assurance for effective monitoring

Sufficient and regular due diligence is just one aspect of third and fourth party risk management. Many organizations lack the internal resources, or capacity to conduct manual audits or inspections for third parties. External assurance options have evolved past the focus on Sarbanes Oxley (SOX) controls. Even the new Payment Card Industry (PCI) standards are developing a focus on third party risk. Independent assessments or engagements provide a level of independence and objectivity to the due diligence or third party risk assessment process.

  • SSAE 16 Engagements: AICPA-structured engagements can be tiered based on the organization’s needs in demonstrating the adequacy of control objectives. The SOC 1, SOC 2 and SOC 3 options provide the ability not only to assess the controls but also to have the controls tested from an independent point of view. Service provider organizations need to define the controls to be included in the scope of the external audit, and also which applications are included in the testing process.
  • Agreed Upon Procedures (AUP) Engagements: The Shared Assessments Program has created a tool called the AUP, which can be used in two ways within third party risk management programs. Organizations that use the Shared Assessments tools can use the AUP to structure the agenda and control testing for conducting an on-site assessment of a third party. Organizations should, however, scope which risk domains within the AUP are applicable to the services provided by the third party. The tool provides structure to the testing to achieve the objectives of the “Trust but Verify” approach to due diligence. Service providers can also use the AUP by directly contracting with an outside assessment firm to conduct an AUP engagement. Once completed, the AUP report can be distributed by the service provider to clients as an independent assurance report, minimizing the need for multiple on-site assessments.

With the heightened focus on third and fourth party risk, it is critical to structure and determine senior management involvement in program oversight. Formalized reporting, risk reporting, issue management, and maturity of the third party risk program are all important elements required to ensure that risk management is being addressed at the right levels, with the right information. Third party risk management is not just an event driven at the signing of a contract – that’s when the process only just begins.

The last area of focus in this blog series will be on the evolution of contract compliance given today’s regulatory landscape, provided by Sybill McDowell, Risk & Compliance Operations Manager at Deluxe.

Linnea Solem is the Chair of the Shared Assessments Program and is Chief Privacy Officer, Vice President Risk and Compliance for Deluxe Corporation. Linnea is a management professional with 20+ years financial services experience in areas eCommerce, technology, business development, marketing, information practices and risk management. She is a Certified Information Privacy Professional and led Deluxe’s compliance initiatives for Y2K, GLB, Check 21, and Red Flags Legislation. You can connect with Linnea on LinkedIn.

Reposted with permission from Deluxe Blogs

How Shared Assessments Approac...

07-24-2014

During discussions in 2013 to determine the next risk areas that should be addressed by the Shared Assessments Program Tools, the focus rapidly turned to software security. As we polled our members we found that many of them were concerned with the security of the software being provided by their vendors and, more importantly, with what they could do to determine whether that software was developed and maintained in a secure environment.

The issues to be addressed by the 2014 version of the Program Tools were prioritized by the Shared Assessments Steering Committee based on the recommendations of the SIG Working Group. A subcommittee was then formed to bring together secure software development industry experts from member organizations, in addition to knowledge experts from Veracode and Cigital to round out the risk professionals who addressed the issue.

The first item addressed by the subcommittee was identifying the key questions to ask in assessing the strength of a third party’s Software Development Life Cycle (SDLC). The assessment performed with the Shared Assessments Program Tools should be thorough and effective, but should not try to replicate a comprehensive assessment of the type performed by Veracode and Cigital. Keeping its focus on the need to balance effectiveness with efficiency, the subcommittee began its work in the spring of 2013.

Using vBSIMM (Cigital’s vendor-focused adaptation of the Building Security In Maturity Model, BSIMM) as a framework, the subcommittee tackled the second major issue: how to perform the assessment. The key feature that evolved is a focus on the security of the process used to develop and maintain software, rather than on the code of any one product. Process areas investigated as part of the assessment range from the components of the third party’s SDLC policy to the frequency of code review and penetration testing and the management of post-production issues. These questions formed the basis of the full assessment of a third party’s software security that the subcommittee proposed as a new risk area (tab) for the 2014 SIG. The proposed additions to the SIG were then reviewed and approved by the full SIG Working Group and the Shared Assessments Steering Committee for inclusion in the SIG for 2014.

Recent threat reports underscore the importance of including software security in your third party assessment program. Symantec’s 2014 Internet Security Threat Report found that the proportion of scanned web sites containing vulnerabilities grew from 53% in 2012 to 78% in 2013. Even more troubling is Veracode’s finding that 90% of the applications it reviewed did not comply with the OWASP Top 10.

The inclusion of a thorough approach to determining the security of a third party’s software development environment is another example of the Shared Assessments Program’s efforts to keep its Program Tools on the leading edge of identifying and managing third party risks.

Santa Fe Group Consultant and Shared Assessments Program Director, Brad Keller, has more than 25 years of experience developing and leading risk management and third-party risk assessment programs. Brad is responsible for the development of the Shared Assessments Program’s Tools and key partnerships. Follow Brad on Twitter at @sfgbrad or on LinkedIn.

Structure Governance & Ov...

07-18-2014

Part II in a IV part series

As I outlined in part one of this four part blog series, entitled Regulators’ Expectations for Third Party Risk Management, organizations need to deploy a risk-based approach when developing their third party oversight program. Today, I want to explore concepts for how organizations can structure governance and oversight programs for each phase of the third party relationship lifecycle.

Building a relationship with a third party service provider, especially one to which your organization may be outsourcing a key service or function, is not a one dimensional task but a multi-faceted strategy to meet current market expectations. The Office of the Comptroller of the Currency (OCC) set the bar on establishing a lifecycle approach with its updated guidance on managing risk in third party relationships. A differentiator in that guidance was the expanded accountability for senior management to be directly involved in assessing the process for selecting and implementing new third party relationships. For those relationships defined as critical to a financial institution, senior management must secure Board of Directors level engagement to formalize the relationship.

Financial organizations of all sizes have different processes or approval mechanisms to engage senior management, audit committees and Boards of Directors. The starting point is the planning phase, when a change in a third party relationship is being considered. I call it the “4 P’s” of the third party proposal process.

The 4 P’s of Third Party Risk

Whether creating a new third party relationship, changing an existing one or outsourcing a new function, there are different steps to be taken in the pre-assessment phase of defining requirements. The regulatory landscape today requires a more thoughtful and strategic approach to ensure that management has properly assessed and understands the risks involved, and has aligned the third party RFP or selection process to the organization’s requirements.

  • Planning: During the planning phase of third party selection, it is important to identify and engage the stakeholders who need to be involved in the selection process. Identify the subject matter professionals who need to define business and technical requirements.
  • Preparation: Determine what steps and types of due diligence must be performed to address the risks of the relationship. Establish in the business case the resources needed for the selection process, and the direct and indirect costs of making a change.
  • Process: Typically the business lines are driving the need for a change in service delivery that requires use of a third party relationship. Validate your defined internal committees or governance structures that may have to provide authorization, or require information, before a third party relationship change can advance. Understand any stage-gate triggers up front in your planning process so you perform adequate due diligence and account for the timelines needed in the approval process.
  • Performance Criteria: Prior to initiating the due diligence, establish your critical success factors and the key relationship performance indicators that define how you will evaluate the selection decisions. This can become a balancing act, and you can avoid conflicts among competing influences if you have engaged stakeholders up front in the process.

Due Diligence & 3rd Party Engagement

During the due diligence process and onboarding for third party relationships you will establish the required due diligence based on the type of service and level of risk in the relationship. The due diligence process may involve unique areas of accountability from within your organization, but also from the service provider. The due diligence process to assess Information Protection, Service Continuity, or Regulatory Compliance may be quite different. Each function may require different risk assessment activities within your organization, and involve different subject matter professionals at the third party service provider.

  • Governance: Establish the linkages to your own internal governance processes for key risk areas of information protection, service continuity, and regulatory governance. Each of those functions may have different organization governance mechanisms for approvals, or specific needs to be met.
  • Oversight: By engaging the stakeholders early on, you can ensure you have alignment to their critical requirements to avoid road-blocks in contract negotiation. The lack of involvement up front can create a “due diligence loop” where the business line has to keep going back to get more information, or repeat the risk assessment process with other functional areas.

Contract Negotiation & Structures

Regulatory guidance on what types of contract terms, conditions and requirements are expected has quickly advanced the maturity of the contracting process. While it is important to align the third party contract to regulatory expectations, don’t try a one size fits all approach. Different types of third party relationships will trigger different sets of terms, conditions or requirements. As contract expectations evolve, more internal education is required on how the due diligence process works. Right-to-audit provisions and fourth party subcontracting oversight are familiar risk processes to the risk and third party assurance teams, but they are not processes that Legal teams typically engage in at an operational level.

When building out the contract structures for different types of third party relationships, consider the resources and management effort required on a go-forward basis. There are pros and cons to the “Master Services Agreement”, which may help minimize the number of contracts in place, but in most cases the specific operational requirements are not known at engagement. The structure of the contract, or of the statements of work, should help you separate the contract’s obligations into the “what” and the “how”. Knowing that the “how” can change during the third party lifecycle, address the change management process with resources and administrative complexity in mind. Define up front the approval or oversight process, and the stakeholders who need to approve changes in the third party relationship after the contract is finalized.

Ongoing Relationship Monitoring

More thorough due diligence is conducted in the initiation stage of the third party relationship. However, the expectations today require ongoing monitoring. This can often be confused with “vendor management” which tends to be the operational oversight of day to day operations with lines of business. Vendor management functions are critical to ensuring business needs or key performance indicators are met, but may not be the primary mechanisms for ongoing monitoring of third party risks.

Separation of duties and independence of the risk management function for third party oversight are the primary facets of the governance and oversight of third party risk. Financial institutions should define, and set expectations internally and with their third party service providers for, the frequency (annual, semi-annual or otherwise) at which due diligence will be updated and artifacts or evidence provided to meet contractual obligations.

Establish third party scorecards, dashboards and internal reports to management for key third party relationships. Senior management has an ongoing obligation to ensure that the relationship risks are being managed. This may involve initiating linkages to changes in corporate governance policies, including periodic reviews of the organization’s Third Party Risk Management process.

Change Management, Exit Strategies & Disengagement

Third party relationships can change or evolve during the term of the agreement. Both internal and external events can trigger changes to the contract or the due diligence process. Based on recent guidance, financial organizations need to build more thorough strategies into the contracting process regarding the roles and responsibilities at the end of the relationship, including costs and support in the off-boarding process.

Managing and negotiating these terms can’t be a one-sided debate: a mutual third party relationship is in place, which requires agreement on how the parties disengage in a way that satisfies the terms of the agreement and the reason for termination. A change management process for negotiating the terms of disengagement, the return of data, and which third party risk obligations survive the current term needs to be considered up front, not just at the end of the relationship.

Defining the organizational structures and oversight programs for third party risk has become a collaborative effort between lines of business, risk management and assurance functions in both financial institutions and service providers. Managing agreement to changes in third party subcontracting, or fourth party risk, and how to leverage external assurance strategies is the next topic in this series.

Linnea Solem is the Chair of the Shared Assessments Program and is Chief Privacy Officer, Vice President Risk and Compliance for Deluxe Corporation. Linnea is a management professional with 20+ years financial services experience in areas eCommerce, technology, business development, marketing, information practices and risk management. She is a Certified Information Privacy Professional and led Deluxe’s compliance initiatives for Y2K, GLB, Check 21, and Red Flags Legislation. You can connect with Linnea on LinkedIn.

Reposted with permission from Deluxe Blogs

Risk-based Approach to Third P...

07-10-2014

Part I in a series

In less than eighteen months, there has been more industry guidance and updated regulations regarding third party risk than at any other juncture in the evolution of governance within the financial services industry.

Media attention from retailer breaches and enforcement actions by industry regulators have made the oversight of third party risk a top priority for all levels of management within banking organizations. Each regulator has issued its own guidance specific to third party risk management, creating an overlap of requirements depending on the types of services that a financial institution may have outsourced. Developments in payment card security standards have expanded the focus on third party risk management. Common themes have emerged when looking across the various published contract and third party examination expectations.

A common misperception is that there is a vast number of “net-new” requirements, when in fact the recent issuances simply communicate expectations more clearly, aligning third party governance to industry best practices. The focus is less on a specific prescriptive approach and more on describing what practices should be deployed to demonstrate how third party risk is being managed.

These practices will be explored in a series of blogs sharing insights into how to mature your third party risk management oversight program to meet the higher threshold expected in today’s market landscape. The themes to be explored include developing a risk-based approach; structuring your governance model; addressing assurance for fourth parties or subcontracting; and assessing contract and audit processes in third party agreements.

STEP 1: Deploy a risk-based approach to third party risk management

Third Party Oversight has evolved since the days of checklist compliance – checking the box on an insurance certificate or receipt of a SAS-70 is a waning memory of simpler times in thinking about third party risk. As the usage of third parties grows across the supply chain; and services become more pervasive with adoption of new technologies, the approach to identifying, assessing, and mitigating third party risk evolves.

All third parties are not alike – in terms of the type of services they provide to your organization. Commodity suppliers present different risks than technology service providers. Companies that sell or market on behalf of a financial institution may trigger consumer protection risks that are not applicable to service providers that don’t have accountholder interaction.

Third party risk management is not a “one size fits all” approach – the level and type of risk assessments to be performed about a third party is directly related to the scope of work they perform, the type of data or information sharing, and may trigger different regulatory compliance obligations based on the type of function performed. A function or process can be outsourced, but the financial institution can’t outsource accountability for information protection, regulatory compliance or service continuity.

Regulators expect organizations to develop a third party risk management program that meets the size and complexity needs of the individual organization. Here are some suggestions as you look to develop or improve your third party risk management program:

  • Create a third party dictionary: Retail, Operations, Lines of Business, Sourcing, Information Security and Legal all define third parties in different ways. Vendors, suppliers, service providers, outsourcing, technology service providers (TSP) and business process outsourcing (BPO) are all examples of types of third party relationship. In large holding company structures a third party can even be an affiliate or sister company. Create a common set of defined terms that describe the types of third party relationships that exist within your organization. Make sure that you have alignment on the types of third party relationships in scope for your program. Don’t overburden a third party with governance requirements that are not applicable to the type of service. Be able to articulate “why” and “how” you defined the types of third party relationships in scope for your risk-based program.
  • Assess your own risk factors: Just as all third parties are not alike, risks are not alike. Governance models can differ based on what risks you are trying to mitigate. Enterprise risk, credit risk, market risk, regulatory risk and operational risk all require different strategies and tactics to identify, assess and mitigate risk. Within your inventory of third party relationships, identify what types of risk each relationship creates for your organization. The type of risk will influence the level and type of risk management activities that need to be implemented. The complexity of the financial products and services your organization offers directly to accountholders, versus those delivered through third parties, will directly affect the types of risk management controls that need to be structured. Good contract terms alone can’t take the risk off the table in today’s regulatory landscape.
  • Define your Third Party Risk Ladder: A risk-based approach requires a clear strategy for determining low, medium and high risk third party relationships. Based on your Third Party Dictionary and third party inventory, define a hierarchy or stratification structure to group your third party relationships. Your highest risk vendors are the top rung of the ladder, requiring the strongest oversight and governance. The number of steps or levels may differ based on your product offering, the types of outsourcing in scope, or your organization’s strategic direction on what is insourced versus outsourced.
  • Determine the Depth, Breadth and Frequency of Third Party Oversight: Build into your third party classification structure what due diligence or oversight activities need to be performed at each level. Create and document your strategy for what level of independent assurance is needed. Regulators expect financial institutions to request due diligence and compliance documentation from third parties, but this is not simply a paper pushing exercise. Define what types of controls need to be in place and how you expect your third parties to meet your expectations. A risk-based approach requires your organization to be able to articulate how it used the information provided by the third party to assess the risk to the organization.
  • Practice what you Preach: After structuring your program, think like the examiner and be prepared to defend your decisions. Expectations today are that third party risk programs are adaptable and aligned to the risk management strategies at all levels of your organization. Have your internal teams do a “dry run” or “simulation” of presenting and defending why the inventory and oversight approach meets the needs of the organization. Confidence in showing how the organization used a risk-minded view to structure the third party program will strengthen your organization’s readiness for inspection.
  • Update Your Third Party Report Card: Risks change with many types of market events. A third party report card is not just about grading a third party; it should reflect the risks being managed. In today’s highly focused landscape there is more accountability on senior management to understand third party risks and how their organization is addressing the oversight expectations. Broaden management reporting to include third party risk, and also highlight the activities and actions put in place. A risk-based approach requires not only governance but adequate resources, skills and capacity to accomplish the third party service provider program expectations. Senior executives and Boards of Directors require more than a risk management report card: they need more formality in how assurance on third party risk is provided.

Stay tuned for Part II in this series where I’ll explore governance and oversight programs for each phase in the third party relationship life cycle. Adapting third party risk management to third party assurance is a journey for organizations of all sizes.

Linnea Solem is the Chair of the Shared Assessments Program and is Chief Privacy Officer, Vice President Risk and Compliance for Deluxe Corporation. Linnea is a management professional with 20+ years financial services experience in areas eCommerce, technology, business development, marketing, information practices and risk management. She is a Certified Information Privacy Professional and led Deluxe’s compliance initiatives for Y2K, GLB, Check 21, and Red Flags Legislation. You can connect with Linnea on LinkedIn.

Reposted with permission from Deluxe Blogs

Payment Token Implementation D...

07-01-2014

With an estimated 70% of US credit cards likely to be EMV chip ready by the end of next year ((70 Percent of U.S. Credit Cards to Include EMV Chips 2015, Computer World, June 16, 2014, http://www.eweek.com/security/70-percent-of-us-credit-cards-to-include-evm-chips-by-2015.html)) , the race to protect against sharply increased levels of card-not-present fraud has begun in earnest. As we’ve discussed in the past, one of the most important tools to help mitigate card-not-present fraud will be tokenization of the front end of the payment. EMVCo, which is one of several organizations developing a payment token specification, has committed to a speedy drafting process, promising a completed standard this year ((Chip Standards Body Fast-Tracks New Token Standard in Wake of Target, Other Recent Breaches, DigitalTransactions, February 5, 2014.http://digitaltransactions.net/news/story/4502)) . At the moment, although both The Clearing House and X9 are working on (and in the case of The Clearing House largely completed) tokenization standards, it appears that EMVCo has the best shot at prevailing in the marketplace, at least in the short term.

The work product ((EMV Payment Tokenisation Specification – Technical Framework, Version 1.0, March 2014, http://www.emvco.com/specifications.aspx?id=263)) released by EMVCo in March of this year was a promising start, and contains some critically important elements. For example the standard’s Technical Framework contains a process for establishing and vetting the assurance level of each token, based on the identity and verification performed, the entity that performed the evaluation, as well as other factors. Token assurance levels are designed to be conveyed with each transaction, and optionally the Token Service Provider’s additional information supporting a particular token assurance level can be passed to the issuer as part of an authorization request.

Another significant positive is that the standard anticipates useful payment token domain controls. Token domains define the types of transactions for which a given token may be used. The standard will provide for payment tokens that are channel specific (for example, NFC only), merchant specific, digital wallet specific, or any combination of these items. Venue specific token hierarchies such as those proposed in the standard are a very important feature that have the potential to increase security levels while making life less complicated for key stakeholders.
The Technical Framework also contains a number of use cases, including Mobile NFC at the Point-of-Sale, Mobile/Digital Wallet E-Commerce, Card-On-File E-Commerce, and Scan at Point-of-Sale. It also documents the capture and clearing and exception flows.

So far, so good, and it’s important to note that EMVCo has not yet released a full draft of the complete standard. That said, from what we can see in the Technical Framework document, the standard will be written so as to allow participants considerable freedom in terms of how they execute product against the standard. That’s not inappropriate, but there may be unintended consequences, especially if the industry flocks to a lowest common denominator approach to execution.

What are the key choices the industry will make?

  • What’s the life span of a token? Tokens can be completely dynamic (that is, they change with every transaction), they can be static (they don’t change until the token expiry date, and can then be renewed “as is” at each expiry date in perpetuity), or anything in between.
  • What’s the token’s bandwidth? The standard seems certain to provide considerable flexibility concerning the constraints around token use. As noted earlier, it provides for merchant specific tokens, channel specific tokens, digital wallet specific tokens, or tokens with any combination of those three restrictions. But there will likely be nothing in the standard that prohibits parties from using a single token with no bandwidth restrictions at all. If those tokens also happen to be static, the question of compromise cannot be avoided: an unrestricted, long-lived token is as reusable by a thief as the PAN it replaced.
  • How effectively will the token assurance framework be implemented? High assurance tokens issued to individuals on the basis of weak credentials will compromise the system, as will significant actor-to-actor variation in the interpretation and implementation of each assurance level definition.

We’re still relatively early in the EMVCo process, but once stakeholders coalesce around a single tokenization standard, the work has only just begun. There has yet to be a broad industry discussion about the consequences of different payment token implementation paths, but there is still time. The industry will be best served by a more robust discussion among all stakeholders about the ramifications of the key implementation choices that will, after all, determine the standard’s ultimate effectiveness. The industry’s credibility is very much on the line.
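To make the three choices above concrete, here is a small token vault that binds each token to a usage domain (channel, merchant, wallet or any combination), records a token assurance level, and supports both static and single-use tokens. This is an added illustration for this post, not code from EMVCo, The Clearing House or the author, and it follows the Technical Framework only in spirit: the field names, the 16-digit token shape, the 00 to 99 assurance scale and the test PAN are assumptions, and a real vault would keep PAN material under an HSM and hand it only to the issuer. The authorize() check is where domain controls pay off: a card-on-file token lifted from one merchant declines at another, and a single-use token declines on replay.

```python
"""Toy payment-token vault with domain controls, assurance levels and
static vs single-use tokens. Added illustration, not EMVCo or author code."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class TokenDomain:
    """Where a token may be presented. None in a field means 'unrestricted'."""
    channel: Optional[str] = None       # e.g. "NFC", "ECOM" (assumed labels)
    merchant_id: Optional[str] = None
    wallet_id: Optional[str] = None

    def permits(self, channel: str, merchant_id: str, wallet_id: Optional[str]) -> bool:
        required = (self.channel, self.merchant_id, self.wallet_id)
        presented = (channel, merchant_id, wallet_id)
        # every restriction that is set must match what the transaction presents
        return all(r is None or r == p for r, p in zip(required, presented))


@dataclass
class TokenRecord:
    pan_ref: str            # keyed hash of the PAN; the toy never stores the PAN itself
    domain: TokenDomain
    assurance: int          # token assurance level, 00..99 scale assumed here
    expiry: date
    single_use: bool        # True = dynamic token, consumed by its first authorization
    used: bool = False


class TokenVault:
    """Token service provider: issues tokens and validates presentations."""

    def __init__(self, vault_key: bytes):
        self._key = vault_key
        self._tokens: Dict[str, TokenRecord] = {}

    def _pan_ref(self, pan: str) -> str:
        return hmac.new(self._key, pan.encode(), hashlib.sha256).hexdigest()

    def issue(self, pan: str, domain: TokenDomain, assurance: int,
              expiry: date, single_use: bool = False) -> str:
        if not 0 <= assurance <= 99:
            raise ValueError("assurance level must be in 00..99")
        while True:
            # 16 random digits so the token fits existing PAN fields; nothing is derived from the PAN
            token = "".join(secrets.choice("0123456789") for _ in range(16))
            if token not in self._tokens:
                break
        self._tokens[token] = TokenRecord(self._pan_ref(pan), domain, assurance, expiry, single_use)
        return token

    def authorize(self, token: str, channel: str, merchant_id: str,
                  wallet_id: Optional[str], today: date,
                  min_assurance: int = 0) -> Tuple[bool, str]:
        """Return (approved, reason); each decline has its own reason so the
        issuer can tell a domain violation from a replay or an expiry."""
        rec = self._tokens.get(token)
        if rec is None:
            return False, "unknown token"
        if today > rec.expiry:
            return False, "token expired"
        if rec.used:
            return False, "single-use token replayed"
        if not rec.domain.permits(channel, merchant_id, wallet_id):
            return False, "outside token domain"
        if rec.assurance < min_assurance:
            return False, "assurance level below issuer policy"
        if rec.single_use:
            rec.used = True
        return True, "approved"


def demo() -> List[Tuple[bool, str]]:
    """Constructed scenario: one card-on-file token bound to a merchant and the
    e-commerce channel, one single-use NFC token bound to a wallet."""
    vault = TokenVault(b"constructed demo vault key")
    pan = "4111111111111111"                      # constructed test PAN
    exp, today = date(2015, 12, 31), date(2014, 7, 1)
    cof = vault.issue(pan, TokenDomain(channel="ECOM", merchant_id="M-1001"), 60, exp)
    nfc = vault.issue(pan, TokenDomain(channel="NFC", wallet_id="W-42"), 60, exp, single_use=True)
    return [
        vault.authorize(cof, "ECOM", "M-1001", None, today),                    # approved
        vault.authorize(cof, "ECOM", "M-2002", None, today),                    # token lifted from M-1001, replayed at M-2002
        vault.authorize(cof, "NFC", "M-1001", None, today),                     # right merchant, wrong channel
        vault.authorize(nfc, "NFC", "M-3003", "W-42", today),                   # approved: any merchant, this wallet
        vault.authorize(nfc, "NFC", "M-3003", "W-42", today),                   # replay of a single-use token
        vault.authorize(cof, "ECOM", "M-1001", None, today, min_assurance=80),  # issuer demands higher assurance
        vault.authorize(cof, "ECOM", "M-1001", None, date(2016, 1, 1)),         # past expiry
    ]


if __name__ == "__main__":
    for approved, reason in demo():
        print("APPROVED" if approved else "DECLINED", reason)
```

The design choice worth noting is that every decline carries a distinct reason. A static, unrestricted token would pass every check but “unknown token”, which is exactly the lowest common denominator the post warns about; the domain and single-use checks are what turn a stolen token into a declined transaction rather than a usable card number.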

For more than 35 years, Santa Fe Group Senior Advisor, Gary Roboff, contributed his outstanding talents to the financial services industry, and in particular to financial services payments systems. Gary has focused on such issues as privacy and information utilization, business frameworks, changes in the payments and settlement systems, and standards for emerging e-commerce applications. He has chaired the Electronic Funds Transfer Association (EFTA) Board of Directors and was a founder of the International Security Trust and Privacy Alliance (ISTPA), serving as Vice Chair of its Board.

Deciphering the 3TG in Dodd Fr...

06-18-2014

Part II of a Two Part Series

The Dodd-Frank Act put consumer protection into the headlines with the creation of the Consumer Financial Protection Bureau (CFPB), triggering a large restructuring of consumer financial laws and regulations. However, not all parts of Dodd-Frank deal with the marketing practices of financial services companies. Dodd-Frank is the shortened name of the , and contains significant provisions related to corporate governance. While the financial and capital provisions are getting the headlines in finance boardrooms, compliance teams in many publicly traded companies are preparing for initial Securities and Exchange Commission (SEC) filings under Section 1502 of the Dodd-Frank Act, which addresses conflict minerals.

Conflict Minerals Basics: Finding 3TG

As I discussed in my previous blog, conflict minerals are natural resources extracted in a conflict zone and sold to perpetuate the fighting, conflict or human rights violations. The concept is broad, given the nature of international trade and the difficulty of monitoring sourcing across a vast spectrum of specific countries. In the case of Dodd-Frank, conflict minerals are defined as cassiterite, columbite-tantalite, wolframite and gold, and their derivatives, which are limited to tin, tantalum, tungsten and gold (“3TG”).

Compliance program maturity of the supply chain varies across industry sectors – based on the pervasiveness of metals in the manufacturing process. Minerals are sourced not only by technology companies, but many manufacturers of products in today’s marketplace. While “mining” may sound like an antiquated fulfillment process in today’s digital age, the reality is that 3TG minerals can be used in many everyday consumer products including: hearing aids, pacemakers, GPS, mobile phones, fishing weights, cosmetics, dart tips and golf club heads. Even the vibration from your ubiquitous cell phone can be derived from a 3TG mineral.

The corporate governance changes driven by Section 1502 require certain manufacturers to provide full transparency on whether 3TG minerals are present in their products, to audit their supply chains, and to report conflict minerals status for sourcing from the Democratic Republic of the Congo and adjoining countries (the “Covered Countries”) in scope for Dodd-Frank. The objective is to confirm whether the sourcing of the minerals directly or indirectly financed or benefited armed groups in the Covered Countries.

What is Required?

Under Dodd-Frank, companies are required to submit an annual conflict minerals report to the SEC if they both (1) are required to file reports with the SEC under the Exchange Act of 1934 and (2) use conflict minerals that are necessary to the functionality or production of a product they manufacture or contract to have manufactured. That sounds simple, but the reality is far from simple, and it creates sourcing complexity for supply chain management.

The reporting requirements oblige the organization to have conducted a thorough review of its products and processes, including the controls within the manufacturing process. U.S. manufacturers may determine that they are in scope because a product obviously contains 3TG that meets the “necessary to the functionality” definition, but they can also be affected by how they outsource or source the manufacturing of a product. A manufacturer that exerts influence over the manufacturing process, or that specifically contracts to have a product manufactured for itself, can trigger the conflict minerals requirements.

While manufacturers are assessing and implementing their own internal compliance programs, organizations will start to see Conflict Minerals Reports that manufacturers have filed with the SEC regarding their status. Sourcing and procurement organizations will begin to integrate conflict minerals compliance into their supplier risk management strategies. Consumer advocacy groups are highlighting progress toward conflict-free sourcing as a key objective for consumer goodwill and corporate governance.

Understanding the scope of effort required to achieve conflict-free sourcing is quite challenging for those not deeply involved in supply chain analysis. Traditional vendor risk management or third party service provider oversight focuses more on the risk management and risk controls in place at the supplier. Assessing the adequacy of an organization’s approach to conflict minerals compliance requires a more nuanced understanding of the rules, the exceptions, and the triggers for external audit assurance obligations.

Recent court rulings about the constitutionality of the requirements and the overall costs of compliance have increased concern for the pending timelines. Manufacturers that have identified 3TG in their products are beginning to file reports for the June 2014 SEC deadline. Organizations that need to comply will need to not only build their conflict minerals supply chain compliance program, but integrate the requirements into their overall third party risk management program.

Based on lessons learned, and summaries of industry approaches, here are highlights in five key focus areas on how to assess or refine building a supply chain compliance program to address conflict minerals compliance.

Product Scoping

A starting point within the product scoping effort is to assess the commodity groups used within the organization as components of the final manufactured product. Clearly defining “in scope” and “out of scope” product parameters, based on the criteria established by the SEC, can reduce the number of suppliers that need to be assessed. A key differentiator is that the use of the minerals must be inherently functional to the product, and not purely decorative. Sourcing from recycled or scrap materials is deemed out of scope. Packaging materials are also considered out of scope, along with stock product purchased from an outside supplier with no customization by the manufacturer.

After validation of the set of commodity products that must be assessed, including identification of risk factors, the manufacturer will identify the subset of suppliers to be surveyed. The primary outcome of the product scoping effort is to identify the set of commodity products that have the potential or likelihood to contain a 3TG mineral.

Assessing the Supply Chain

The process to assess the supply chain and to conduct reasonable country of origin inquiries is challenging, as sourced materials do not come with a simple bar-coded “Made in a Covered Country” label. Metals are produced from ores through a smelting process. Conflict minerals supply chain assessments require organizations to trace the origin of the source material not only to the smelter that processed the materials, but back to the mine itself, to determine whether that mine is financing the conflict in a Covered Country. Depending on the results of the assessments, SEC reporting requirements may trigger external audits of the due diligence process.

When sending a survey or questionnaire to suppliers, it is important to provide context for the request to ensure accuracy in the responses. The Conflict-Free Sourcing Initiative (“CFSI”) and the Electronic Industry Citizenship Coalition and Global eSustainability Initiative (“EICC-GeSI”) created industry standard templates for assessing suppliers regarding the identification of 3TG minerals and the smelters that processed them; the suppliers of the commodities identified during product scoping are then surveyed with those templates.

Reasonable Country of Origin Analysis

A critical aspect of the due diligence for conflict minerals supply chain compliance is to conduct a reasonable country of origin analysis. Based on the supplier response to the CFSI questionnaire, the country of origin of the minerals should be identified at the smelter level. Each country may have a high, medium, or low risk status based on the potential for the country to have sourced minerals from the Covered Countries in Africa. The Conflict-Free Smelter (CFS) Program, developed by EICC and GeSI, enhances an organization’s capability to verify the responsible sourcing of materials. Further details of the CFS Program can be found at http://www.conflictfreesmelter.org.

CFSI maintains a list of “certified” smelters that have been vetted to confirm that they are not funding the conflict. Because of the volume of manufacturers assessing their supply chains, suppliers are working with CFSI on an ongoing basis, so the list of approved smelters is dynamic. Organizations are obligated to investigate any “red flags” they uncover during the supplier assessment process, based on standards created by the Organisation for Economic Co-operation and Development (OECD), to demonstrate that they are performing appropriate oversight and monitoring of supplier responses.

Manufacturers should establish a target response rate as part of the conflict minerals sourcing initiative for receiving completed supplier responses. It is not sufficient to assess only the direct supplier, but all the sub-suppliers that are used to procure source minerals that could have been provided to the manufacturer. Based on the results of the due diligence, the manufacturer should be able to establish their position or filing status for the SEC.

Governance Programs

Conflict minerals compliance is not a one-time supply chain or vendor risk management event. Compliance requirements need to be integrated into the organization’s sourcing, vendor risk, and compliance teams as part of developing the governance model. A compliance program for conflict minerals needs to include not only the governance model, but a Conflict Minerals Policy published on the manufacturer’s web site and communicated to suppliers. Like most aspects of third party risk, there are due diligence obligations for each phase of the supplier lifecycle. Change management is critical within conflict minerals compliance: new trigger points need to be conveyed by contract if a commodity goods supplier changes or modifies the sourcing of the mineral.

SEC Reporting & Audit Considerations

Based on the nature of an organization’s sourcing determination, an external audit may need to be performed to confirm the adequacy of the due diligence effort. If the publicly traded manufacturer has reason to believe that any of the conflict minerals in their supply chain may have originated in the Covered Countries, or if they are unable to determine the country of origin of those conflict minerals, then the organization must exercise due diligence on the conflict minerals’ source and chain of custody.

Annually, a report called the Conflict Minerals Report (CMR) must be submitted to the SEC that includes a description of those due diligence measures. Due to the complexity of the chain of custody, many organizations may initially have to file their conflict minerals status as “undeterminable”, a status that the SEC rules allow during the initial years of filing. As organizations continue to follow the trail of the 3TG minerals, conflict minerals reports will be updated and filed by a diverse set of publicly held companies.

While third party risk and subcontractor risk have been the most common themes of recent guidance from prudential regulators, deciphering the 3TG in Dodd-Frank has created a new aspect of supply chain vendor risk management. Corporate governance and ethical business practices are not just an internally focused policy and employee program; they extend into the supply chain, creating new requirements for organizations to develop tools and processes for third party risk assurance.

Linnea Solem is the Chair of the Shared Assessments Program and is Chief Privacy Officer, Vice President Risk and Compliance for Deluxe Corporation. Linnea is a management professional with 20+ years of financial services experience in areas including eCommerce, technology, business development, marketing, information practices and risk management. She is a Certified Information Privacy Professional and led Deluxe’s compliance initiatives for Y2K, GLB, Check 21, and Red Flags legislation. You can connect with Linnea on LinkedIn.

Reposted with permission from Deluxe Blogs

Finding the 3TG in Dodd-Frank...

06-12-2014

Part I in a Two Part Series

The Dodd-Frank Act put consumer protection into the headlines with the creation of the Consumer Financial Protection Bureau (CFPB), triggering a large restructuring of consumer financial laws and regulations. However, not all parts of Dodd-Frank deal with the marketing practices of financial services companies. Dodd-Frank is the shortened name of the “Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010”, and it contains significant provisions related to corporate governance. While the financial and capital provisions are getting the headlines in finance boardrooms, compliance teams in many publicly traded companies are preparing for initial Securities and Exchange Commission (SEC) filings related to Section 1502 of the Dodd-Frank Act, which deals with conflict minerals.

As the simplest starting point for understanding conflict minerals, I started with the Wikipedia definition: conflict resources are natural resources extracted in a conflict zone and sold to perpetuate the fighting. The concept is broad, due to the nature of international trade and the difficulty of monitoring the sourcing of minerals from specific countries. In the case of Dodd-Frank, conflict minerals are defined as cassiterite, columbite-tantalite, gold, wolframite, and their derivatives, which are limited to tin, tantalum, tungsten, and gold (“3TG”).

While visions of raw materials and mines evoke historical references and movie scenes, the reality is that 3TG minerals can be used in many everyday consumer products including hearing aids, pacemakers, GPS units, mobile phones, fishing weights, cosmetics, dart tips and golf club heads. Even the vibration from your ubiquitous cell phone can be derived from a 3TG mineral.

The corporate governance changes driven by Section 1502 require full transparency from certain manufacturers: they must provide assurance on whether 3TG minerals are present in their products, audit their supply chains, and report conflict minerals sourced from the Democratic Republic of the Congo and adjoining countries (the “Covered Countries”).

What’s Required?

Under Dodd-Frank, companies are required to submit an annual conflict minerals report to the SEC if both of the following apply:

      1. They are required to file reports with the SEC under the Securities Exchange Act of 1934.
      2. Conflict minerals are necessary to the functionality or production of a product that they manufacture or contract to have manufactured.

That sounds simple, but the reality is far from simple, and it creates sourcing complexity for supply chain management.

The reporting requirements oblige the organization to have conducted a thorough review of its products and processes, including the controls within the manufacturing process. U.S. manufacturers may determine that they are in scope because a product obviously contains 3TG that meets the “necessary to the functionality” definition, but they can also be affected by how they outsource or source the manufacturing of a product. A manufacturer that exerts influence over the manufacturing process, or that specifically contracts to have a product manufactured for itself, can trigger the conflict minerals requirements.

The process to assess the supply chain and to conduct reasonable country of origin inquiries is challenging, as sourced materials do not come with a simple bar-coded “Made in a Covered Country” label. Metals are produced from ores through a smelting process. Conflict minerals supply chain assessments require organizations to trace the origin of the source material not only to the smelter that processed the materials, but back to the mine itself, to determine whether that mine is financing the conflict in a Covered Country. Depending on the results of the assessments, SEC reporting requirements may trigger external audits of the due diligence process.

The industry cost of conflict minerals compliance is estimated to be in the billions as manufacturers work to assess the usage of 3TG in their products and supply chains. Initial filings are required by the end of May for the June 2014 effective date; however, due to the complexity, many organizations may initially have to file their conflict minerals status as “undeterminable”, a status that the SEC rules allow during the initial years of filing. As organizations continue to follow the trail of the 3TG minerals, conflict minerals reports will be updated and filed by a diverse set of publicly held companies.

The elevator speech version is that conflict minerals compliance is a lot like “Blood Diamonds” but without the blockbuster movie version. Finding the 3TG in your organization, if applicable, is an important first step in Dodd-Frank compliance. Check out Part II of this blog to learn how to assess and review adequate reporting and build compliance programs in supply chain management for conflict minerals compliance.

Linnea Solem is the Chair of the Shared Assessments Program and is Chief Privacy Officer, Vice President Risk and Compliance for Deluxe Corporation. Linnea is a management professional with 20+ years of financial services experience in areas including eCommerce, technology, business development, marketing, information practices and risk management. She is a Certified Information Privacy Professional and led Deluxe’s compliance initiatives for Y2K, GLB, Check 21, and Red Flags legislation. You can connect with Linnea on LinkedIn.

Reposted with permission from Deluxe Blogs

Breach Response 101: Educate Y...

06-02-2014

Between the Q1 market response to retailer breaches and the Heartbleed Bug Vulnerability, organizations of all sizes are assessing and reviewing their internal and external incident management policies, standards and procedures. The pace at which incidents can go viral requires communication to be coordinated at all levels within an organization. A challenge for many companies is helping executives understand the scope and type of privacy and security incident response plans their organizations maintain and the extent to which they are tested and updated.

Risk committees, audit committees, and boards of directors likely all have different perceptions and understandings of what procedures exist. However, when CFOs and CEOs are required to testify before Congress, with televised and internet coverage, they need more than talking points when speaking to incident response.

While most organizations have specific organizational readiness plans for different types of incidents, executives are likely more familiar with the differences between disaster recovery and business continuity plans, than the subtle nuances between security incident response, crisis communication, and incident notification.

Keep it Simple: Structure key messages on the types of incident processes and key concepts that exist within your incident management program

Develop an education plan for all levels of management to identify and differentiate the common components included within incident management processes. Create the elevator pitch and succinct definition of the key components in your incident management approach so that all levels of management can describe in simple statements what processes exist.

  • Understand the Basics of Security Incident Response Plans
    Purpose: Quickly respond to a suspected or detected breach to protect sensitive data and information
  • Explain the scope and nature of Crisis Communication Plans
    Purpose: Ensure a timely, effective communication response to an incident that protects the brand and business
  • Incident Notification Procedures
    Purpose: Understand and follow all notification obligations and requirements following a privacy or security incident

Effective incident management is based on an incident lifecycle and requires integration between multiple processes. A common misperception is that incident response is a straightforward and sequential process. The reality is that privacy and security incident management requires three dimensional thinking and close coordination and communication between all participants in each process.

(Figure: Breach Response graphic)

Conduct Lessons Learned Events

Most organizations conduct periodic tabletop exercises or testing of their incident response plans. However, sometimes the best learning is by experience, either from real-life incidents, or from taking examples that went well and doing the “what if?” comparison of how things could have gone differently. Practicing or discussing the linkages between plans helps you mature your incident management processes throughout the incident lifecycle.

  • Focus on your crown jewels – know where your biggest risks are, and focus your planning on the scenarios that could have the biggest impact
  • Follow your data – know where your data is, and who is accountable for security, operations, and management
  • Don’t forget about social media – PR and communications teams need to be involved not only in “real” events, but in “reel” events, where you practice as if you were filming a movie. With the pace at which news goes public, integrate communications into your test planning
  • Update call trees and escalation processes – Organizations change all the time. Knowing who to notify, who to inform, and how to communicate is critical to success. Make sure you know who is Responsible, Accountable, Consulted, and Informed (RACI) for all phases of incident management.

Linnea Solem is the Chair of the Shared Assessments Program and is Chief Privacy Officer, Vice President Risk and Compliance for Deluxe Corporation. Linnea is a management professional with 20+ years of financial services experience in areas including eCommerce, technology, business development, marketing, information practices and risk management. She is a Certified Information Privacy Professional and led Deluxe’s compliance initiatives for Y2K, GLB, Check 21, and Red Flags legislation. You can connect with Linnea on LinkedIn.

Reposted with permission from Forward Banker

A Look at the Maturity of Vend...

05-29-2014

Key Findings from the Shared Assessments and Protiviti Benchmarking Study

by Brad Keller, SVP and Program Director, The Santa Fe Group/Shared Assessments, and Rocco Grillo, Managing Director, Protiviti

As the volume of outsourced products and services has surged in recent years, so, too, have the risks associated with vendors and third party providers. This is occurring in highly regulated industries such as financial services and healthcare; in media and retail, as seen in recent news; as well as in any organization that is relying on third party vendors to manage operations and processes. These vendors include not just data management, IT and security providers, but also facilities management (cleaning, HVAC) along with any vendor that may have access to your network, data or facilities.

The list of standards and regulations with third party risk implications is long: Consumer Financial Protection Bureau (CFPB) regulations, ISO 27001/2, PCI Security Standards Council’s data security standards, Office of the Comptroller of the Currency (OCC) Third Party Risk Guidance, and NIST’s Cybersecurity Framework. The urgency to address this risk is further driven home by recent massive and highly publicized security breaches at several large companies, and the resulting public and regulatory scrutiny of the way personal data is managed in a global IT environment.

“You can have all the security in the world inside your company’s four walls, but all it takes is a compromise at one third party vendor that’s connected to you. This creates a bridge directly into your organization.” Rocco Grillo, Protiviti Managing Director and Shared Assessments Program Steering Committee member

Despite this environment, for most organizations, understanding vendor risk and how to manage it appropriately has thus far been more art than science. This is changing in part with the development of the first comprehensive Vendor Risk Management Maturity Model (VRMMM) by the Shared Assessments Program. The VRMMM sets forth best practices for developing a comprehensive third party risk program and allows a company to evaluate its program’s maturity against development goals.

The Shared Assessments Program recently partnered with Protiviti, a global consulting firm, to conduct a third party risk management benchmarking study based on this maturity model. Nearly 450 respondents, including C-suite executives, as well as IT, internal audit and IT audit vice presidents and directors, participated in our study.

“If you’re outsourcing to or relying on a third party, you can’t just shut the door and say it’s someone else’s problem. You can outsource the function but you ultimately own the risk. If a third party doesn’t have the same controls in place or the level of controls you need from a risk management standpoint, you have a serious risk to address.” Brad Keller, Senior Vice President & Program Director, The Santa Fe Group (which manages the Shared Assessments Program)

The results of our survey revealed some interesting trends:

  • Financial services organizations tend to have relatively mature vendor risk management programs compared to other companies – This is not a surprise given the highly regulated nature of the financial services industry.
  • Organizations in the insurance subset are at a lower level of maturity in their vendor risk management compared to the financial services set – This finding is a surprise given that the insurance industry also is highly regulated. The results suggest there is substantial room for growth among insurance organizations.
  • Notable areas for improvement include program governance, and policies, standards and procedures – while there is no standard, “one-size-fits-all” approach to vendor risk management given the nuanced differences between different industries and organizations, having mature program governance capabilities, as well as established policies, standards and procedures for vendor risk management, are considered fundamental steps. These two areas should serve as the foundation for establishing effective vendor risk management practices in other areas. Yet the survey results show that most organizations are no more advanced in these critical areas than they are in other components of vendor risk management.

Brad Keller is Senior Vice President & Program Director with the Santa Fe Group (which manages the Shared Assessments Program) and Rocco Grillo is a Managing Director with Protiviti, a global consulting firm, and is a Shared Assessments Program Steering Committee member. This article is adapted from the 2014 Vendor Risk Management Benchmark Study, a survey from Shared Assessments and Protiviti to assess the current state of vendor risk management in organizations, as measured against the Shared Assessments Vendor Risk Management Maturity Model. For more information, visit www.sharedassessments.org or www.protiviti.com/vendor-risk.

A Critical Need in Any Busines...

yadzinski 05-28-2014

With the release of ISO 27001:2013, users will be inundated with a multitude of new information, requirements, and terms related to the standard. One critical subject area likely not addressed much in any communication is supply chain management.

Supply chain management is a very critical aspect of a good Information Security Management System (ISMS). Far too few companies are giving it sufficient attention, or worse, companies are leaving it on the back burner and not recognizing it at all.

There is a growing concern about the continued increase in higher business environment volatility that continually makes the task of managing global supply chains tougher every day. Changes over the last few years in the social, political, technology, environment, and economic domains around the world, suggest that the business landscape and paradigm of supply-chain management has transformed permanently.

Uncertainty is the road block to flawless execution. We need global continuity.

ISO/IEC 27001 has requirements under Annex A.15, Supplier Relationships, that relate to “Information security in supplier relationships” and “Supplier service delivery management”. Additionally, there are requirements under clause 4.2, “Understanding the needs and expectations of interested parties”. Clause 3.02 of the ISO/IEC Directives, Part 1 (Annex SL, the guidance against which all new management system standards are written) defines an interested party (admitted term: stakeholder) as a person or organization (3.01) that can affect, be affected by, or perceive itself to be affected by a decision or activity.

Not implementing a supplier program to evaluate and develop the supply chain could be a costly oversight.

Consider the following released by the World Economic Forum:

  • The study showed that more than 90% of industry experts surveyed believe that supply chain and transport risk management are greater priorities in their companies today than five years ago. According to that same study, natural disasters were the cause of 59% of uncontrollable supply chain disruptions. Yet amazingly, 46% of disruptions that are considered to be influenced by outside forces came from conflict and political unrest.
  • Nearly three-quarters of risk managers say their companies’ supply chain risk levels have continued to increase since 2005. This is according to Marsh’s survey of 110 risk managers, conducted in cooperation with Risk & Insurance magazine. Not only has risk gone up, but 71% report that the financial impact of supply chain disruptions has also increased—damaging bottom lines, customer retention, and brand equity. Perhaps most concerning, not a single respondent said that their company is highly effective at supply chain risk management today, and just 35% said they were moderately effective.

Four key takeaways from the survey bring light to the task at hand:

  • Create a cross-functional supply chain risk team that looks end-to-end.
  • Embed risk management activities and responsibilities into existing supply chain processes and functions; create consistency across the organization.
  • Build up analytics and risk metrics.
  • Extend the risk manager role.

It is undesirable for organizations to force their own approach to business continuity management (BCM) down their supply chains. While a supplier can run different quality systems to meet the requirements of its customer base, it cannot run different, and possibly conflicting, BCM systems, which will be used during a disruption at a time when tensions are high. This was one of the principal drivers for establishing BCM standards in the UK.

A recent story published in the Wall Street Journal titled “Cybersecurity Due Diligence Key in M&A Deals” (Ensign, 2014) brings to our attention one of the hidden risks that may not be considered during mergers and acquisitions: “Firms need to vet the cybersecurity defenses of those they do business with, a former top prosecutor said. ‘When you buy a company, you’re buying their data, and you could be buying their data-security problems.’” (Ensign, 2014)

Businesses need to support and conduct supply chain vulnerability audits, formulate more detailed risk mitigation strategies, and transfer that analysis to actionable business continuity plans.

References:
Ensign, R. L. (2014). Cybersecurity Due Diligence Key in M&A Deals. Wall Street Journal.
World Economic Forum (2012). Global Risks 2012, in collaboration with Marsh & McLennan Companies, Swiss Reinsurance Company, Wharton Center for Risk Management, University of Pennsylvania, and Zurich Financial Services.
Marsh (2008). Stemming the Rising Tide of Supply Chain Risks, April 15, 2008.

Shared Assessments Steering Committee member, John DiMaria, BSI Group America, Inc., is a BSI Certification Portfolio Expert, Six Sigma Black Belt, certified Holistic Information Security Practitioner (HISP), and Master HISP with over 28 years of successful experience in Management Systems and international standards. Connect with John on LinkedIn.

Notice: The statements within this article are the independent views and opinions of the author and not necessarily those of the management of BSI Group America, Inc.

Press Release: Experts Cite Se...

05-20-2014

PRESS RELEASE
Contact: Lisa MacKenzie, MacKenzie Marketing Group, 503-705-3508,
lisam@mackenzie-marketing.com or Kelly Stremel, kellys@mackenzie-marketing.com

Experts Cite Security Gaps in Current Third-Party Risk Management Practices

Vendors and Service Providers are Top Targets for Data Breach Attacks;
Experts Suggest Best Practices to Move from Risk Management to Risk Assurance

Santa Fe, NM — May 20, 2014 — Sophisticated networks of criminals are penetrating databases with new and complex methods, putting systems that maintain high-value data such as personally identifiable information or operational and systems data at high risk of breach. Third-party service providers that warehouse terabytes of high-value data have become the latest target and the weakest link in risk management strategy. In fact, the latest benchmarking study—the 2014 Vendor Risk Management Benchmark Study—by Shared Assessments and global consulting firm Protiviti reveals serious vulnerabilities and security risks to organizations that emerge from outsourcing and partnering with third-party vendors. The study examines the maturity of organizations’ current vendor risk management programs and finds significant risk gaps between companies and their vendors. To download a complimentary copy of the report, please visit https://sharedassessments.org/2014-benchmark-study

How can organizations manage data security risks that lie outside their control? As evidenced by the study, the vendor management landscape needs to move from risk management to risk assurance, a core topic at this week’s Shared Assessments Summit 2014.

Managing Third-Party Risks and Prevention Strategies
Shared Assessments asked top industry experts to comment on risk management trends, best practices, and prevention strategies to manage the risks associated with third-party service providers. Shared Assessments also provides risk management Tools, including the Vendor Risk Management Maturity Model (VRMMM), a tool organizations use to measure the quality and maturity of their existing risk management programs.

“The best way to prevent a data breach is to have a robust program to assess how your vendors are managing data risks. That’s the only control you have.”
-Catherine A. Allen, chairman and CEO, The Santa Fe Group.

“The combination of data breach occurrences, managing third-party risks, and regulatory scrutiny are increasing organizations’ liability and responsibility. With data breach cybersecurity looming and so much at stake, the onus is on organizations—especially in healthcare, retail, and financial industries—to get their third-party risk programs in shape.”
-Jonathan E. Dambrot, Shared Assessments Program vice-chair and managing director, Prevalent Networks

“Vendors and service providers have an ‘EZ-Pass’ into companies’ network environments and are often granted access to the most sensitive data. When outsourcing or partnering, companies need to exercise vendor due diligence the same way they would safeguard critical assets and sensitive data in their own possession. Companies can outsource the function but cannot outsource the risk.”
-Rocco Grillo, managing director and global leader for incident response and forensic investigations, Protiviti

“Continually assessing vendor program and related controls is one of the best ways to reduce uncertainty around managing third-party risks.”
-Mark Holladay, chief risk officer, Synovus Financial Corporation

“The best risk management program within an organization means nothing if compliance is outsourced along with production. Risk management must extend to organizations’ vendors to drive a full-fledged governance program.”
-Kenneth P. Mortensen, Esq., attorney and counselor at law; privacy, cybersecurity, and governance counselor

“As a service provider to financial institutions, we find that it’s no longer adequate to have a static strategy for managing risks. The threat landscape changes so quickly, requiring a dynamic approach to managing risk along the entire value chain of all third-parties that can be a weak link.”
-Paul B. Poh, vice president, technology investment services, FISERV, Inc.

“Companies need to do more than simply ‘duck and cover’ in this age of cyberwar. Company-wide systems, training, and doctrine are crucial for many current and evolving cyber-threats, but will not be sufficient for threats emanating from a State or state-sponsored actor. As threats are becoming more global, companies need accurate and timely information to think and act proactively, giving them the ammunition to organize and push for the right changes to be made in U.S. policy.”
-Dr. Samantha Ravich, executive, senior advisor, The Chertoff Group

“Assessing and managing vendor risk is not a “once and done” effort, but an ongoing process for third-party risk at each phase of the lifecycle of the third-party relationship, from on-boarding to ongoing monitoring, to exit strategies. Mature programs should adopt a federated approach that brings together all of the parts of an organization that play a role in third-party risk management, to drive a holistic approach to vendor risk assurance.”
-Linnea Solem, Shared Assessment Program Chair, and chief privacy officer, vice president risk and compliance at Deluxe Corporation

“The regulators have made it clear that from an ownership perspective there’s virtually no distinction between first- and third-party data risk. In that environment, market and supplier vigilance is no longer a luxury—it’s a necessity.”
-Atul Vashistha, founder and CEO, Neo Group

About the Shared Assessments Program
The Shared Assessments Program is the trusted source in third-party risk management, with resources to effectively manage the critical components of the vendor risk management lifecycle, creating efficiencies and lowering costs for all participants. The Program is kept current with regulations, industry standards and guidelines, and the current threat environment, and is adopted globally across a broad range of industries both by service providers and their customers. Through membership and use of the Shared Assessments Program Tools (the Agreed Upon Procedures, Standard Information Gathering questionnaire and Vendor Risk Management Maturity Model), Shared Assessments offers companies and their service providers a faster, more efficient and less costly means of conducting rigorous assessments of controls for IT and data security, privacy and business continuity. The Shared Assessments Program is managed by The Santa Fe Group (www.santa-fe-group.com), a strategic consulting company based in Santa Fe, New Mexico.

Press Release: Survey Reveals ...

05-19-2014


Editor Contact:

For Protiviti:
Kathy Keller
(650) 234-6252
kathy.keller@protiviti.com

For Shared Assessments:
Lisa MacKenzie, MacKenzie Marketing Group
503-705-3508, lisam@mackenzie-marketing.com or
Kelly Stremel, kellys@mackenzie-marketing.com

FOR IMMEDIATE RELEASE

Survey Reveals Significant Risk Gaps between Companies and Their Vendors, According to Study from Protiviti and Shared Assessments

Shared Assessments and Protiviti benchmark current industry practices and find serious vulnerabilities; improvements needed in governance, policies, standards, and procedures

SANTA FE, N.M. and MENLO PARK, Calif. – May 19, 2014 – Organizations are failing to adequately address information technology and security risks that emerge from outsourcing and partnering with third-party vendors, according to a new survey by Shared Assessments Program and global consulting firm Protiviti that examines organizations’ current vendor risk management programs.

Despite the extensive range of standards and regulations in the business environment today, and the need for increased vigilance due to highly publicized data breaches and cyber threats, the benchmarking study, titled 2014 Vendor Risk Management Benchmark Study, found that companies lack mature vendor risk management practices and do not have the necessary resources and staff to meet best practice standards.

“Managing the risks associated with outsourced services and vendor relationships is one of the many challenges facing organizations when it comes to data security,” said Rocco Grillo, a managing director with Protiviti and the firm’s global leader for incident response and forensic investigations. “Many companies aren’t adequately or effectively protecting themselves from exposure to vendor outsourcing risks. This could result in their potential exposure to system compromise, fraudulent abuse of data and, in some cases, regulatory exposures and fines, which could have significant impact on their brands and reputations.”

Nearly 450 IT and risk management professionals rated their organizations on the Vendor Risk Management Maturity Model (VRMMM), a best practice tool from Shared Assessments that measures the quality and maturity of an existing risk management program. Respondents scored more than 100 characteristics about their organizations’ vendor risk management strategies on a maturity scale of 1 to 5 (lowest to highest) across eight categories (average scores shown below):

  • Program Governance (2.9)
  • Policies, Standards and Procedures (2.9)
  • Contracts (3.0)
  • Vendor Risk Identification and Analysis (2.7)
  • Skills and Expertise (2.3)
  • Communication and Information Sharing (2.6)
  • Tools, Measurement and Analysis (2.4)
  • Monitoring and Review (2.9)

“While the needs to manage vendor risk vary by specific company profile and needs, we found that organizations are still falling short of best practice recommendations,” said Catherine Allen, chairman and CEO of The Santa Fe Group, which manages the Shared Assessments Program. “The increased use of third parties could create a wider gap for risk managers that can only be addressed through closer attention to consistency in policies, procedures and governance. Failing to include the necessary components may result in vendor risks going undetected, with potentially devastating results.”

Key Findings from the Survey

  • Financial Services Organizations Outperform Other Industries. Although all companies had ratings that were below the desired range, the financial services industry had more mature risk management programs across key categories than other sectors. This is largely driven by stricter guidelines for companies in the sector and by the highly regulated nature of the industry.
  • Lackluster Procedures for Assessing Vendors. Organizations fail to have mature processes in place for reviewing vendors periodically through the course of an engagement, as well as for establishing criteria and process around the end of a vendor relationship. Given the potential risk involved with third parties, companies should have stronger policies and guidelines to ensure they are protected at the beginning of an engagement, through the course of the relationship via ongoing risk reviews, and during the exit process.
  • A Need for Training, Staffing and Resources. Companies don’t spend enough time assessing their own skill sets and deficiencies in terms of vendor risk management – nor are they proactive about training and improving areas where employees’ knowledge is inadequate. The overall investment in resources to better manage vendor risk is below average for most companies.

Resources Available to Learn More

The 2014 Vendor Risk Management Survey precedes the seventh annual Shared Assessments Summit, to be held in Boston on May 19 – May 21, 2014. Protiviti’s Rocco Grillo will be a panelist in the session titled, “Shared Assessments Program 2014: Moving Beyond the Tools” on Tuesday, May 20.

Additionally, Protiviti will host a complimentary webinar, led by Grillo and Brad Keller, senior vice president and program director of The Santa Fe Group (which manages the Shared Assessments Program), to discuss the results of the survey on June 3, 2014, at 10:00 a.m. PDT. They will be joined by guest speaker Tom Garrubba, senior privacy manager with CVS Caremark. To register, visit www.protiviti.com/vendor-risk. Grillo and Keller have also recorded a podcast in which they offer insights into what companies can do to raise their vendor risk management maturity levels.

To download a complimentary copy of the survey report, 2014 Vendor Risk Management Benchmark Study, please visit: https://sharedassessments.org/2014-benchmark-study/. The site also hosts an infographic of the survey’s highlights and a benchmarking tool to compare the user’s results to the survey respondents’ results.

About the Shared Assessments Program
The Shared Assessments Program is the trusted source in third-party risk management, with resources to effectively manage the critical components of the vendor risk management lifecycle, creating efficiencies and lowering costs for all participants. The Program keeps current with regulations, industry standards and guidelines, and the current threat environment. It is adopted globally across a broad range of industries, both by service providers and their customers. Through membership and use of the Shared Assessments Program Tools (the Agreed Upon Procedures, Standard Information Gathering questionnaire and Vendor Risk Management Maturity Model), Shared Assessments offers companies and their service providers a faster, more efficient and less costly means of conducting rigorous assessments of controls for IT and data security, privacy and business continuity. The Shared Assessments Program is managed by The Santa Fe Group, a strategic consulting company based in Santa Fe, New Mexico.

Shared Assessments Program members are national and international organizations of all sizes that understand the importance of comprehensive standards for managing third-party risk. They include financial institutions, healthcare organizations, energy/utility providers, retailers and telecommunications companies. They are service providers of all sizes, consulting companies, and assessment firms. They are the best in their class, members of a global community of vendor risk management professionals who understand the value of implementing efficient and effective industry-standard practices.

About Protiviti

New York To Examine Cybersecur...

05-09-2014


Citing the growth in cyber-attacks against financial institutions of all levels, the New York State Department of Financial Services (“DFS”) announced Tuesday that it will begin examining institutions for cybersecurity preparedness.

In 2013 DFS initiated a study to determine how well institutions’ information security frameworks were addressing the need for enhanced cyber security protections. The study focused on: “corporate governance around cyber security; use and frequency of penetration testing and results; budget and costs associated with cyber security; the frequency, nature, cost of, and response to cyber security breaches; and future plans on pre-conference workshops at this year’s annual Shared Assessments Summit (scheduled for May 19-21) will focus on how to develop and maintain a strong and effective third party risk management program that satisfies all of the new regulatory requirements.

That all financial institutions need to scrutinize their vendors’ cyber security efforts is a given. What is yet to be seen is whether other states will follow New York’s lead and add cyber security to their examinations as well. If they do, institutions in those states can count on Shared Assessments to help them address these concerns.

Santa Fe Group Consultant and Shared Assessments Program Director, Brad Keller, has more than 25 years of experience developing and leading risk management and third-party risk assessment programs. Brad is responsible for the development of the Shared Assessments Program’s Tools and key partnerships. Follow Brad on Twitter at @sfgbrad or on LinkedIn.

Heightened Expectations, Cyber...

04-30-2014


The first quarter of 2014 has been marked by an increasing focus on the board’s role in risk management, not just in the financial services industry (where in January the OCC issued proposed rules detailing how a board of directors should oversee risk ((OCC Guidelines Establishing Heightened Standards for Certain Large Insured National Banks, Insured Federal Savings Associations, and Insured Federal Branches; Integration of 12 CFR Parts 30 and 170, January, 2014))) but more widely in other vertical sectors. As The Conference Board noted in its March 2014 Director Notes ((“The Board’s Role in Cybersecurity”, Director Notes, The Conference Board, March, 2014)), 2013 was the year when the increasingly evident consequences of cybersecurity risks – financial and reputation loss, operational disruption, legal liability, and competitive disadvantage – forced oversight of cybersecurity risk from the IT department to the boardroom. While a shift to greater board involvement in risk management is appropriate, it comes with at least two notable risks.

These board-related risks are most evident in the banking business, where the clear trend is to ask boards to play a larger and larger risk management role. In fact the OCC’s proposed January language uses wording that’s unusual as it relates to board roles, including provisions calling for boards to “ensure that the bank establishes and implements an effective risk governance framework…provide active oversight of management…to question, challenge, and when necessary, oppose recommendations and decisions made by management that could cause the bank’s risk profile to exceed its risk appetite or jeopardize the safety and soundness of the bank.” ((See “Standards for Boards of Directors,” Proposed OCC Guidance, in Appendix A)) That’s strong and unusually detailed language, and, as many observers have said, it seems to go well beyond the board’s traditional oversight function. While the guidelines will formally affect only a limited number of the country’s larger national banks, those are the banks that have generated the headlines around data breach, denial-of-service attacks, and other risk management lapses.

The OCC’s proposed guidance raises two key questions:

  • How far should the board go in fulfilling its role to “ensure” (that is, make certain) that management implements an effective risk governance framework, potentially usurping the traditional role of senior management?
  • What kind of incremental liability would these new requirements impose on board members, and is it enough to have an impact on directors’ willingness to serve?

Every board has the responsibility to oversee management and organizational performance, but at what level should that oversight occur? Boards micromanage solutions at their own peril. Boards, on the other hand, clearly should hold senior management responsible for the demonstrated effectiveness of solutions that management proposes, in this case the effectiveness of a risk management governance framework recommended by senior management and approved by the board. If a risk management framework proves to be ineffective, the traditionally effective board role would be to question senior management about the process through which the framework was developed and the competency of individuals who oversaw development. It is not the board’s role to develop an alternative risk management framework. The OCC’s current proposed guidance does little to sharpen the line between board and senior management roles, and arguably blurs it.

When regulators are perceived to push board members into “active oversight of management, questioning, challenging, and where necessary opposing…decisions made by management” ((See “Standards for Boards of Directors,” proposed OCC Guidance, in Appendix A)) around a specific issue, they change the nature of traditional board oversight. Under these circumstances, especially in the glare of regulatory oversight, there is increased risk that board members may elect not to serve. In fact, in April 2014, the American Association of Bank Directors reported that Directors and Officers (D&O) insurance carriers have refused to cover regulatory risk for an increasing number of banks, and that almost a quarter of survey respondents said they had either lost a director, been refused by a prospective new director, or had directors decline to serve on specific committees because of liability concerns. ((“AABD Survey Results – Measuring Bank Director Fear of Personal Liability,” April, 2014, American Association of Bank Directors.))

However well-intentioned the proposed OCC guidance may be, the rule of unintended consequences provides a caution not just in banking, but in other critical infrastructure verticals where cyber and other operational risk issues are taking on potential headline significance. And in areas outside of banking, where cyber/data security risks may not be as well understood at the c-suite and board levels, there will be a steep learning curve (the just released “Excellence in Risk Management XI” ((Special Report: Excellence in Risk Management XI – Risk Management and Organizational Alignment: A Strategic Focus, April 2014, Marsh)) survey found that risk professionals ranked data security as their number one top risk in 2014, while c-suite respondents in the same survey group did not even put that issue on their top ten risk list). Settling on the proper roles for the board and senior management in risk management must be an immediate priority, and industry clearly needs to increase the level of discussion around this topic before events overtake us.

Appendix A

Proposed OCC Guidelines Establishing Heightened Standards for Certain Large Insured National Banks, Insured Federal Savings Associations, and Insured Federal Branches; Integration of 12 CFR Parts 30 and 170
III. STANDARDS FOR BOARD OF DIRECTORS
A. Ensure an effective risk governance framework. Each member of the bank’s board of directors has a duty to oversee the bank’s compliance with safe and sound banking practices. Consistent with this duty, the board of directors should ensure that the bank establishes and implements an effective risk governance framework that meets the minimum standards described in these Guidelines. The board of directors or the board’s risk committee should approve any changes to the risk governance framework.
B. Provide active oversight of management. The bank’s board of directors should actively oversee the bank’s risk-taking activities and hold management accountable for adhering to the risk governance framework. In providing active oversight, the board of directors should question, challenge, and when necessary, oppose recommendations and decisions made by management that could cause the bank’s risk profile to exceed its risk appetite or jeopardize the safety and soundness of the bank.
C. Exercise independent judgment. When carrying out his or her duties under III.B each member of the board of directors should exercise sound, independent judgment.
D. Include independent directors. To promote effective, independent oversight of bank management, at least two members of the board of directors should not be members of the bank’s management or the parent company’s management.
E. Provide ongoing training to independent directors. To ensure each member of the board of directors has the knowledge, skills, and abilities needed to meet the standards set forth in these Guidelines, the board of directors should establish and adhere to a formal, ongoing training program for independent directors. This program should include training on:
(i) Complex products, services, lines of business, and risks that have a significant impact on the bank;
(ii) Laws, regulations, and supervisory requirements applicable to the bank; and
(iii) Other topics identified by the board of directors.
F. Self-assessments. The bank’s board of directors should conduct an annual self-assessment that includes an evaluation of its effectiveness in meeting the standards in section III of these

For more than 35 years, Santa Fe Group Senior Consultant, Gary Roboff, contributed his outstanding talents to the financial services industry, and in particular to financial services payments systems. Gary has focused on such issues as privacy and information utilization, business frameworks, changes in the payments and settlement systems, and standards for emerging e-commerce applications. He has chaired the Electronic Funds Transfer Association (EFTA) Board of Directors and was a founder of the International Security Trust and Privacy Alliance (ISTPA), serving as Vice Chair of its Board.

Santa Fe Group CEO, Catherine ...


Santa Fe Group Chairman and CEO, Catherine A. Allen, recently participated in the article, Getting On Board: Seven action steps — accompanied by a big dose of persistence, timing and luck. The article, written by Susan F. Schultz and Robert Barker, appeared in Directors & Boards magazine.

To read the full article, click here.

There’s Plenty of Support fo...

04-18-2014


The need for community banks to be particularly attentive to third party risks was underscored yesterday in a speech by the Comptroller of the Currency, Thomas Curry. Smaller institutions tend to be more dependent on third parties for IT services. Curry noted that reliance on third parties for IT services can be “particularly problematic for community banks and thrifts that may not have the resources or specialized expertise to identify and mitigate” third party risks.

Unfortunately, the supervision of technology service providers by regulators provides limited relief for banks’ third party risk management efforts. While federal regulators have the authority to examine a category of technology vendors, Curry stressed that their supervision “does not take the place of due diligence or ongoing monitoring commensurate with the level of risk and complexity of the arrangement.”

Fortunately, the Shared Assessments Program is well suited to help smaller institutions address their third party due diligence requirements. Shared Assessments Tools and implementation best practices have been under continuous development and refinement since 2005. IT security, privacy and many other risk professionals have contributed their knowledge and expertise in the area of third party risk assessment and management to the Program since its inception. These same professionals keep the Program’s Tools and training current with yearly updates and frequent workshops on current third party risk threats and trends.

Shared Assessments’ robust set of tools and training provides the perfect solution for institutions that do not have the resources to develop and maintain a comprehensive third party risk program. Rather than try to develop and maintain third party questionnaires and onsite assessment procedures, smaller institutions can leverage the expertise and best practices that have been (and continue to be) put into the Shared Assessments Tools for use in their own third party risk programs.

Smaller institutions do not have to go it alone. By joining the Shared Assessments Program they have access to current third party risk management best practices and a network of risk professionals eager to share their experience in addressing third party risks.

Santa Fe Group Consultant and Shared Assessments Program Director, Brad Keller, has more than 25 years of experience developing and leading risk management and third-party risk assessment programs. Brad is responsible for the development of the Shared Assessments Program’s Tools and key partnerships. Follow Brad on Twitter at @sfgbrad or on LinkedIn.

Heartbleed Bug Sparking Concer...

04-11-2014


A newly discovered bug in widely used web encryption technology was uncovered by researchers, prompting an announcement from Homeland Security and other regulatory agencies to review technology environments to determine if the bug posed any potential risk to their customers or data. The bug, named the Heartbleed bug, affected the OpenSSL security library, which is used by millions of websites.

The internet and social media are abuzz over the Heartbleed bug. If you are on Facebook, Twitter, or any other social media channel, it’s impossible to miss the posts and comments. You have to be careful who you take advice from, though, as there is a lot of bad advice out there.
I am not surprised to see such a reaction since we’ve been through so much with the recent data breaches, but the reality is that much of the initial response is creating confusion.
What is the Heartbleed bug?

The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet. SSL/TLS provides communication security and privacy over the Internet for applications such as web, email, instant messaging (IM) and some virtual private networks (VPNs).

The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users. There are known and published fixes to this vulnerability, which is not a design flaw in SSL/TLS, but a vulnerability that can be exploited based on how the encryption technology is implemented or deployed.

To learn more about the basics of the bug, visit heartbleed.org.

What should you do?
A quick Google search for “Heartbleed bug” will produce over 51,000 results already, so there is a plethora of information about what it is and what to do. One of the better consumer-facing responses I’ve seen is from USA Today. I wanted to take a few moments to share some tips on addressing concerns about the risks:

    1. Don’t change all your passwords immediately. Yes, eventually you’ll want to change passwords at affected sites as a precaution, but there is an order and protocol all companies need to follow. Changing your password before the technology provider has completed their assessment process or deployed a fix could leave you more vulnerable. Mark Schloesser, a security researcher with Rapid7, based in Amsterdam, Netherlands, added that doing so “could even increase the chance of somebody getting the new password through the vulnerability,” because logging in to an insecure server to change a password could reveal both the old and new passwords to an attacker. Never share passwords across applications; it creates more risk for you when one site may be affected. You should only change your password in response to the Heartbleed bug after a website or internet company has:

    • Checked to see if it is vulnerable
    • Patched its systems
    • Grabbed a new SSL certificate
    • Told you it is fixed

    2. Don’t force companies to respond before they know an accurate answer. This type of vulnerability requires technology organizations’ IT and Security teams to conduct a thorough review of operating system vendors and distributions, software vendors, and appliance vendors to assess and determine the need to install a fix. Service providers will need to identify how the technology is used or configured. Nothing is more dangerous in a situation like this than getting incorrect information. Your partners are all working diligently to assess their level of vulnerability, but until they know 100%, wait patiently to hear from them.
    3. Partner with your service providers to understand the risk potential. Assessing vulnerability potential is a standard process for threat and vulnerability management. Systems that are not safe will need a patch, and then they will need to apply a new SSL certificate. Once their risk mitigation steps are complete they will provide a notification to their clients.
    The FFIEC has also released an OpenSSL “Heartbleed” Vulnerability Alert setting expectations for financial institutions. In the guidance, the following key steps were identified:

    • Ensure that third party vendors that use OpenSSL are aware of the vulnerability, and are taking appropriate action steps;
    • Monitor the status of their vendor’s efforts;
    • Identify and upgrade vulnerable internal systems and services; and
    • Follow appropriate patch management practices and test to ensure a secure configuration

Linnea Solem is the Chair of the Shared Assessments Program and is Chief Privacy Officer, Vice President Risk and Compliance for Deluxe Corporation. Linnea is a management professional with 20+ years of financial services experience in areas including eCommerce, technology, business development, marketing, information practices and risk management. She is a Certified Information Privacy Professional and led Deluxe’s compliance initiatives for Y2K, GLB, Check 21, and Red Flags Legislation. You can connect with Linnea on LinkedIn.

Reposted with permission from Forward Banker

FFIEC Issues OpenSSL “Heartb...


The Federal Financial Institutions Examination Council (FFIEC) has issued an advisory to its member institutions advising a material security vulnerability in the OpenSSL cryptographic library that may put systems that use this encryption method at risk. OpenSSL is an open-source implementation of the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols commonly used to protect data in transit.

The FFIEC is specifically advising financial institutions to take the following steps with respect to their third party service providers:

  • Monitor the status of their vendors’ efforts;
  • Identify and upgrade vulnerable internal systems and services; and
  • Follow appropriate patch management practices and test to ensure a secure configuration.

Read full press release here

Shining the Flashlight on Priv...

04-07-2014


Privacy notices are under scrutiny, whether due to the new California “Do Not Track” disclosure requirements for web sites or the recent FTC settlement with a smartphone developer over a “Flashlight” application that collected and shared geo-location information without the customer’s consent. Today’s technologies make it more challenging to get and keep web privacy statements in sync with emerging consumer protection requirements. Privacy notices are a key part of any financial institution’s program, not only for compliance with privacy regulations but for getting and keeping customers’ trust.

Recent media headlines make it challenging for organizations of all sizes to figure out the best method of achieving transparency in customer disclosures about privacy and information sharing, while still leveraging the benefits of technology to deliver valued functionality to their customers.

Here are my thoughts on a bit of the privacy discussion, with some ideas to consider in designing your privacy statements so as to keep your privacy notice out of the spotlight:

Do Not Track Disclosures

California is a leading state advocate for privacy rights, creating the first “Shine the Light” focus on web privacy statements and disclosures. California has required that web sites or online services that collect PII about California residents post a privacy policy, identify its effective date, describe the categories of PII that are collected and the sharing practices, and give notice of changes to the policy. In 2014, California expanded the web privacy statement requirements for its residents to require more explicit disclosures about how web sites respond to “web browser” or “do not track” requests. The goal is to enable consumers to exercise choice about the collection of PII for online services or across third party web sites. While this is a state requirement, in our borderless internet and digital marketplace it creates a new standard for electronic commerce. Transparency about options for online behavioral advertising and advertising network preferences is evolving from simply icons on the web site to being linked in practice to the web privacy statement.

Transparency for Location Information

Smartphones and social media have location tracking capabilities. They power some of the best apps and functionality that consumers like and value. However, location information can be highly personal, and the collecting and sharing of it needs to be explicit and based on the consumer’s consent. Consumers understand location information when using GPS, or when sharing their location at the local restaurant in a Facebook post. Those are contextual uses, and consumers are getting familiar with apps asking “can we use your location information?”

The recent FTC case against a smartphone app developer brought to light a situation in which the average consumer would never have realized that location information was being collected or shared; consumers were left in the dark. In this example, consumers who used the “Flashlight” application did not realize that location data was being shared with third parties and advertising networks regardless of the preference the user conveyed when accepting the licensing agreement. The resulting settlement requires a “Just in Time” privacy disclosure giving explicit notice to users of what, how, when, and where geo-location information is collected or used.

Third Party Sharing Considerations

Privacy disclosures have evolved since the early days of definition and enforcement of the key requirements driven by the Gramm-Leach-Bliley Act (GLB). While GLB created the basic foundation, the rules have evolved with each advancement in internet technology. Consumers can’t opt out of all information sharing; there are allowable exceptions. However, the language that describes those parameters can be misunderstood, or conveyed in a way that is less than transparent. While the obvious privacy disclosures, such as third party sharing for marketing purposes, are easier to identify, other uses of collection and sharing are more challenging. If your organization uses third parties to deliver functionality, be up front and transparent, and directly address customer concerns. Be up front about the limitations on the third party’s use of the information. GLB anticipated service provider relationships; that’s an allowable sharing situation, especially for processing transactions the consumer has requested or authorized.

I’ve seen, in the rush to make a very restrictive privacy policy, that some financial institutions have put their organization in a corner, with limitations on using third parties even for marketing campaigns for the bank’s own products and services. Be careful about using language like “we never share data”: while your intent is to satisfy a customer concern, you may create greater liabilities without considering your service provider relationships. If you use, or anticipate using, third parties for marketing your own products and services, make sure your privacy notice does not create a conflict. Ensure you clearly address the restrictions on that sharing and the limitations on the use of the information. Leveraging the model forms in your annual privacy notice is a good start, but consider increasing the frequency with which you update the web privacy statement.

Linnea Solem is the Chair of the Shared Assessments Program and is Chief Privacy Officer, Vice President Risk and Compliance for Deluxe Corporation. Linnea is a management professional with 20+ years of financial services experience in areas including eCommerce, technology, business development, marketing, information practices and risk management. She is a Certified Information Privacy Professional and led Deluxe’s compliance initiatives for Y2K, GLB, Check 21, and Red Flags Legislation. You can connect with Linnea on LinkedIn.

Reposted with permission from Forward Banker

Be Wary of All of the New “E...

04-02-2014


With the recent increased focus of the regulatory agencies and standards bodies on third party risk management, the market is being flooded with companies offering to provide solutions in this area. The Shared Assessments Program has been focused on third party risk issues since the launch of our Tools – the SIG and AUP – in 2005. These Tools execute the Shared Assessments approach of “Trust but Verify” to determine whether a vendor is providing an appropriate risk control environment for your systems and confidential/customer data. This approach allows an organization to obtain IT/data security and privacy information in a cost effective manner through the use of vendor questionnaires, yet validate the accuracy of that information through on site assessments when additional due diligence is required.

As the risk of outsourcing products and services has grown over the years, so has the scope of risks addressed by the Shared Assessments Tools. With continued refinement by our members since 2005, the Shared Assessments Tools now cover third party issues related to cloud computing, mobile devices, software application security, and other key third party risks.

The most recent addition to the Shared Assessments’ tool set is the Vendor Risk Management Maturity Model (VRMMM). The VRMMM sets forth the best practices that should be followed to develop a comprehensive third party risk program. In addition, it allows a company to evaluate the maturity of each of their program’s components against stated development goals.

An exciting supplement to the VRMMM is the upcoming release of the third party risk management benchmarking study. Shared Assessments has teamed up with Protiviti to develop the first comprehensive benchmarking study on third party risk programs. The goal is to provide companies with the ability to evaluate the maturity of their own third party risk program against that of their industry peers. The release of this study is scheduled to coincide with the Shared Assessments Summit May 19 – 21 in Boston.

As the trusted authority on third party risk assessment and management, the Shared Assessments Program goes well beyond providing Tools for third party risk. Shared Assessments also provides workshops and training on how to implement our Tools and address all of the key issues in the third party risk lifecycle. We have training and educational materials that begin with vendor selection, continue to assessment and remediation, and conclude with vendor termination and replacement.

So, make sure you’re comfortable with the depth and breadth of the experience a company has in this area before you trust them to help solve your third party risk issues. When conducting your due diligence make sure you remember that the software solution providers who license Shared Assessments content, and all of our assessment firm members, are all beneficiaries of the Program’s decade of knowledge in addressing third party risks.

Santa Fe Group Consultant and Shared Assessments Program Director, Brad Keller, has more than 25 years of experience developing and leading risk management and third-party risk assessment programs. Brad is responsible for the development of the Shared Assessments Program’s Tools and key partnerships. Follow Brad on Twitter at @sfgbrad.

Data Breaches and Third Party ...

03-27-2014


Materiality and Mitigation Approaches

Although most data breach headlines have centered on retail organizations continuing to expose payments related data, the reality is that data breaches are a fact of life in almost every economic sector. In its 2013 Data Breach Investigation Report ((http://www.verizonenterprise.com/DBIR/2013/)) Verizon notes that it saw breaches in restaurants, media companies, multi-national corporations, utilities, defense contractors, and governments among many others. Of course the reasons for attacks are as varied as the data that’s being stolen. But the common element is that whether it’s intellectual property, medical records, payments related data or something else, that data is valuable to the fraudster. To date, industry has fought attacks by honing internal security and operating procedures (including outsourcing contracting) and system architectures. And now, especially as it relates to payments data, firms are beginning to take steps that will diminish the value of any data that might be stolen in successful attacks.

Third party participation in data breaches can be viewed from many perspectives and unfortunately that’s clouded the role third parties have played in attacks. How big a threat are third parties? By one measure, not very big at all. Verizon’s 2013 analysis, for example, reported that in only one percent of the instances it examined did third parties play a direct causal role, taking on the label of what Verizon calls “threat actor.” But that measure assesses only one of the many ways third parties can play a role in triggering breach events.

The 2012 Trustwave Global Security Report ((2012 Trustwave Global Security Report, Page 6)), in a stinging condemnation of outsourced system administration practices, reported that in 76% of the cases it investigated a third party responsible for system support, development or maintenance introduced the security deficiencies later exploited by attackers.

Even the presence of sophisticated internal IT security teams is not a guarantee against a third party role of some type in successful hacks. In the recent Target data breach, credible reports indicated that hackers found their way into the company through credentials stolen from an HVAC contractor that had worked for the retailer and had network access. ((https://krebsonsecurity.com/2014/02/target-hackers-broke-in-via-hvac-company/)) But that intrusion path isn’t the complete story. More than a year before the recent breach Target had purchased sophisticated malware detection software (FireEye) that successfully detected the intrusion and could have automatically eliminated the malware, but did not. Why? Target’s internal security team had turned that specific feature off, an action not as unusual as it may sound. ((http://www.businessweek.com/articles/2014-03-13/target-missed-alarms-in-epic-hack-of-credit-card-data))

The important lesson is that third party roles in successful breaches can be subtle, can come from the most unexpected directions, and most often represent only one of a number of factors that in combination open the door to successful malware incursions.

Most data breaches will not approach the expected hundred million dollar threshold that experts predict Target will see as a result of its recent attacks, but even smaller breaches can be quite expensive. The just released Fourth Annual Benchmark Study on Patient Privacy and Data Security by the Ponemon Institute calculated that the average economic impact of data breaches for the health care organizations it studied was two million dollars. ((Fourth Annual Benchmark Study on Patient Privacy & Data Security, March 2014, Page 2)) And in Ponemon’s 2013 Cost of Data Breach Study, it found that U.S. companies paid an average of $188/record for data breaches during its study period. ((https://www4.symantec.com/mktginfo/whitepaper/053013_GL_NA_WP_Ponemon-2013-Cost-of-a-Data-Breach-Report_daiNA_cta72382.pdf)) Organizations would not be paying such a high price for data breaches if preventing them was easy – in today’s technology environment it’s anything but.

Preventing data breaches requires not only good third party vendor management, but good ongoing data security hygiene and operations risk management practices within the firms for whom third parties work. How can you evaluate your firm’s readiness to deal with today’s threatening technology environment? One place to start an evaluation is with the Shared Assessment Program’s Vendor Risk Management Maturity Model, which provides an excellent framework around five high level categories of vendor management: contract provision oversight, ongoing monitoring of service level agreements, potential changes due to the external environment, self-assessment and audit readiness, and independent testing. The model can help management better understand the gap between best practice and today’s practice reality.

Financial institutions (and others) will also benefit from the OCC’s updated October 31st 2013 Guidance on Third Party Relationship Risk Management. The OCC’s guidance explores key management practices through the third party risk management life cycle, and a summary of those elements is available here.

One of the biggest issues in third party risk management has been the natural tendency for organizations to focus on periodic examinations, be they from regulators, internal or external auditors, Qualified Security Assessor (QSA) organizations, or others. Firms see these periodic exercises as tests to be passed or failed but not, unfortunately, as the periodic evaluations of an ongoing process that they should be. The good news is that there is broad acknowledgement of this issue, and as relevant regulatory guidance and security standards are modified they are increasingly sensitive to ensuring an appropriate ongoing risk management process.

Third party program risk management is an essential component of any organization’s risk assurance program. Although it may never be possible to completely stop data breaches, by leveraging an increasingly robust set of Third Party related risk management tools from Shared Assessments and others we can make real progress in limiting both the frequency and impact of these events.

For more than 35 years, Santa Fe Group Senior Consultant, Gary Roboff, contributed his outstanding talents to the financial services industry, and in particular to financial services payments systems. Gary has focused on such issues as privacy and information utilization, business frameworks, changes in the payments and settlement systems, and standards for emerging e-commerce applications. He has chaired the Electronic Funds Transfer Association (EFTA) Board of Directors and was a founder of the International Security Trust and Privacy Alliance (ISTPA), serving as Vice Chair of its Board.

Tokens Move Up Front...

03-24-2014


We might be forgiven for thinking that tokens have been the Rodney Dangerfield of the payments business, but that label is changing fast. Tokens have been used in the payments business for years, mostly in the back room where they have been a preferred tool for securing customer information for merchants who require a more assured method for handling exception items. Since last summer, however, we’ve seen a number of efforts designed to move token functionality to the front end of payment transactions, culminating with EMVCo’s draft payment tokenization framework release the week of March 10th (a full draft tokenization specification is promised for June 2014). The Clearing House, EMVCo, MasterCard, VISA and major banks are all moving quickly to use tokens in place of long-standard account identifiers to help reduce the risk associated with data breaches, and that’s a welcome development.

So what, exactly, is a token? Tokens are simply surrogate values that can be used in place of specific information that for one reason or another is best kept private. In the payments business, tokens are rapidly becoming a preferred tool to increase the security of individual transactions where they will be used to replace the Personal Account Number (PAN), primarily in the virtual world.
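As an added example that is not code from the original post, EMVCo or The Clearing House, here is a minimal token vault in Python showing the property the post relies on: the token is a random surrogate that keeps nothing of the PAN but its last four digits, passes a Luhn check so legacy format validation accepts it, and maps back to the PAN only through a lookup in the vault. The preserved last four digits, same-length tokens and the `TokenVault` API are assumptions made for this example.

```python
"""Minimal payment-token vault.

Added example, not code from the original post, EMVCo or The Clearing House.
A token is a surrogate for the PAN that carries no information from which the
PAN can be recovered, so a token stolen from a merchant is worth nothing to a
fraudster without access to the vault.

Assumptions (not stated in the post): tokens keep the PAN's last four digits
so receipts and support staff can still reference the card, are Luhn-valid so
legacy PAN format checks accept them, and are the same length as the PAN.
"""
import secrets


def luhn_checksum(number: str) -> int:
    """Return the Luhn sum of a digit string mod 10 (0 means the check digit is valid)."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        digit = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            digit *= 2
            if digit > 9:
                digit -= 9
        total += digit
    return total % 10


def luhn_valid(number: str) -> bool:
    return number.isdigit() and luhn_checksum(number) == 0


class TokenVault:
    """Maps PANs to random surrogate tokens and back.

    The vault is the one system that must be protected as if it held card
    data; everything downstream of it only ever sees tokens.
    """

    def __init__(self) -> None:
        self._token_by_pan: dict[str, str] = {}
        self._pan_by_token: dict[str, str] = {}

    @staticmethod
    def _random_candidate(pan: str) -> str:
        """Build a Luhn-valid surrogate that shares only the last four digits."""
        last4 = pan[-4:]
        # All leading digits come from a CSPRNG; nothing is derived from the PAN.
        body = "".join(str(secrets.randbelow(10)) for _ in range(len(pan) - 5))
        # Doubling maps 0-9 onto a permutation of 0-9, so exactly one value of
        # the adjustment digit makes the whole string pass the Luhn check.
        for adjust in range(10):
            candidate = body + str(adjust) + last4
            if luhn_checksum(candidate) == 0:
                return candidate
        raise AssertionError("unreachable: a Luhn adjustment digit always exists")

    def tokenize(self, pan: str) -> str:
        """Return the token for a PAN, issuing a new one on first sight."""
        if not (13 <= len(pan) <= 19 and luhn_valid(pan)):
            raise ValueError("not a well-formed PAN")
        if pan in self._token_by_pan:
            return self._token_by_pan[pan]  # same card, same token
        for _ in range(100):
            token = self._random_candidate(pan)
            # Reject the (astronomically unlikely) cases where the surrogate
            # equals the PAN itself or collides with a token already issued.
            if token != pan and token not in self._pan_by_token:
                self._token_by_pan[pan] = token
                self._pan_by_token[token] = pan
                return token
        raise RuntimeError("could not allocate a unique token")

    def detokenize(self, token: str) -> str:
        """Recover the PAN; only callers with vault access can do this."""
        return self._pan_by_token[token]  # KeyError for tokens never issued


if __name__ == "__main__":
    vault = TokenVault()
    test_pan = "4111111111111111"  # constructed, Luhn-valid test number
    tok = vault.tokenize(test_pan)
    print("token issued:", tok, "ends in", tok[-4:], "Luhn valid:", luhn_valid(tok))
    print("round trip ok:", vault.detokenize(tok) == test_pan)
```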

For transactions at the physical point of sale, efforts are underway to close gaps that allow PAN and other data to be exposed in some EMV implementations. That kind of exposure can happen inside of a POS terminal memory device where PAN and other data may be unencrypted for an instant, but long enough to be compromised. A new PCI 3.0 requirement, 6.5.6 (Insecure Handling of PAN and SAD in Memory) effective mid-year 2015, tightens requirements around this issue. That said, the incentive to harvest transaction data at the point of sale would be reduced tremendously in an EMV environment if that information could not be used in the virtual world to easily compromise accounts. That’s where payment tokens assume such significance.

Tokens will be key to limiting the very rapid migration of payments fraud from the physical to the virtual world that’s occurred in almost every country where EMV implementations have been successful in reducing fraud at the physical point-of-sale. That’s one reason The Clearing House and its twenty two members (including the largest U.S. banks) have been working on token based payment applications for more than two years, and last summer

SIG 2014 And Software Security...

03-10-2014


Ok, so you did everything right… you sent your vendor a Standard Information Gathering (SIG) scoped based on data and service type, you analyzed the responses, decided to perform an on-site assessment using the Agreed Upon Procedure (AUP), and helped identify security gaps that needed to be addressed. Everything seemed to be aligned with your risk management process and you were seeing progress… but then your vendor’s core software got breached and your customer data was exposed. You hadn’t focused heavily on the software security since this wasn’t generally in your purview and the basic information you had received back from the SIG seemed to indicate appropriate security controls were in place. You started wondering what had gone wrong and what you could have done differently.

Over the course of the last year, the Shared Assessment SIG Committee asked the same question. How can the SIG help you better understand a vendor’s software development security lifecycle with more dedicated software security questions? How could you, as a security and/or risk generalist get information to inform whether further assessment is necessary without having an advanced degree in application development?

As part of its effort, the SIG Committee formed a software security sub-committee made up of the leaders in software security including Veracode, Cigital, JP Morgan Chase, The Clearing House, and others to identify the relevant questions necessary to understand a 3rd party’s application security maturity. The goal was to offer SIG users a more in-depth view without creating a separate tool or going as deep as a vBSIMM or an actual code review (like those that are available from Cigital and Veracode); both recommended to help get more visibility into vendor development maturity and reduce risk.

The goal was to develop real-world questions in use at these top firms today, in-line with the SIG format, that could be leveraged by the rest of the membership.

The results of this effort are part of the SIG 2014 Software Security tab and represent a great step forward in helping to reduce what is one of the most challenging aspects of 3rd party risk management. The Software Security tab builds upon other SIG content to further highlight vendors that provide software as part of their offerings. I hope you will incorporate the new tab as part of your process and we would love feedback from members on whether this has been helpful in improving visibility and reducing application security risk. I would also like to thank everyone who participated in making the new tab a reality.

Prevalent Networks Managing Director and Vice-Chair Shared Assessments Steering Committee, Jonathan Dambrot, CISSP, works with the leading organizations in the world to help better manage third party and IT related risks. Prevalent develops Prevalent Vendor Risk Manager and provides compliance automation solutions from the cloud with its Prevalent Compliance as a Service. Jonathan is responsible for driving the direction of Prevalent, as well as managing the sales, project management, operations, legal, and marketing organizations at the company.

What’s Keeping Your CEO ...

03-03-2014


Data Breaches. Big Data. The Future of Privacy

Media headlines and the blogosphere are in overdrive regarding privacy, security, and risk after recent events, as my fellow blogger Glen Sarvady pointed out in his recent blog: Data breaches may accelerate move to new technology.

Leading the charge in the dialog are messages from the top CEO, the President of the United States, about the need to assess big data and the implications of emerging technology capabilities. Over the next 90 days, the discussion will continue with privacy experts, technology geeks, and C-suite focus on the balancing act of enabling technologies while maintaining a sufficient cyber-security infrastructure.

Recent testimony in the Senate regarding recent retailer breaches will keep the C-suites at many companies on edge. A common thread throughout the dialog is the criticality of implementing the right set of controls: CEOs can’t eliminate risk, but they can provide the tone at the top within their organizations on how best to mitigate and manage risk.

Protecting company assets and securing information, while enabling functionality consumers want is a juggling act. The rapid evolution and consumption of technology involves the use of third party service providers regardless of industry. Financial service companies are feeling the pressure as multiple regulators are focusing attention as to the maturity level of third party or vendor risk management programs. Organizations are highly dependent on leveraging third parties to be profitable today – which is why it is critical to leverage thought leadership and resources across the industry to focus the debate on the right set of standards for third party risk assurance.

Three simple things any business leader can do to engage their internal risk stakeholders in the dialog:

  1. Conduct outreach to your employees & contractors on the importance of privacy & security in all aspects of their job. Lather, Rinse, Repeat the value of your organization’s privacy & security procedures
  2. Elevate the risk dialog in your own organization, by looking not just at technology solutions, but governance and management reporting
  3. Minimize third party risk by assessing your vendor risk management program and determining how to optimize resources and thought leadership from peers

While the polar vortex is making our reality ice cold, the debate on breaches, big data, and privacy is creating a chilly atmosphere for executives. Fueling the dialog will be a vast range of opinions on where to invest, and what level of investment is needed to reduce the risks.

Collaboration is the key to success on most risk topics – everyone has the same stake in the game. A good example of collaboration is the recent release of new tools and resources for effectively managing the critical components of the vendor risk management lifecycle, announced by the Shared Assessments Program. Shared Assessment members are national and international organizations of all sizes that understand the value of leveraging the knowledge of their risk management peers in the definition and management of third party risk management programs. The collaborative organization brings together working groups, development committees, and special projects in the area of third party risk assurance.

Bottom line, the message is about Respecting Privacy, Safeguarding Data, and Enabling Trust

Linnea Solem is the Chair of the Shared Assessments Program and is Vice President and Chief Privacy Officer for Deluxe Corporation. Linnea is a management professional with 20+ years of financial services experience in areas including eCommerce, technology, business development, marketing, information practices and risk management. She is a Certified Information Privacy Professional and led Deluxe’s compliance initiatives for Y2K, GLB, Check 21, and Red Flags Legislation. You can connect with Linnea on LinkedIn.

Reposted with permission from Forward Banker

What You Should Know About The...

02-24-2014


Background on the NIST Cybersecurity Framework
On February 13, 2013, the Obama Administration released Executive Order 13636 calling for the development of a voluntary cybersecurity framework by the National Institute of Science and Technology (NIST) for “critical infrastructure” providers. (Critical infrastructure is defined in the Framework as “systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on cybersecurity, national economic security, national public health and safety, or any combination of those matters.”)

What is NIST?
NIST is part of the U.S. Department of Commerce and the federal technology agency that works with industry to develop and apply technology, measurements, and standards.

What is the Core Framework?
The NIST Cybersecurity Framework seeks to protect the systems and assets most crucial to the safety of our country and ensure that all critical sectors uphold a certain level of cybersecurity.

  • It provides stakeholders with a risk-based approach when determining their current cybersecurity readiness, in accordance with the specific needs and characteristics of each business sector.
  • It is a summary of processes and best-practices that provides critical infrastructure providers with standard criteria for assessing the risks and liabilities posed by cyber threats.
  • Risks are organized around five core activities that a company’s management and IT security teams routinely must perform when dealing with security risks: identify, protect, detect, respond, and recover.

Who Does the Framework Apply To?
As defined by the Department of Homeland Security, “critical infrastructure” sectors include financial services, communications, critical manufacturing, the defense industrial base, energy, emergency services, food and agriculture, healthcare, information technology, utilities, and transportation systems. Compliance with the Framework is voluntary.

How Is The Financial Services Sector Affected by the Framework?
Financial institutions are subject to rigorous and comprehensive cybersecurity regulations and supervisory guidance, and are regularly examined by federal and state authorities. These include the Gramm-Leach-Bliley Act of 1999 (including the “Interagency Guidelines Establishing Information Security Standards” regulation), the Fair Credit Reporting Act, the Right to Financial Privacy Act, as well as extensive regulations and supervisory guidance from the Federal Financial Institutions Examination Council addressing information security, vendor management and business continuity risks. The Framework leverages the existing standards of the financial services sector and uses the current requirements as a model for other sectors. The Framework is consistent with these existing requirements, but the Administration has asked the independent federal financial regulatory agencies to “align” and “harmonize” with the NIST Framework, so we may see some adjustments to these requirements from the federal financial regulators at some point.

Author John Carlson is an Executive Vice President of BITS, FSR’s Technology Policy Division.

John’s blog was originally posted by the Financial Services Roundtable and was reposted with permission. To read the original article in its entirety, click here.

ISO/IEC 27001:2013 – A New S...

yadzinski 02-19-2014

BSI ISO/IEC 27001:2005 is nearly 8 years old and information security threats have changed substantially during this time. As part of the normal revision cycle for standards, ISO/IEC 27001:2005 has been revised and the new version, ISO/IEC 27001:2013 was published September 26, 2013 with a release date of October 1, 2013.

The standard has been written in accordance with Annex SL of Directive 1, the new high-level structure which will be common across all management systems, allowing for much easier integration.

  • It does not emphasize the Plan-Do-Check-Act cycle in the same way that ISO/IEC 27001:2005 did – organizations can take a PDCA or a process approach.
  • Definitions in the 2005 version have been removed and relocated to ISO/IEC 27000 (section 3), which is now a normative reference.
  • There have been changes to the terminology used, e.g. “information security policy” is used rather than “ISMS policy”.
  • Requirements for management commitment have been revised and are presented in the Leadership clause, with much more emphasis on requiring evidence that management is actually involved with the ISMS.
  • Preventive action has been replaced with “actions to address risks and opportunities” and features earlier in the standard. This effectively makes preventive action part of the risk process rather than just part of the corrective action process.
  • This International Standard also includes requirements for the assessment and treatment of information security risks tailored to the needs of the organization. The risk assessment requirements are more general, reflecting an alignment of ISO/IEC 27001 with ISO 31000.
  • Statement of Applicability requirements are similar, but with more clarity on the determination of controls by the risk treatment process. Organizations adopting ISO/IEC 27001 are free to choose whichever specific information security controls are applicable to their particular information security situations, drawing on those listed in Annex A and potentially supplementing them with other extended control sets or compensating controls.
  • The new standard puts more emphasis on measuring and evaluating how well an organization’s ISMS is performing.

But more importantly the organization must now determine external and internal issues that are relevant to its purpose and that affect its ability to achieve the intended outcome(s) of its information security management system.

There is emphasis on ensuring that the scope covers any and all issues (external or internal), including interested parties. In the past, the requirements around scope were a little broad, allowing some organizations to define a scope that was very small and did not cover some critical aspects.

Scope now has to be fit for purpose. The organization must determine the boundaries and applicability of the information security management system to establish its scope. Interfaces and dependencies between activities performed by the organization and those performed by other organizations must now clearly be addressed within the ISMS. This should include legal and regulatory requirements and contractual obligations, along with supply-chain considerations.

Anyone currently certified to ISO 27001:2005 will find there is a little bit of work to do, but will also find the changes refreshing and user friendly: the standard is much more holistic in nature, has fewer documentation requirements and is easy to integrate with other standards.

John DiMaria is a BSI Certification Portfolio Expert, Six Sigma Black Belt, certified Holistic Information Security Practitioner (HISP), and Master HISP with over 28 years of successful experience in Management Systems and international standards.

Notice: The views expressed in this blog are those of the author and should not be interpreted to have been endorsed or otherwise represent those of BSI Group, or any other of its employees, officers, directors or anyone otherwise affiliated with BSI Group.

NIST Releases Cybersecurity Fr...

02-13-2014

The NIST Cybersecurity Framework, created through collaboration between government and the private sector, uses a common language to address and manage cybersecurity risk in a cost-effective way based on business needs without placing additional regulatory requirements on businesses. It may also help to ensure that third party providers adhere to baseline cybersecurity standards. The Framework focuses on using business drivers to guide cybersecurity activities and considering cybersecurity risks as part of the organization’s risk management processes.

To read the Framework for Improving Critical Infrastructure Cybersecurity in its entirety, click here.

Scrutiny Increases on Third Pa...

02-11-2014

2013 will go down as an extremely unusual year as an unprecedented amount of attention was placed on a single risk area – third party risk. Beginning with the Consumer Financial Protection Bureau (CFPB) guidance in April and ending with the Federal Reserve guidance in December, both regulatory agencies and standards bodies alike found it necessary to sharpen their focus on the need to better manage outsourced services. The list of regulators and standards bodies expanding their look at third party risk is impressive: CFPB, ISO 27001/2, PCI’s Payment Application Data Security Standards 3.0, Office of the Comptroller of the Currency (OCC) Third Party Risk Guidance, and NIST’s Cybersecurity Framework. The importance of effectively managing outsourced services was further driven home by the most recent round of data breaches at Target, Neiman Marcus (and perhaps a half dozen additional retailers). Our newsletter Feature Article, written by Santa Fe Group Senior Consultant, Gary Roboff, provides an overview of last year’s third party risk changes, and takes a look at where both the OCC and CFPB are headed as they increase regulatory scrutiny on third party risk management and the likely consequences for financial institutions and service providers.

Never has there been a better time for Shared Assessments to release the newest version of its Program Tools. Shared Assessments just announced its 2014 release, including the Standard Information Gathering (SIG) questionnaire, Agreed Upon Procedures (AUP) and Vendor Risk Management Maturity Model (VRMMM). These Program Tools help companies:

  • Adhere to the above mentioned standards and guidance,
  • Assess third party risk
  • Understand the development and maintenance of third party risk management programs

More importantly, given the volatile data breach landscape where most breaches and security incidents happen at the service provider level, these new tools assess the risks and software security-readiness of third-party service providers. Shared Assessments Tools inject standardization, consistency, speed, efficiency and cost savings into the vendor risk assessment process.

The Standard Information Gathering (SIG) Questionnaire has been expanded to include an entirely new section, which covers software application security (including the type of software found on POS devices). This section lets you fully examine a service provider’s software security development lifecycle. In addition, coverage of the risks associated with service provider outsourcing has been expanded to ensure that 4th party risks are adequately covered.

Using the AUP as your on-site assessment tool lets you verify information provided in the SIG, or conduct an independent assessment of the controls a service provider should have in place to properly protect your data and systems. In addition, by specifying the procedures to be used to conduct controls testing, and recommending industry standard sampling parameters, the AUP allows you to obtain consistent and cost effective results.

The long awaited guidance from the Office of the Comptroller of the Currency (OCC) on third party risk management was finally issued October 31st. The primary focus of this guidance is to ensure that financial institutions properly manage third party risk throughout the full term of an outsourcing relationship. One of the most notable components of the OCC Guidance is the discussion of senior management’s active participation in the vendor risk management lifecycle. Shared Assessments Vendor Risk Management Maturity Model (VRMMM) is an invaluable resource in demonstrating a company’s focus on the entire vendor lifecycle, and documenting senior management’s active involvement in that process.

The VRMMM incorporates vendor risk management best practices into a usable model, which can be used to assess the current and desired future state of a vendor risk management program and helps companies make well-informed decisions on how to spend limited resources to most effectively manage vendor-related risks. The VRMMM has been substantially enhanced for 2014 and now provides a scoring dashboard and the ability to score program components on a scale of 0-5 in .5 increments. Incremental scoring allows users to indicate that program components are under development and provides better tracking of program improvements over time. The scoring dashboard displays scores for: each component; each foundational program area; and, an overall maturity score for the program.

While we are confident that the issues discussed in the recently released regulatory guidance and industry standards are already addressed by the Program’s Tools, Shared Assessments’ Working and Special Project Groups are currently working to ensure that no gaps exist in the risk controls and areas covered by our Tools. As soon as this effort is concluded, revised versions of the Tools will be released should updates to the Tools be necessary.

In the interim, check our blog – Authorities on Risk Assurance – for timely discussions on third party risk management practices, threats and trends, and visit our website often for newly released articles, case studies and other information to help you manage third party risk.

Santa Fe Group Consultant and Shared Assessments Program Director, Brad Keller, has more than 25 years of experience developing and leading risk management and third-party risk assessment programs. Brad is responsible for the development of the Shared Assessments Program’s Tools and key partnerships. Follow Brad on Twitter at @SFGBrad.

Climate Change Comes to the Wo...

While the debate about global warming and atmospheric climate change continues to rage, there is little doubt that the “climate” around banking risk and risk assurance is changing rapidly, driven primarily by national and state regulators, federal and state attorneys general, and a public that is tired and angry of reading headlines about the latest banking misbehavior. The scope of these misdeeds is as important as the frequency with which they are reported. The issues range from serious, high-value-impact misconduct to consumer transactions of smaller individual impact repeated time and time again as standard operating practice. Put another way, by example, the abuses have ranged from Libor currency fixing, mortgage-backed security valuation falsifications and blatant credit default swap trading irregularities on one hand to deceptive marketing tactics meant to pressure or mislead consumers into paying for add-on products of questionable value, unfair and abusive debt collection practices, and insensitive and legally questionable foreclosure proceedings. Make no mistake – although behaviors with standalone national and international economic consequences and more local consumer-level issues may seem unrelated, in today’s increasingly chilly regulatory environment they are increasingly viewed through a holistic lens by the community at large.

What’s particularly interesting about many of the consumer related headlines we’ve seen is that questionable practices are often not housed within the bank itself but rather driven by third parties working under contract on behalf of a financial institution. FIs’ increased use of third party service providers is one of the areas on which regulators have focused in this increasingly chilly regulatory environment, but this attention is not new – agency guidance in this area goes back to at least 1994. ((INTERAGENCY STATEMENT ON RETAIL SALES OF NONDEPOSIT INVESTMENT PRODUCTS (February, 1994): Arrangements with Third Parties. If a depository institution directly or indirectly, including through a subsidiary or service corporation, engages in activities as described above under which a third party sells or recommends nondeposit investment products, the institution should, prior to entering into the arrangement, conduct an appropriate review of the third party. The institution should have a written agreement with the third party that is approved by the institution’s board of directors. Compliance with the agreement should be periodically monitored by the institution’s senior management.
At a minimum, the written agreement should: (a) describe the duties and responsibilities of each party, including a description of permissible activities by the third party on the institution’s premises, terms as to the use of the institution’s space, personnel, and equipment, and compensation arrangements for personnel of the institution and the third party; (b) specify that the third party will comply with all applicable laws and regulations, and will act consistently with the provisions of this Statement and, in particular, with the provisions relating to customer disclosures; (c) authorize the institution to monitor the third party and periodically review and verify that the third party and its sales representatives are complying with its agreement with the institution; (d) authorize the institution and the appropriate banking agency to have access to such records of the third party as are necessary or appropriate to evaluate such compliance; (e) require the third party to indemnify the institution for potential liability resulting from actions of the third party with regard to the investment product sales program; (f) provide for written employment contracts, satisfactory to the institution, for personnel who are employees of both the institution and the third party.)) Two regulatory organizations have sway. The Consumer Financial Protection Bureau (CFPB) has been leading the charge recently, and has focused primarily on unfair, deceptive, and abusive acts or practices (also known as UDAAP issues). But the OCC (Office of the Comptroller of the Currency), with wide ranging third party guidance on the books for well over a decade, made a splash of its own with the release of OCC Bulletin 2013-29 on Third Party Relationships, which replaces the OCC’s earlier guidance (OCC Bulletin 2001-47), originally released in April of 2001.

Let’s take a look at where both regulatory organizations are headed and the likely consequences for financial institutions and service providers. Third party service provider issues were an early focus of the CFPB, and in April of last year the agency issued guidance, making it clear that financial institutions are responsible for:

  • Conducting thorough due diligence to verify that the service provider understands and is capable of complying with Federal consumer financial law;
  • Requesting and reviewing the service provider’s policies, procedures, internal controls, and training materials to ensure that the service provider conducts appropriate training and oversight of employees or agents that have consumer contact or compliance responsibilities;
  • Including in the contract with the service provider clear expectations about compliance, as well as appropriate and enforceable consequences for violating any compliance-related responsibilities, including engaging in unfair, deceptive, or abusive acts or practices;
  • Establishing internal controls and on-going monitoring to determine whether the service provider is complying with Federal consumer financial law; and
  • Taking prompt action to address fully any problems identified through the monitoring process, including terminating the relationship where appropriate.

The CFPB by its charter has a natural focus on compliance with federal consumer protection law, and this agency’s guidance reflects that. The OCC’s concerns are broader, and extend to ensuring fundamental safety and soundness in an era where technology outsourcing is the rule and the threat environment is increasingly complex and menacing. How big is the OCC’s climate change around operational risk? In May of 2012, in a speech before the Exchequer Club in Washington, D.C., Comptroller Thomas Curry described the scale of the shift:

“Given the complexity of today’s banking markets and the sophistication of technology that underpins it, it is no surprise that the OCC deems operational risk to be high and increasing. Indeed, it is currently at the top of the list of safety and soundness issues for the institutions we supervise.

This is an extraordinary thing. Some of our most seasoned supervisors, people with 30 or more years of experience in some cases, tell me that this is the first time they have seen operational risk eclipse credit risk as a safety and soundness challenge. Rising operational risk concerns them, it concerns me, and it should concern you.”

The OCC’s concentration on what it perceives as changes in the major elements of operational risk underlies its motivation to update its Third Party guidance. One of the OCC’s primary areas of focus in its upcoming guidance will be ongoing process – in other words, ensuring that FIs properly manage third party risk throughout the full term of an outsourcing relationship. And when banks undertake outsourcing initiatives that are strategically important, the OCC thinks even more is required. In an interview last August, the OCC’s deputy comptroller for operational risk said that in such circumstances, “Some level of independent review is necessary to assess on an ongoing basis whether [the FI] is doing this in a prudent way, in a sound way… We’re going to expect to see the right level of oversight and accountability, the right level of documentation and reporting.”

Although the underlying principles in the OCC’s forthcoming guidance are not new, the agency’s performance expectations are. Comptroller Curry raised the stakes even higher for larger FIs. As the American Banker reported on September 27th, as part of its “Heightened Expectations” program, large banks must maintain their internal controls and audit at a “strong”, not a “satisfactory”, level, and the OCC plans to formalize that standard.

Finally, as if to underscore that the industry should focus less on compliance as a checklist and more on a true risk mitigation process, the industry’s own Payments Card Industry (PCI) Council issued a new set of standards in November that are driven in part by ongoing third party security challenges and significant inconsistencies in PCI assessments. In the organization’s own words, “Changes planned for Version 3.0 are designed to help organizations take a proactive approach to protect cardholder data that focuses on security, not compliance, and makes PCI DSS a business-as-usual practice.”

There are short term and longer term climate changes of course, but this regulatory shift seems to be settling in as a sustained effort to push the financial services industry toward a significantly higher level of risk mitigation effectiveness. That means more focus on risk related process, both inside firms and with third parties, and an ongoing ability to monitor effectiveness. There can be no doubt – it’s time to fundamentally up the industry’s risk assurance game, and soon.

For more than 35 years, Santa Fe Group Senior Consultant, Gary Roboff, contributed his outstanding talents to the financial services industry, and in particular to financial services payments systems. Gary has focused on such issues as privacy and information utilization, business frameworks, changes in the payments and settlement systems, and standards for emerging e-commerce applications. He has chaired the Electronic Funds Transfer Association (EFTA) Board of Directors and was a founder of the International Security Trust and Privacy Alliance (ISTPA), serving as Vice Chair of its Board.

Fourth-Party Data Breaches See...

02-04-2014

PRESS RELEASE
FEBRUARY 4, 2014
Contact: Lisa MacKenzie, MacKenzie Marketing Group, 503-705-3508,
lisam@mackenzie-marketing.com or Kelly Stremel, kellys@mackenzie-marketing.com

Fourth-Party Data Breaches Seen as Latest Threat to Customer Information; Healthcare and Financial Services Primary Targets

New 2014 Shared Assessment Program Tools Deliver Comprehensive Assessment of
IT, Privacy and Data Security Controls to Manage Threats

SANTA FE, N.M. — February 4, 2014 — Following one of the largest data breaches in history, The Shared Assessments Program today released an updated version of its Program Tools, to help address the latest threat to customers’ data: fourth-party data breaches. The new 2014 Tools—the Standard Information Gathering (SIG) questionnaire, Agreed Upon Procedures (AUP) and Vendor Risk Management Maturity Model (VRMMM) for 2014—have been updated to include the latest data protection, privacy and IT security standards and regulations around managing and protecting customer information, by leveraging best practices from vendor risk management professionals in financial services, healthcare and other industries.

The new Program Tools help financial institutions and healthcare organizations to assess and measure third parties’ (Business Associates’) security and compliance readiness and risks, including software security, cloud, mobile, and fourth-party risks. Updates to the tools address federal regulations, including HIPAA/HITECH, Office of the Comptroller of the Currency (OCC) and Federal Reserve guidances, along with industry standards and guidelines that organizations need to adhere to, in order to protect personally identifiable information (PII) and protected health information (PHI). By using the Shared Assessment Program Tools, organizations can conduct rigorous assessments of controls in order to evaluate IT, privacy, and data security risks.

“Organizations that are tasked with managing PII and PHI are facing unprecedented levels of risk compounded by a threat landscape that changes on a daily basis,” commented Catherine Allen, Chairman and CEO of the Santa Fe Group. “The updated Shared Assessment Program Tools for 2014 have been developed and rigorously tested by members representing a cross section of industry leaders in financial services, healthcare, retail, energy, telecommunications and others.”

The Latest Threat: Targeting Industry Service Providers
Risk managers are dealing with an extremely volatile data breach landscape where many breaches and security incidents happen at the service provider level. Service providers and Business Associates are now held to compliance requirements such as HIPAA/HITECH that require extreme diligence in the protection of PHI. These new tools assess the risks and software security-readiness of third-party service providers and their outsourcers, also referred to as fourth parties.

Shared Assessments is the trusted source for third-party risk management. “The Program’s Tools help us ensure rigor in our evaluations of vendors that touch private data,” said Tom Garrubba, Senior Manager, Technical Assessments Group, CVS Caremark.

Updates to Entire Shared Assessment Toolkit for 2014
The following updates are included in the new release:

  • The Standard Information Gathering Questionnaire (SIG) uses industry best practices to gather and assess information technology, operating and data security risks (and their corresponding controls) in an information technology environment. Among the enhancements to SIG 2014 is an entirely new section for assessing a vendor’s software security development lifecycle, and the expansion of questions related to service provider outsourcing (fourth-party risks).
  • The Agreed Upon Procedures (AUP) is used by companies to evaluate the controls their service providers have in place for information data security, privacy and business continuity. For 2014, a new AUP Report Template allows users of the AUP to track the results of an AUP assessment and generate a clear and concise report of assessment results.
  • The Vendor Risk Management Maturity Model (VRMMM) incorporates vendor risk management best practices into a usable model, which can be used to assess the current and desired future state of a vendor risk management program and helps companies make well-informed decisions on how to spend limited resources to most effectively manage vendor-related risks. New enhancements to the VRMMM include the ability to score program components to indicate those areas that are currently under development and provide tracking of program improvements over time. The Model now includes a dashboard that displays scores for each component; each foundational program area; and, an overall maturity score for the program. In this new version, the optional functionality allows the user to set threshold maturity levels for program areas to indicate which areas require remediation, and demonstrate areas of improvement over time.

Pricing and Availability
The new tools are available now to all Shared Assessment Members and are included in the annual membership fee. Membership provides opportunities to deepen vendor risk management expertise through members-only meetings, events, teleconferences and regular cross-industry working groups that discuss the regulatory climate, including OCC, Federal Reserve, FFIEC, ISO 27001:27005, PCI, NIST, and HIPAA/HITECH. Non-members can purchase the Shared Assessment Tools either as a bundle or separately by visiting here.

About the Shared Assessments Program
The Shared Assessments Program is the trusted source in third-party risk management, with resources to effectively manage the critical components of the vendor risk management lifecycle; creating efficiencies and lowering costs for all participants; kept current with regulations, industry standards and guidelines, and the current threat environment; adopted globally across a broad range of industries both by service providers and their customers. Through membership and use of the Shared Assessments Program Tools (the Agreed Upon Procedures, Standard Information Gathering questionnaire and Vendor Risk Management Maturity Model), Shared Assessments offers companies and their service providers a faster, more efficient and less costly means of conducting rigorous assessments of controls for IT and data security, privacy and business continuity. The Shared Assessments Program is managed by The Santa Fe Group (www.santa-fe-group.com), a strategic consulting company based in Santa Fe, New Mexico.

Balancing Compliance & ...

01-27-2014

According to a National Employment Law Project (NELP) report, nearly 65 million Americans have a criminal record that could be identified by a background check. That equates to roughly one in four citizens who may have limitations in applying for jobs. Employer job applications have routinely asked questions up front for applicants to self-disclose prior convictions, regardless of the level of the job position or what background checks will be conducted prior to employment. State-by-state variances in employment practices add complexity to the hiring process. For regulated industries, like financial services or healthcare, the hiring process requires compliance rigor in the vetting and background check process based on the role and function. As technology has evolved, so have the tools and service providers used in the hiring process.

Momentum for “Ban the Box”

Across the United States, a growing number of cities, counties, and now multiple states have banned the practice of using simple “Yes or No” questions on criminal history on job applications in certain sectors. Motivations include enabling past offenders to apply and to explain their circumstances rather than being automatically excluded. The checkerboard of differences across states, cities, and industries adds complexity for employers trying to understand the rules and specific requirements that may apply. Where applicable, the “Ban the Box” movement will require hiring organizations to update their internal policies and hiring criteria by job function, advancing the implementation of a more mature, risk-based personnel pre-employment screening policy. The shift will require organizations to document and implement specific guidelines by job role for how they will use the information collected during the background check process. To ensure fairness and prevent discrimination, employers should implement processes to review and update their hiring guidelines on a periodic basis, providing specific guidelines on their hiring criteria and decision-making process.

Evolving Guidance

Updated Equal Employment Opportunity Commission (EEOC) guidance clarified the use and interpretation of criminal records in the hiring process. Employers should review and assess their internal human resources policies, standards, and guidelines to assure compliance based on information they receive in background checks. FDIC regulations, including Section 19, do not allow any FDIC-insured financial institution to hire applicants who have been convicted of, or entered into pre-trial diversion for, crimes involving dishonesty or breach of trust. Similar requirements for personnel screening can flow down to service providers based on the services performed for regulated companies. The recent Office of the Comptroller of the Currency (OCC) Bulletin on Third-Party Relationships highlighted the obligation of financial institutions to evaluate whether their service providers periodically conduct thorough background checks on their senior management and employees, as well as subcontractors who may have access to critical systems or confidential information. The guidance focused on the qualifications, backgrounds and reputations of company principals. This may require increased scrutiny of internal procedures for existing employees, as opposed to pre-employment screening.

Compliance and Due Diligence

The shift to a “Trust but Verify” approach to service provider due diligence requires financial institutions to look beyond the Pre-Employment Screening policy of their service providers and to verify evidence of the policy’s actual implementation. For service providers that serve multiple financial institutions, conducting sampling and testing with each client can be resource intensive. One option to assist with demonstrating compliance is to have an independent group, typically Audit, review the implementation of the HR policies to demonstrate assurance.

Background checks remain a fundamental building block for risk management and compliance. Balancing the needs of compliance with trends including “Ban the Box” requires organizations and service providers to enhance their internal procedures and due diligence processes to address compliance.

Linnea Solem is the Chair of the Shared Assessments Program and is the Chief Privacy Officer and Director of Business Risk & Privacy Management for Deluxe Corporation. Linnea is a management professional with 20+ years of financial services experience in areas including eCommerce, technology, business development, marketing, information practices and risk management. She is a Certified Information Privacy Professional and led Deluxe’s compliance initiatives for Y2K, GLB, Check 21, and Red Flags Legislation.

Reposted with permission from Forward Banker

Privacy Was The Word Of The Ye...

01-20-2014


2013 media headlines exposed data breaches, digital surveillance, and usage of location tracking to such an extent that Privacy was named Dictionary.com’s word of the year. When you look back at 2013, it’s clear to see why, especially when looking at this compelling infographic from Dictionary.com.

Shocking to look back at all the big events in privacy that happened in 2013, isn’t it? What was the biggest privacy breakthrough in 2013 in your opinion?

Data privacy in today’s digital age is trending in social media, with the continued debate on our rights to control and monitor our personal information. Balancing the right to privacy against protecting national interests has sparked heated debate on constitutional grounds.

The Electronic Communications Privacy Act (ECPA) was forward-looking when enacted in 1986 – prior to the rise of the internet. It outlined standards for law enforcement access to electronic communication and associated data, providing a level of privacy protection to users of emerging wireless and internet technologies. However, the law could not have anticipated the growth and evolution of the internet, social media, mobile banking or even cloud computing.

Today’s smart phones are more powerful than the computers we relied upon when ECPA was enacted. Changes in technology have outpaced our laws and regulations. Email has become the primary communication channel for individuals and businesses. The power of mobile location data provides convenience and value, but also introduces privacy risk if misused. 2013’s “Snowden Effect” is bringing to the top of mind the question of governmental access to information and the protocol for digital surveillance, including a review of privacy settings.

Privacy themes are pervasive in promoting the need for transparency in the practice of collecting personal information. Social networking has replaced private communications. As we kick-start a privacy dialog in 2014, who knows how our privacy landscape will have emerged from the cloud by January 2015.

Linnea Solem is the Chair of the Shared Assessments Program and is the Chief Privacy Officer and Director of Business Risk & Privacy Management for Deluxe Corporation. Linnea is a management professional with 20+ years of financial services experience in areas including eCommerce, technology, business development, marketing, information practices and risk management. She is a Certified Information Privacy Professional and led Deluxe’s compliance initiatives for Y2K, GLB, Check 21, and Red Flags Legislation.

Reposted with permission from Forward Banker

OCC Proposes Formal Guidelines...

01-16-2014


FOR IMMEDIATE RELEASE
January 16, 2014

WASHINGTON — The Office of the Comptroller of the Currency (OCC) today released a proposal setting forth new standards, based on the agency’s heightened expectations program, for large national banks and federal savings associations that would be enforceable under part 30 of its regulations.

Following the financial crisis, the OCC developed a set of “heightened expectations” to strengthen the governance and risk management practices of large national banks and federal savings associations and to enhance the agency’s supervision of those institutions. The guidelines build upon and formalize those expectations to provide additional clarity and specificity to the large financial institutions that the OCC oversees.

“The standards announced today build on lessons learned from the financial crisis,” said Comptroller of the Currency Thomas J. Curry. “They will contribute to a safer financial system for all of us by providing clear and enforceable standards for the risk management and governance of our largest institutions. They provide additional supervisory tools to examiners of large national banks and federal savings associations, and they will measurably enhance our supervision of these institutions.”

The proposed standards, in the form of guidelines under 12 CFR part 30 of the agency’s regulations, would apply to any insured national bank, insured federal savings association, or insured federal branch of a foreign bank, with average total consolidated assets of $50 billion or more. The proposal would reserve the OCC’s authority to apply the guidelines to an institution with less than $50 billion in assets if the OCC determines that it is highly complex or otherwise presents a heightened risk.

The proposed guidelines set forth the minimum standards for the design and implementation of an institution’s risk governance framework and provide minimum standards for oversight of that framework by the board of directors. The guidelines include provisions regarding:

  • The roles and responsibilities of those organizational units that are fundamental to the design and implementation of the risk governance framework. These units are front line units, independent risk management, and internal audit. Together, these units should establish an appropriate system to manage risk taking.
  • A comprehensive written statement that articulates the bank’s risk appetite, which serves as a basis for the risk governance framework. This statement should include both qualitative components and quantitative limits.
  • Board of directors’ oversight of a bank’s compliance with safe and sound banking practices. The board should ensure that the bank establishes and implements an effective risk governance framework that complies with the guidelines.
  • Active board oversight of a bank’s risk-taking activities. This includes establishing accountability for management’s adherence to the risk governance framework. The board should also evaluate management’s recommendations and decisions by questioning, challenging, and, when necessary, opposing, management proposals that could lead to excessive risk taking or pose a threat to safety and soundness.
  • Composition of the board of directors. A board of directors should have at least two independent members who are not part of the bank’s or the parent company’s management.

The OCC is proposing these guidelines pursuant to section 39 of the Federal Deposit Insurance Act (FDIA), which authorizes the OCC to prescribe safety and soundness standards in the form of a regulation or guidelines. If a bank or savings association fails to meet a prescribed standard, the OCC may require the institution to submit a plan specifying the steps it will take to comply with the standard. The OCC may issue an enforceable order under section 8 of the FDIA, 12 U.S.C. § 1818(b), if the institution, after being notified that it is in violation of a safety and soundness standard, fails to submit an acceptable compliance plan or fails materially to comply with an OCC-approved plan.

As part of the agency’s efforts to integrate the former Office of Thrift Supervision’s regulations, the OCC is also requesting comment on its proposal to make part 30 and all of its appendices applicable to federal savings associations and to remove part 170, which contains comparable regulations that apply to federal savings associations.

Holiday Reading...

01-13-2014


One of the great things about the holiday season is the time it provides to read and explore items that might otherwise be passed over and forgotten. This season, payment gurus had lots of eye candy in the form of 187 responses to the Federal Reserve Board’s request for comments on its Payment System Improvement Public Consultation paper, which were due no later than December 13th, just in time for leisure reading.

Although I didn’t review every submission, I did pick a range that I felt would suggest what a broad cross section of responders were suggesting, with enough breadth to provide a sense of where there might be common perspectives. I read responses from large and small financial institutions, industry associations (both banks and retailers), retailers, payments industry consultants, payments providers, etc.

There were common perspectives where I thought I’d find them, and one or two areas where it’s clear the payments industry is converging on consensus that will drive step function improvement, most notably around the potential for ISO 20022, the standard for financial services messaging.

Not surprisingly, there seems to be no general agreement among respondents about whether the United States payments industry has fundamental problems or not. Legacy players, where they saw issues (and not all did), seem sure that the free market can solve them in a timely fashion. Others see the United States payment system slipping behind those of other developed countries with eventual significant economic consequences if no steps are taken to move forward in a decisive manner.

I found the divergence in perspectives around the Fed’s role in developing payment futures quite telling. Traditional payment system drivers (financial institutions, the major credit card brands, and most – but not all – financial services centric industry associations) believe the Fed might serve as a focus point and facilitator to one degree or another. But many others think the Fed should be firmly in the driver’s seat going forward, and believe that the payments environment in the United States is so fragmented that short of the Fed leading the charge toward a near real time payments environment any material progress will be elusive.

Another area of predictable disagreement is around the question of whether the kind of near real-time payments environment the Fed posited can be derived from existing infrastructure or requires new, purpose-built systems. Here, discussion tended to be more parochial, with respondents – where they had it – touting their particular infrastructure as the best go-forward alternative.

One area where there might have been far more discussion was around the fraud consequences of near real-time settlement in a ubiquitously available payments environment. Many respondents mentioned the issue, few really explored it, and that’s unfortunate because – at least in my view – it’s an overarching concern.

Finally, I’ll confess that I found one or two responses just plain fun, hard as that may be to believe. These tended to be sometimes novel-like in their narrative, occasionally highlighting industry events sometimes best left unexplored on websites like the Fed’s, all to make a point, and usually with great effectiveness. Who said payments reading has to be dull?

For more than 35 years, Santa Fe Group Senior Consultant, Gary Roboff, contributed his outstanding talents to the financial services industry, and in particular to financial services payments systems. Gary has focused on such issues as privacy and information utilization, business frameworks, changes in the payments and settlement systems, and standards for emerging e-commerce applications. He has chaired the Electronic Funds Transfer Association (EFTA) Board of Directors and was a founder of the International Security Trust and Privacy Alliance (ISTPA), serving as Vice Chair of its Board.

Adapting Your Vendor Complianc...

01-06-2014


Broadened Regulatory Guidance

Recent regulatory guidance from multiple agencies is creating a focus on the need for broader risk management practices in the areas of operational risk of third-party service providers. Information Technology or Security controls provide a more black and white approach to compliance, while operational risk can feel more in the grey zone based on the scope and risk level. Building operational risk into your existing third-party or vendor risk management process is a key component to developing the holistic approach the regulators expect.

Almost every banking organization uses third-party vendors today to help accomplish their goals and objectives cost effectively. The presence of third-party vendors within financial institutions began with technology service providers. Now, outsourcing touches nearly all aspects of a financial institution’s business, from branch operations to marketing and web management. The OCC recently updated guidance on oversight of third-party risk in service provider relationships.

While the OCC has oversight of nationally chartered institutions, the guidance also outlines the expectation that community banking organizations adopt a risk-based approach to adapting its principles. Although a financial institution may successfully manage third-party relationships, it has much less control over vendor accountability, particularly when it comes to operational business or reputation risks. Your service provider is acting on your behalf, whether the regulatory driver is business continuity, information security, IT operations, consumer protection or direct marketing. As such, that vendor and its controls need to be integrated into your organization’s internal risk and compliance assessment.

Structuring and maintaining an ongoing vendor management program requires integration of multiple regulatory and risk drivers. In today’s market, vendors are a critical part of your overall security and risk assessment. Your organization should not only audit and review vendors objectively, but also look at ways in which the business partnership can help you meet the industry’s risk management expectations.

The Risk and Vendor Management Lifecycle

Most vendor management efforts focus on due diligence at vendor selection or during merger and acquisition efforts. However, effective vendor oversight requires ongoing due diligence for existing providers to adjust for changing market and organizational risks.
Regulatory expectations are focusing on the risk or vendor management lifecycle – building processes for each stage: planning, due diligence and selection; on-boarding of requirements; continuous monitoring; termination or off-boarding. The driver is to demonstrate more oversight of the lifecycle functions in how they are governed, with an assessment of process maturity.

Best Practice Focus Areas

Current market compliance trends show the uptick in compliance oversight across product lines. Organizations need to risk assess their offerings to see if they have triggered new compliance obligations or risk for consumer protection or Unfair, Deceptive and Abusive Practices (UDAAP). This requires an expansion of traditional “vendor risk” programs to address the non-IT activities that are more related to business processes and sales practices.

Documentation and Reporting

  • Identify your key third-party relationships that are not “IT” but have critical business functions.
  • Prioritize their function to your key performance indicators.
  • Establish a formal program with metrics, management reporting and service level agreements.
  • Identify your key compliance risk areas that need enhanced oversight based on what functions are outsourced.
  • Monitor your internal metrics and external reporting messages to demonstrate the shifts in risk focus areas and to identify new trends.
  • Define a strategy to expand management reporting for broader compliance topics than IT controls.
  • Assess what metrics work for your business to help you tell the compliance story.

Oversight and Accountability

  • Define your organization’s accountability for operational risk.
  • Partner with internal technology or sourcing teams to classify third-party relationships based on risk that includes consumer protection and operational risk.
  • Expand your traditional program to include operational risk with revised metrics, management reporting and service level agreements.
  • Identify your key compliance risk areas that need enhanced oversight for consumer protection or operational risk, and prepare for governance audits.
  • Integrate operational risk and consumer protection into management and board reporting.
  • Establish stage gate processes to address compliance risk with a focus on business enablement.

Independent Reviews

  • Define your organization’s ability to conduct independent reviews and for what risk focus areas.
  • Analyze artifacts from any external assurance sources of your third party provider.
  • Leverage vendor risk artifacts or testing results in your internal assessment preparation.
  • Identify your key compliance risk areas that need enhanced oversight.

To ensure effective, consistent oversight, your vendor management policy and governance framework should identify how you will inventory your vendors, the measures you will use to assess the activities they perform and the risk criteria you will apply to evaluate their controls.

The Maturity of Your Processes

Effective third-party assurance does not need to be overly complex, but should be repeatable, adaptable and formalized. For example:

  • Establish risk-based criteria that define the level of oversight. Not all vendors need to follow the same standards. Criteria are based on risks, vendor work function and the data to which the vendor has access. Develop criteria for the kind of oversight required for each vendor function. Prioritize higher risk functions, or those with accountholder interaction.
  • Develop a vendor lifecycle approach. Risks change as do your vendors. Establish criteria for when to review your organization’s vendor controls, such as accessibility or reporting. Be able to justify how often you evaluate a vendor and establish trigger events that require an updated vendor review. Implement processes for each phase of a vendor lifecycle.
  • Structure and review compliance documentation. Request independent audit results or monitoring where available. Develop a checklist for the documentation that you require annually and the documentation that should be provided upon request. Define your baseline of what you need from the service provider to attest to their controls.
  • Conduct lessons-learned reviews. Evaluate your toolset, track results from vendor reviews and update your vendor management program. Ensure you define and document any exception process to your vendor management program’s standards.
  • Address contract provisions. Define contract changes for operational risk and address contract provisions as market risks adjust, regulations evolve or service vendors change. Ensure your organizational roles define responsibilities and keep contracts updated.

Linnea Solem is the Chair of the Shared Assessments Program and is the Chief Privacy Officer and Director of Business Risk & Privacy Management for Deluxe Corporation. Linnea is a management professional with 20+ years of financial services experience in areas including eCommerce, technology, business development, marketing, information practices and risk management. She is a Certified Information Privacy Professional and led Deluxe’s compliance initiatives for Y2K, GLB, Check 21, and Red Flags Legislation.

Reposted with permission from Forward Banker

Manage the Risk; Not the Line ...

12-17-2013


Operational risk management and compliance management today require levels of management and board reporting. Traditional risk management annual reporting was constructed of key status of compliance programs, including approvals of policies and action plans.

Today, risk management and compliance teams need to provide more nimble and flexible responses to complaint management, compliance issues, and emerging risks. Staying on top of the issues requires a new approach to monitoring trends – and that starts with metrics.

There are leading and lagging metrics that are indicators of a potential risk or issue. As compliance expands to new strategic risks, operational risk, and consumer protection, there are new areas to monitor for triggering the need for action.

Data can be used to tell your story internally to justify business cases, or to quantify the implication of a risk. Data can also be used to balance the compliance perspective – monitoring credit/refund rates or complaint to order ratios can show the scale or importance of reported issues, based on the big picture.

Think about the story you need to tell when you create metrics:

Measure the data points that can help you quantify resource, costs, or time. Don’t get caught in the “track everything” trap.

  • Don’t track with free text fields in spreadsheets – it’s the death of your metrics. Standardize how you capture data; listed values in capturing data are your friends.
  • Be aware of how Red/Yellow/Green convey risk based on audience. Don’t derail your message by making everything “Red”, but have clear criteria to escalate risk issues.

As you build metrics into your risk management program, focus on simple messages. Define the “whats” – what you want to measure. Define the “so whats” – what the risks are and the implications to your business. Make sure your metrics then help you turn the “so whats” into actions.

Linnea Solem is the Vice-Chair of the Shared Assessments Program and is the Chief Privacy Officer and Director of Business Risk & Privacy Management for Deluxe Corporation. Linnea is a management professional with 20+ years of financial services experience in areas including eCommerce, technology, business development, marketing, information practices and risk management. She is a Certified Information Privacy Professional and led Deluxe’s compliance initiatives for Y2K, GLB, Check 21, and Red Flags Legislation.

Reposted with permission from Forward Banker

Federal Reserve Issues New Gui...

12-10-2013


On December 5th the Federal Reserve issued a new Guidance on Managing Outsourcing Risks. The Guidance identifies the six (6) primary types of risk and how they should be addressed.

Read the Guidance on Managing Outsourcing Risk

NIST Perspective on Supply Cha...

yadzinski 12-09-2013


On November 14th and 15th, the National Institute of Standards and Technology (NIST) hosted its 5th Cybersecurity Framework workshop to discuss the implementation and future governance of its Cybersecurity Framework. Bringing together critical infrastructure owners and operators and cybersecurity staff, the workshop and the Framework highlight the growing, urgent need for a voluntary framework for reducing cyber risks. To help foster international harmonization, the Framework is aligned with most of the major international standards such as ISO/IEC 27001.

The constant theme throughout this workshop was supply-chain security, noting “you are only as strong as the weakest link”.

Supply-chain security is becoming one of the hottest topics leading into 2014... finally.

The National Association of Federal Credit Unions (NAFCU) recently asked Congress to hold breached retailers, processors and other third parties accountable when their lax security practices result in the leakage of card data.

Their Five-Point Plan for Regulatory Relief includes details for addressing third party accountability such as:

  • Establish national standards for safekeeping of all financial information.
  • Establish enforcement standards for data security that prohibit merchants from retaining financial data, and require merchants to disclose their data security policies to customers.
  • Hold merchants accountable for the costs of a data breach, especially when it was due to their own negligence; shift the burden of proof in data breach cases to the party that incurred a breach; and require timely disclosures in the event of a breach.

Banking regulators, following suit with the healthcare regulators, contend that the burden to ensure third-party security falls on the banking institutions. This has to be the case if we are to ensure good oversight.

The security of our banking institutions depends on the ability to secure, administer, and navigate the company’s network of business relationships. If we can effectively protect and manage our supply chains, the ability to productively respond to stresses can yield important benefits, such as:

  • Decreased losses and lower associated business costs
  • Improved business continuity via a more robust, resilient, and responsive supply chain
  • Greater end-to-end transparency for improved process management and efficiency
  • Competitive advantages over industry rivals when supply chain risks arise
  • Brand Protection
  • Customer satisfaction

The NIST Cybersecurity Framework has at least started the conversation around the importance of the supply chain and the need for more oversight of third parties. However, we need more transparency and accountability for those that do not employ adequate security measures. Without accountability and enforcement, there is no motivation for third parties to take security seriously.

John DiMaria is a BSI Certification Portfolio Expert, Six Sigma Black Belt, certified Holistic Information Security Practitioner (HISP), and Master HISP with over 25 years of successful experience in Management System Development.

Notice: The views expressed in this blog are those of the author and should not be interpreted to have been endorsed or otherwise represent those of BSI Group, or any other of its employees, officers, directors or anyone otherwise affiliated with BSI Group.

Smart Devices and Risk in the ...

12-02-2013


Despite Blackberry’s somewhat disappointing news recently, that it would take a capital infusion rather than a buyout from Fairfax, both Blackberry and Microsoft’s Office product are well-known and recognized tools of the workplace. Blackberry maintains a good portion of its government and corporate business by using a “symmetric key encryption algorithm that is designed to protect data in transit between a Blackberry server and a Blackberry device.” Though there may have been hiccups on the rollout of a new version of Office 365 to small and mid-sized companies, Microsoft Office maintains its lock on enterprise email through clever bundling and upgrades of both the operating system and integrated applications that Office provides.

Though these aspects of the workplace may be locked down on corporate laptops, workstations and Blackberry devices, we’re in a different world than we were five years ago. Though many still work on desktop computers connected to file servers, many companies have moved to third party applications served up from someone else’s servers; or to third party cloud services, making the data accessible to all kinds of mobile devices. Desktop computers and laptops have USB ports that allow users to plug into the secure corporate network and download data. Then too, the distinction between personal data (and where it is stored) and corporate data (and where it resides across multiple devices) has become increasingly blurred.

It’s not just that we love our Apple iPhones and iPads or our Android devices: Gartner estimates that by 2017, at least half of workers will be asked to supply their own device to work. The “convenience” of smart devices has changed the risk exposure for companies. If we look through the operational risk lens, here’s what we see: people risk = downloading corporate data and storing it on unmanaged devices or in the cloud in places like QuickOffice, iCloud or DropBox; process risk = bad or broken procedures for sharing information outside the office, in the field; systems risk = data is not encrypted or secure; and external events = employees vulnerable to “click here” scams in their email, which allow hackers access to the secure network.

A recent Ponemon Institute study, 2013 Fourth Annual Cost of Cyber Crime Study: United States, found that over half of the 60 companies in the survey had experienced a breach within the last two years. While the average cost has varied over the past three studies Ponemon has done, “the average annualized cost of cybercrime for 60 organizations in our study is $11.6 million per year, with a range of $1.3 million to $58 million.” As a result, Ponemon predicts that sales of cyber insurance will double over the next several years.

If we move away from external threats to look at the risk that Bring Your Own Device (BYOD) can pose from inside the network, then companies need to develop strong policies as well as solid training that goes to the heart of the risk, understanding that “convenience” is everything for the overworked employee. Employees move data off the corporate network for a number of reasons. They may be trying to get around file size limits so that they can get more work done at a remote location. Or they may be moving corporate data to the convenience of a personal device like a tablet because it is easier to work on that way or because it is difficult to connect remotely when away from the office. Those are both reasons connected with productivity rather than with devious or malign intent. There is, however, the risk of the loss of intellectual property when a departing employee gathers up everything that has already been moved off the corporate network and takes it to the new employer.

We’ve all heard stories where a laptop, smart device or USB drive is lost or stolen, or where a device is compromised when used in a third place, like a coffee shop. Very few companies have deployed remote-wipe tooling that can erase corporate data from a lost or stolen device, particularly if the device is owned by the employee rather than the company.

Roughly half of employers legally monitor email and voice mail on the corporate network, and have policies that allow them to block sites that are offensive or pornographic or that inhibit productivity. Employers can also turn on security filtering and/or logging with parameters set to alert on the size of files being moved via email. On the New York Stock Exchange, for example, filters are used to detect illegal, unethical and offensive mail sent by brokers. Filtering is in place for both personal and business email, looking for such terms as “risk-free” or for sexist/racist language.
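The two filters the paragraph describes, an attachment-size alert and a prohibited-phrase filter, as an added example written for this page (not code from the author, the NYSE or any mail product). It runs over constructed mail-gateway log lines; the key=value log format, the `bank.example` domain, the 10 MiB threshold and the phrase list are all assumptions for illustration.

```python
"""Added example: an outbound-mail filter of the kind the post describes.

It runs over constructed mail-gateway log lines (sample data, not real mail),
alerting on attachments above a size threshold and on prohibited phrases such
as "risk-free" in the subject or body.  The log format, field names, domain
and thresholds are assumptions for illustration, not any vendor's configuration.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample log: one message per line as key=value pairs; quoted values may contain spaces.
LOG_LINES = [
    'ts=2013-11-04T09:12:01Z from=jsmith@bank.example to=client@example.org '
    'size=20480 attach=1 subject="Q3 statement" body="See attached."',
    'ts=2013-11-04T09:30:44Z from=abroker@bank.example to=prospect@example.org '
    'size=4096 attach=0 subject="Guaranteed returns" body="This fund is risk-free, trust me."',
    'ts=2013-11-04T18:02:10Z from=jsmith@bank.example to=jsmith@personalmail.example '
    'size=52428800 attach=1 subject="customer list" body="backup before I leave"',
    'ts=2013-11-04T18:05:33Z from=hr@bank.example to=all@bank.example '
    'size=1024 attach=0 subject="Holiday schedule" body="Office closed Thursday."',
]

INTERNAL_DOMAIN = "bank.example"        # assumed corporate mail domain
ATTACHMENT_LIMIT = 10 * 1024 * 1024     # assumed policy threshold: 10 MiB

# Phrases a compliance team might prohibit in broker mail.  The patterns accept the
# spelling variants ("risk free", "risk-free", "riskfree") that a plain substring
# match on "risk-free" would miss, and \b keeps "risk-freedom" from matching.
PROHIBITED = {
    "RISK_FREE_CLAIM": re.compile(r"\brisk[\s-]*free\b", re.IGNORECASE),
    "GUARANTEE_CLAIM": re.compile(r"\bguaranteed?\s+(?:return|profit)s?\b", re.IGNORECASE),
}

# key=value where value is either a double-quoted string (with \" escapes) or a bare token
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


@dataclass
class Alert:
    line: int
    rule: str
    sender: str
    detail: str


def parse_line(line: str) -> dict[str, str]:
    """Turn one log line into a field dict, stripping quotes from quoted values."""
    fields = {}
    for key, value in KV_RE.findall(line):
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = value[1:-1].replace('\\"', '"')
        fields[key] = value
    return fields


def is_external(address: str) -> bool:
    return not address.lower().endswith("@" + INTERNAL_DOMAIN)


def evaluate(fields: dict[str, str], line_no: int) -> list[Alert]:
    """Apply the size rule and the phrase rules to one parsed message."""
    alerts = []
    sender = fields.get("from", "?")
    recipient = fields.get("to", "")
    size = int(fields.get("size", "0"))
    if fields.get("attach") == "1" and size > ATTACHMENT_LIMIT:
        where = "external" if is_external(recipient) else "internal"
        alerts.append(Alert(line_no, "LARGE_ATTACHMENT", sender,
                            f"{size} bytes to {where} recipient {recipient}"))
    text = fields.get("subject", "") + " " + fields.get("body", "")
    for rule, pattern in PROHIBITED.items():
        match = pattern.search(text)
        if match:
            alerts.append(Alert(line_no, rule, sender,
                                f'matched "{match.group(0)}" in mail to {recipient}'))
    return alerts


def scan(lines: list[str]) -> list[Alert]:
    """Run every rule over every line; alerts carry the line number for triage."""
    return [alert for n, line in enumerate(lines, 1) for alert in evaluate(parse_line(line), n)]


if __name__ == "__main__":
    for a in scan(LOG_LINES):
        print(f"line {a.line}: {a.rule} from {a.sender}: {a.detail}")
```

On the sample, the broker’s “risk-free” mail and the 50 MiB “customer list” sent to a personal address are flagged; the ordinary statement and the HR notice are not. Two practical caveats: keyword filters are only as good as their variant handling (hence the regex rather than a literal string), and a size rule on its own is noisy, so the alert records whether the recipient is external, which is the signal that actually distinguishes the departing-employee case the post describes.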

Employees who use smart company devices may find themselves being monitored in other ways – turning on “location services” allows trucking companies to be able to find their drivers at any time; nurses and other medical professionals can be tracked by virtue of the badges they wear; and government employees may find that their cell phones are tracked so that employees can be found at any time.

If you’re a company trying to manage the risk of smart devices, then strong policies and training are advised, to show employees the risk and train them on how to keep their computer or device clean at work and at home. As a company, you may also be able to share threat information on computer scams with other organizations and then jointly address the challenge. Finally, spend the time to create proactive security policies and build a strong incident response team that can educate employees and clients of the organization.

Annie Searle is Principal of ASA Risk Consultants, an independent consulting and research firm that provides confidential assessments of existing corporate plans, identifies gaps and offers customized road maps to increase resiliency. Searle is an affiliate faculty member at the University of Washington’s School of Information, where she teaches courses on operational risk, ethics, policy and law. She is a lifetime member of The Institute of American Entrepreneurs. She was inducted into the Hall of Fame for the International Network of Women in Homeland Security and Emergency Management in 2011.

Hands-on Assessment...

11-18-2013


In my previous blog, The SIG – The Swiss Army Knife of Risk Assessment, I commented on the versatility of the SIG, the Shared Assessments Program’s Standardized Information Gathering questionnaire. This month I want to discuss its complementary, on-site assessment tool: the Agreed Upon Procedures (AUP). If the SIG is the “trust” component of the “trust but verify” model key to the Shared Assessments Program, the AUP is the “verify” component. Although it is written to the AICPA attestation standard, the AUP report does not include an assessor’s opinion of the adequacy of the internal controls assessed. Rather, it reports the presence or absence of control attributes contained in each procedure. This lack of an opinion is key to the efficacy of the AUP within a shared environment since it allows each user of the report to review the report within the context of its own risk appetite and the services/functions the entity being assessed provides to it. Also key to the efficacy of the AUP is its objectivity and its clarity. Different assessors properly conducting the procedures will report the same observations. The current version of the AUP contains 72 procedures within 12 ISO-based domains as well as privacy. The AUP domains match those in the SIG.

Each iteration of the AUP is drafted by a committee of Program member volunteers, who respond to user feedback as well as regulatory changes. Draft AUPs are reviewed by the Big 4 accounting firms to ensure they comply with the AICPA standard.

As with the SIG, users apply the AUP in a variety of ways. Some users use a menu approach, taking individual procedures that meet their needs. Others use it to augment their proprietary on-site audit package. And, similar to some SIG users, some service providers use it as a self-assessment tool to help them prepare for their clients’ on-site assessments.

Taken together, then, the SIG and the AUP offer a comprehensive approach to assessing the security and privacy postures of third-party service providers.

Santa Fe Group Consultant Bob Jones has led financial institution fraud risk management programs for more than 40 years. A well-known thought leader in the financial services industry and a sought-after expert in risk management strategy, Bob has devoted his career to innovative financial services fraud reduction and risk management. Today, Bob is a consultant, educator and expert witness, and serves as the principal of RW Jones Associates LLC.

An Important Week In Third Par...

11-14-2013


It’s been an exciting week in the 3rd party oversight arena, first with the OCC’s revised third party guidance released on October 30th and then, on November 7th, the formal release of the latest PCI DSS, version 3.0. As expected, both the OCC’s guidance and the latest PCI data security standard release will have a significant impact on third party security related governance, process, and evaluation, and that’s a very good thing. As we’ve said before, both updates are designed, at a high level, to move the industry toward a much more purposeful focus on third party risks, security related process (including governance) and assurance. Said another way, in terms of the Shared Assessments Vendor Risk Management Maturity Model, the OCC is pushing the industry to level 4 and 5 performance.

The OCC’s updated guidance contains newly enhanced prescriptive guidance on the roles and responsibilities of three bank cohort groups (the board of directors, bank senior management, and bank employees who directly manage third party relationships; see the Appendix). It’s worth focusing here on Board responsibilities for two reasons: first, the depth of the role as defined by the OCC for this activity is unusual, giving the board of directors in practice an ongoing management role at a level not previously seen, and second, because it would seem in today’s climate that boards would be unwise to “delegate” these responsibilities to senior management even in part, which might have been common at another time. The OCC is clearly trying to influence “tone at the top,” which is essential if the industry is to make step function strides in third party risk management.

Three board level responsibilities are particularly interesting, and let’s digest them one by one. First, the new guidance requires that boards review summaries of due diligence results and management’s recommendations to use third parties that involve critical bank activities. For third parties supporting those critical bank activities, boards will need to understand what management found when reviewing the third party’s hygiene in all relevant respects, as well as the economic and practical case for outsourcing those activities in the first place. That’s critical for the board to have the information required to approve these contracts, which is also a requirement. That process should lead to less rubber-stamping of management requests.

The new guidance also emphasizes the ongoing nature of third party due diligence, with the pace of periodic review intervals tied to the relative risk of the outsourced activity. Senior management is responsible for evaluating the results of those ongoing reviews with the board on an ongoing basis, thereby keeping the board focused on the relative risk associated with those critical activities and the company’s effectiveness in mitigating those risks.

And perhaps the most striking responsibility of them all is the expectation that boards will review the results of periodic and newly prescribed independent reviews of the bank’s third-party risk management process. The OCC now expects that banks will initiate regular independent reviews of their own third party risk management process, with board level review, and that is an enormously significant obligation. This new provision takes third party risk management full circle at the board level, anticipating external reviews of this critical risk mitigation activity, presumably even incorporating the board’s effectiveness in this revised role.

For years the industry has done a good job describing the characteristics of a properly functioning, mature corporate risk control environment (for example COSO Integrated Risk Management, COBIT, and others). With the latest OCC guidance, the industry should, at last, move at a much faster pace toward vendor risk management proficiency.

Appendix

OCC’s Third Party Relationship Roles and Responsibilities
OCC’s Third Party Relationships Guidance, October 30, 2013

Board of Directors

  1. Ensure an effective process is in place to manage risks related to third-party relationships in a manner consistent with the bank’s strategic goals, organizational objectives, and risk appetite.
  2. Approve the bank’s risk-based policies that govern the third-party risk management process and identify critical activities.
  3. Review and approve management plans for using third parties that involve critical activities.
  4. Review summary of due diligence results and management’s recommendations to use third parties that involve critical activities.
  5. Approve contracts with third parties that involve critical activities.
  6. Review the results of management’s ongoing monitoring of third-party relationships involving critical activities.
  7. Ensure management takes appropriate actions to remedy significant deterioration in performance or address changing risks or material issues identified through ongoing monitoring.
  8. Review results of periodic independent reviews of the bank’s third-party risk management process.

Senior Bank Management

  • Develop and implement the bank’s third-party risk management process.
  • Establish the bank’s risk-based policies to govern the third-party risk management process.
  • Develop plans for engaging third parties, identify those that involve critical activities, and present plans to the board when critical activities are involved.
  • Ensure appropriate due diligence is conducted on potential third parties and present results to the board when making recommendations to use third parties that involve critical activities.
  • Review and approve contracts with third parties. Board approval should be obtained for contracts that involve critical activities.
  • Ensure ongoing monitoring of third parties, respond to issues when identified, and escalate significant issues to the board.
  • Ensure appropriate documentation and reporting throughout the life cycle for all third-party relationships.
  • Ensure periodic independent reviews of third-party relationships that involve critical activities and of the bank’s third-party risk management process. Analyze the results, take appropriate actions, and report results to the board.
  • Hold accountable the bank employees within business lines or functions who manage direct relationships with third parties.
  • Terminate arrangements with third parties that do not meet expectations or no longer align with the bank’s strategic goals, objectives, or risk appetite.
  • Oversee enterprise-wide risk management and reporting of third-party relationships.

Bank Employees Who Directly Manage Third-Party Relationships

  • Conduct due diligence of third parties and report results to senior management.
  • Ensure that third parties comply with the bank’s policies and reporting requirements.
  • Perform ongoing monitoring of third parties and ensure compliance with contract terms and service-level agreements.
  • Ensure the bank or the third party addresses any issues identified.
  • Escalate significant issues to senior management.
  • Notify the third party of significant operational issues at the bank that may affect the third party.
  • Ensure that the bank has regularly tested controls in place to manage risks associated with third-party relationships.
  • Ensure that third parties regularly test and implement agreed-upon remediation when issues arise.
  • Maintain appropriate documentation throughout the life cycle.
  • Respond to material weaknesses identified by independent reviews.
  • Recommend termination of arrangements with third parties that do not meet expectations or no longer align with the bank’s strategic goals, objectives, or risk appetite.

For more than 35 years, Santa Fe Group Senior Consultant, Gary Roboff, contributed his outstanding talents to the financial services industry, and in particular to financial services payments systems. Gary has focused on such issues as privacy and information utilization, business frameworks, changes in the payments and settlement systems, and standards for emerging e-commerce applications. He has chaired the Electronic Funds Transfer Association (EFTA) Board of Directors and was a founder of the International Security Trust and Privacy Alliance (ISTPA), serving as Vice Chair of its Board. 

Shared Assessments Participate...

11-13-2013


Shared Assessments Program Director, Brad Keller, recently participated on an expert online panel discussion hosted by Prevalent Networks and Symantec. The panel of leading experts in 3rd party risk reviewed the best practices in 3rd party risk and cybersecurity, answered attendee questions, and reviewed tools and methods to help better understand and mitigate your risk.

The panelists included:


PCI Council Releases the PCI D...

11-07-2013


Today the PCI Security Standards Council (PCI SSC) published the PCI Data Security Standard 3.0 (PCI DSS v3.0). Third party risk is now a focus. Version 3.0 will become effective on January 1, 2014.

Per the PCI Press Release, Version 3.0 will help organizations make payment security part of their business-as-usual activities by introducing more flexibility, and an increased focus on education, awareness and security as a shared responsibility.

Overall updates include specific recommendations for making PCI DSS part of everyday business processes and best practices for maintaining ongoing PCI DSS compliance; guidance from the Navigating PCI DSS Guide built in to the standard; and enhanced testing procedures to clarify the level of validation expected for each requirement.



Insider Threats – A Need to ...

11-06-2013


Cybercriminals are targeting privileged network users in ways that are increasingly devastating to security efforts across the financial services industry. These types of insider threats have become more prevalent in the past two years due to the combination of:

  • Increased network activity volumes that make pinpointing anomalies more difficult;
  • The growing use of cloud computing, which increases the attack surface for insider attacks; and
  • The fact that more employees and vendors have access to sensitive networks. (Insider Threats Survey: The Ominous State of Insider Threats, September 2013, commissioned by the Enterprise Strategy Group; retrieved October 4, 2013.)

And, while the threat is escalating, there is an industry-wide lack of awareness regarding this issue. According to the September 2013 Enterprise Strategy Group (ESG) Insider Threats Survey of data security executives at Fortune 1000 firms, just 39% of the survey’s financial services respondents acknowledge their firms’ vulnerability to insider fraud or theft. And just 10% identified abuse of legitimate privileged user access credentials as a serious threat.

Two insidious ways that these threats, often described as advanced persistent threats (APTs), occur are:

    1. An employee or contractor who has legitimate access to high level data to do their job goes rogue. This is the Edward Snowden profile.
    2. A high level IT administrator, security staff member, or C-level executive with privileged information access has their credentials stolen through social engineering. This type of breach can be conducted through malware and may be exacerbated by the fact that the servers holding the data are often unprotected.

Both means allow individuals to work their way through the infrastructure and access valuable assets. These types of breaches have become harder to detect and are not being adequately addressed. ESG’s report shows that while 53% of the security community surveyed indicated they will increase efforts to fight insider fraud, much of their effort is still being placed on advanced malware perimeter security, an effort that fails outright at controlling fraud and theft carried out with legitimate credentials.

This report exposes an urgent need to rethink enterprise security in ways that protect against insider attacks across all levels of threat actors and attack vectors. Well designed security will apply the ‘least privilege’ principle through granular access controls that allow IT staff to access the metadata required to perform their functions effectively, without exposing the datasets themselves. For example, ESG recommends data firewalls and monitoring that:

      • Blind IT staff to the content of account files and transaction documents, such as account numbers, emails and financial statements, while leaving the metadata they need visible;
      • Protect HR document data, such as social security numbers and other personally identifiable information;
      • Examine a mix of internal and external users; and
      • Incorporate encryption for all sensitive data.
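What the metadata-versus-content split and the “legitimate credential” problem look like in code, as an added example written for this page (not ESG’s or the Shared Assessments Program’s code). It enforces field-level least privilege by role, writes every field decision to an audit trail, and then uses that trail to flag the two behaviours the post warns about: a privileged account probing content it is denied, and a business credential pulling far more sensitive data than its job needs. The roles, field names, limits and customer records are all constructed assumptions.

```python
"""Added example (not ESG's or the Shared Assessments Program's code): field-level
least privilege with an audit trail, plus a detector for misuse of a legitimate
credential.

IT staff get the operational metadata they need (owner, size, timestamps) and are
denied the content fields (account number, SSN, balance).  Every read is written to
an audit log, and the detector flags a user whose denied reads or sensitive reads
exceed a limit.  Roles, field names, limits and records are all assumptions.
"""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass

METADATA_FIELDS = {"record_id", "owner", "size_bytes", "updated"}
SENSITIVE_FIELDS = {"account_number", "ssn", "balance"}

# Role -> fields it may read.  it_admin can back up, move and index records but never
# sees their content; business roles see only the content their function needs.
ROLE_FIELDS = {
    "it_admin": METADATA_FIELDS,
    "account_ops": METADATA_FIELDS | {"account_number", "balance"},
    "hr": METADATA_FIELDS | {"ssn"},
}

# Constructed records (sample data, not real customers)
RECORDS = [
    {"record_id": f"r{i}", "owner": f"customer{i}", "size_bytes": 4096 * i,
     "updated": "2013-10-01", "account_number": f"00{i}1234", "ssn": f"000-00-000{i}",
     "balance": 100 * i}
    for i in range(1, 6)
]


@dataclass(frozen=True)
class AuditEvent:
    user: str
    role: str
    record_id: str
    field: str
    outcome: str  # "read", "sensitive_read" or "denied"


def read_fields(user: str, role: str, record: dict, fields: list[str],
                audit: list[AuditEvent]) -> dict:
    """Return only the requested fields the role may see; log every field decision."""
    allowed = ROLE_FIELDS.get(role, set())   # unknown role: nothing is allowed
    view = {}
    for f in fields:
        if f not in record:
            continue
        if f in allowed:
            view[f] = record[f]
            outcome = "sensitive_read" if f in SENSITIVE_FIELDS else "read"
        else:
            outcome = "denied"
        audit.append(AuditEvent(user, role, record["record_id"], f, outcome))
    return view


def suspicious_users(audit: list[AuditEvent], sensitive_limit: int = 3,
                     denied_limit: int = 2) -> dict[str, list[str]]:
    """Flag credentials whose behaviour, not malware, gives them away: a privileged
    account probing content it is denied, or a business account pulling far more
    sensitive fields than its job plausibly needs."""
    sensitive, denied = Counter(), Counter()
    for e in audit:
        if e.outcome == "sensitive_read":
            sensitive[e.user] += 1
        elif e.outcome == "denied":
            denied[e.user] += 1
    findings = {}
    for user in sorted(set(sensitive) | set(denied)):
        reasons = []
        if sensitive[user] > sensitive_limit:
            reasons.append(f"{sensitive[user]} sensitive reads (limit {sensitive_limit})")
        if denied[user] > denied_limit:
            reasons.append(f"{denied[user]} denied reads (limit {denied_limit})")
        if reasons:
            findings[user] = reasons
    return findings


def simulate() -> tuple[list[AuditEvent], dict[str, list[str]]]:
    """Three credentials: a DBA doing their job and then probing content, a normal
    ops user, and an ops credential that has been phished and is bulk-reading."""
    audit: list[AuditEvent] = []
    for r in RECORDS:                                   # routine admin work
        read_fields("dbadmin", "it_admin", r, ["record_id", "size_bytes", "updated"], audit)
    for r in RECORDS[:3]:                               # then tries to read content
        read_fields("dbadmin", "it_admin", r, ["account_number", "ssn"], audit)
    read_fields("ops1", "account_ops", RECORDS[0], ["owner", "account_number"], audit)
    for r in RECORDS:                                   # phished credential, bulk pull
        read_fields("ops2", "account_ops", r, ["account_number", "balance"], audit)
    return audit, suspicious_users(audit)


if __name__ == "__main__":
    _, findings = simulate()
    for user, reasons in findings.items():
        print(user, "->", "; ".join(reasons))
```

Running it flags `dbadmin` (six denied content reads) and `ops2` (ten sensitive reads) while `ops1`, who read one account number to do their job, is not flagged. Note what this does and does not do: the policy is enforced in the application layer, so an administrator with direct access to the database or its backups can bypass it. That is exactly why the list above pairs granular access control with encryption of the sensitive fields, with keys held outside the administrator’s reach, and why the audit events should be shipped to a system the same administrator cannot edit.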

The ESG survey provides a financial sector wake-up call: we are falling behind in balancing IT initiatives with the risk management needed to prevent insider credential harvesting and to distinguish suspicious network behaviors from legitimate ones. The time to act is now.

Santa Fe Group Consultant and Shared Assessments Program Director, Brad Keller, has more than 25 years of experience developing and leading risk management and third-party risk assessment programs. Brad is responsible for the development of the Shared Assessments Program’s Tools and key partnerships. Follow Brad on Twitter at @SFGBrad

 

OCC Releases Guidance on Third...

10-31-2013


Yesterday the OCC released its long awaited Guidance on Third-Party Relationships (OCC 2013-29). Notably, this Guidance, posted below, rescinds OCC Bulletin 2001-47, “Third-Party Relationships: Risk Management Principles,” and OCC Advisory Letter 2000-9, “Third-Party Risk.”

The Guidance introduces the OCC’s interpretation of an acceptable “Risk Management Life Cycle” for third-party relationships that reinforces the responsibility of senior management in all phases of the process. Additional details on how the Shared Assessments Program addresses the elements of the Guidance will be discussed in upcoming blogs and articles.

_________________

OCC 2013-29

Subject: Third-Party Relationships
Date: October 30, 2013

To: Chief Executive Officers and Chief Risk Officers of All National Banks and Federal Savings Associations, Technology Service Providers, Department and Division Heads, All Examining Personnel, and Other Interested Parties

 

Description: Risk Management Guidance

Summary

This bulletin provides guidance to national banks and federal savings associations (collectively, banks) for assessing and managing risks associated with third-party relationships. A third-party relationship is any business arrangement between a bank and another entity, by contract or otherwise.1

The Office of the Comptroller of the Currency (OCC) expects a bank to practice effective risk management regardless of whether the bank performs the activity internally or through a third party. A bank’s use of third parties does not diminish the responsibility of its board of directors and senior management to ensure that the activity is performed in a safe and sound manner and in compliance with applicable laws.2

This bulletin rescinds OCC Bulletin 2001-47, “Third-Party Relationships: Risk Management Principles,” and OCC Advisory Letter 2000-9, “Third-Party Risk.” This bulletin supplements and should be used in conjunction with other OCC and interagency issuances on third-party relationships and risk management listed in appendix B. In connection with the issuance of this bulletin, the OCC is applying to federal savings associations (FSA) certain guidance applicable to national banks, as indicated in appendix B.

Highlights

  • A bank should adopt risk management processes commensurate with the level of risk and complexity of its third-party relationships.
  • A bank should ensure comprehensive risk management and oversight of third-party relationships involving critical activities.
  • An effective risk management process throughout the life cycle of the relationship includes
    • plans that outline the bank’s strategy, identify the inherent risks of the activity, and detail how the bank selects, assesses, and oversees the third party.
    • proper due diligence in selecting a third party.
    • written contracts that outline the rights and responsibilities of all parties.
    • ongoing monitoring of the third party’s activities and performance.
    • contingency plans for terminating the relationship in an effective manner.
    • clear roles and responsibilities for overseeing and managing the relationship and risk management process.
    • Documentation and reporting that facilitates oversight, accountability, monitoring, and risk management.
    • Independent reviews that allow bank management to determine that the bank’s process aligns with its strategy and effectively manages risks.

Note for Community Banks

This guidance applies to all banks with third-party relationships. A community bank should adopt risk management practices commensurate with the level of risk and complexity of its third-party relationships. A community bank’s board and management should identify those third-party relationships that involve critical activities and ensure the bank has risk management practices in place to assess, monitor, and manage the risks.

Background

Banks continue to increase the number and complexity of relationships with both foreign and domestic third parties, such as

  • outsourcing entire bank functions to third parties, such as tax, legal, audit, or information technology operations.
  • outsourcing lines of business or products.
  • relying on a single third party to perform multiple activities, often to such an extent that the third party becomes an integral component of the bank’s operations.
  • working with third parties that engage directly with customers.3
  • contracting with third parties that subcontract activities to other foreign and domestic providers.
  • contracting with third parties whose employees, facilities, and subcontractors may be geographically concentrated.
  • working with a third party to address deficiencies in bank operations or compliance with laws or regulations.

The OCC is concerned that the quality of risk management over third-party relationships may not be keeping pace with the level of risk and complexity of these relationships. The OCC has identified instances in which bank management has

  • failed to properly assess and understand the risks and direct and indirect costs involved in third-party relationships.
  • failed to perform adequate due diligence and ongoing monitoring of third-party relationships.
  • entered into contracts without assessing the adequacy of a third party’s risk management practices.
  • entered into contracts that incentivize a third party to take risks that are detrimental to the bank or its customers, in order to maximize the third party’s revenues.
  • engaged in informal third-party relationships without contracts in place.

These examples represent trends whose associated risks reinforce the need for banks to maintain effective risk management practices over third-party relationships.

Risk Management Life Cycle

The OCC expects a bank to have risk management processes that are commensurate with the level of risk and complexity of its third-party relationships and the bank’s organizational structures. Therefore, the OCC expects more comprehensive and rigorous oversight and management of third-party relationships that involve critical activities—significant bank functions (e.g., payments, clearing, settlements, custody) or significant shared services (e.g., information technology), or other activities that

  • could cause a bank to face significant risk4 if the third party fails to meet expectations.
  • could have significant customer impacts.
  • require significant investment in resources to implement the third-party relationship and manage the risk.
  • could have a major impact on bank operations if the bank has to find an alternate third party or if the outsourced activity has to be brought in-house.

An effective third-party risk management process follows a continuous life cycle for all relationships and incorporates the following phases:

Planning: Developing a plan to manage the relationship is often the first step in the third-party risk management process. This step is helpful for many situations but is necessary when a bank is considering contracts with third parties that involve critical activities.

Due diligence and third-party selection: Conducting a review of a potential third party before signing a contract5 helps ensure that the bank selects an appropriate third party and understands and controls the risks posed by the relationship, consistent with the bank’s risk appetite.

Contract negotiation: Developing a contract that clearly defines expectations and responsibilities of the third party helps to ensure the contract’s enforceability, limit the bank’s liability, and mitigate disputes about performance.

Ongoing monitoring: Performing ongoing monitoring of the third-party relationship once the contract is in place is essential to the bank’s ability to manage risk of the third-party relationship.

Termination: Developing a contingency plan to ensure that the bank can transition the activities to another third party, bring the activities in-house, or discontinue the activities when a contract expires, the terms of the contract have been satisfied, in response to contract default, or in response to changes to the bank’s or third party’s business strategy.

In addition, a bank should perform the following throughout the life cycle of the relationship as part of its risk management process:

Oversight and accountability: Assigning clear roles and responsibilities for managing third-party relationships and integrating the bank’s third-party risk management process with its enterprise risk management framework enables continuous oversight and accountability.

Documentation and reporting: Proper documentation and reporting facilitates oversight, accountability, monitoring, and risk management associated with third-party relationships.

Independent reviews: Conducting periodic independent reviews of the risk management process enables management to assess whether the process aligns with the bank’s strategy and effectively manages risk posed by third-party relationships.

Figure 1: Risk Management Life Cycle

Planning

Before entering into a third-party relationship, senior management should develop a plan to manage the relationship. The management plan should be commensurate with the level of risk and complexity of the third-party relationship and should

  • discuss the risks inherent in the activity.
  • outline the strategic purposes (e.g., reduce costs, leverage specialized expertise or technology, augment resources, expand or enhance operations), legal and compliance aspects, and inherent risks associated with using third parties, and discuss how the arrangement aligns with the bank’s overall strategic goals, objectives, and risk appetite.
  • assess the complexity of the arrangement, such as the volume of activity, potential for subcontractors, the technology needed, and the likely degree of foreign-based third-party support.
  • determine whether the potential financial benefits outweigh the estimated costs to control the risks (including estimated direct contractual costs and indirect costs to augment or alter bank processes, systems, or staffing to properly manage the third-party relationship or adjust or terminate existing contracts).
  • consider how the third-party relationship could affect other strategic bank initiatives, such as large technology projects, organizational changes, mergers, acquisitions, or divestitures.
  • consider how the third-party relationship could affect bank and dual employees6 and what transition steps are needed to manage the impacts when the activities currently conducted internally are outsourced.
  • assess the nature of customer interaction with the third party and potential impact the relationship will have on the bank’s customers—including access to or use of those customers’ confidential information, joint marketing or franchising arrangements, and handling of customer complaints—and outline plans to manage these impacts.
  • assess potential information security implications including access to the bank’s systems and to its confidential information.
  • consider the bank’s contingency plans in the event the bank needs to transition the activity to another third party or bring it in-house.
  • assess the extent to which the activities are subject to specific laws and regulations (e.g., privacy, information security, Bank Secrecy Act/Anti-Money Laundering (BSA/AML), fiduciary requirements).
  • consider whether the selection of the third party is consistent with the bank’s broader corporate policies and practices including its diversity policies and practices.
  • detail how the bank will select, assess, and oversee the third party, including monitoring the third party’s compliance with the contract.
  • be presented to and approved by the bank’s board of directors when critical activities are involved.

Due Diligence and Third-Party Selection

A bank should conduct due diligence on all potential third parties before selecting and entering into contracts or relationships. A bank should not rely solely on experience with or prior knowledge of the third party as a proxy for an objective, in-depth assessment of the third party’s ability to perform the activity in compliance with all applicable laws and regulations and in a safe and sound manner.

The degree of due diligence should be commensurate with the level of risk and complexity of the third-party relationship. More extensive due diligence is necessary when a third-party relationship involves critical activities. On-site visits may be useful to understand fully the third party’s operations and capacity. If the bank uncovers information that warrants additional scrutiny, it should broaden the scope or assessment methods of the due diligence as needed.

The bank should consider the following during due diligence:

Strategies and Goals

Review the third party’s overall business strategy and goals to ensure they do not conflict with those of the bank. Consider how the third party’s current and proposed strategic business arrangements (such as mergers, acquisitions, divestitures, joint ventures, or joint marketing initiatives) may affect the activity. Also consider reviewing the third party’s service philosophies, quality initiatives, efficiency improvements, and employment policies and practices.

Legal and Regulatory Compliance

Evaluate the third party’s legal and regulatory compliance program to determine whether the third party has the necessary licenses to operate and the expertise, processes, and controls to enable the bank to remain compliant with domestic and international laws and regulations. Check compliance status with regulators and self-regulatory organizations as appropriate.

Financial Condition

Assess the third party’s financial condition, including reviews of the third party’s audited financial statements. Evaluate growth, earnings, pending litigation, unfunded liabilities, and other factors that may affect the third party’s overall financial stability. Depending on the significance of the third-party relationship, the bank’s analysis may be as comprehensive as if extending credit to the third party.

Business Experience and Reputation

Evaluate the third party’s depth of resources and previous experience providing the specific activity. Assess the third party’s reputation, including history of customer complaints or litigation. Determine how long the third party has been in business, its market share for the activities, and whether there have been significant changes in the activities offered or in its business model. Conduct reference checks with external organizations and agencies such as the industry associations, Better Business Bureau, Federal Trade Commission, state attorneys general offices, state consumer affairs offices, and similar foreign authorities. Check U.S. Securities and Exchange Commission or other regulatory filings. Review the third party’s Web sites and other marketing materials to ensure that statements and assertions are in-line with the bank’s expectations and do not overstate or misrepresent activities and capabilities. Determine whether and how the third party plans to use the bank’s name and reputation in marketing efforts.

Fee Structure and Incentives

Evaluate the third party’s normal fee structure and incentives for similar business arrangements to determine if the fee structure and incentives would create burdensome upfront fees or result in inappropriate risk taking by the third party or the bank.

Qualifications, Backgrounds, and Reputations of Company Principals

Ensure the third party periodically conducts thorough background checks on its senior management and employees as well as on subcontractors who may have access to critical systems or confidential information. Ensure that third parties have policies and procedures in place for removing employees who do not meet minimum background check requirements.

Risk Management

Evaluate the effectiveness of the third party’s risk management program, including policies, processes, and internal controls. Where applicable, determine whether the third party’s internal audit function independently and effectively tests and reports on the third party’s internal controls. Evaluate processes for escalating, remediating, and holding management accountable for concerns identified during audits or other independent tests. If available, review Service Organization Control (SOC) reports, prepared in accordance with the American Institute of Certified Public Accountants Statement on Standards for Attestation Engagements No. 16 (SSAE 16). Consider whether these reports contain sufficient information to assess the third party’s risk or whether additional scrutiny is required through an audit by the bank or other third party at the bank’s request. Consider any certification by independent third parties for compliance with domestic or international internal control standards (e.g., the National Institute of Standards and Technology and the International Standards Organization).

Information Security

Assess the third party’s information security program. Determine whether the third party has sufficient experience in identifying, assessing, and mitigating known and emerging threats and vulnerabilities. When technology is necessary to support service delivery, assess the third party’s infrastructure and application security programs, including the software development life cycle and results of vulnerability and penetration tests. Evaluate the third party’s ability to implement effective and sustainable corrective actions to address deficiencies discovered during testing.

Management of Information Systems

Gain a clear understanding of the third party’s business processes and technology that will be used to support the activity. When technology is a major component of the third-party relationship, review both the bank’s and the third party’s information systems to identify gaps in service-level expectations, technology, business process and management, or interoperability issues. Review the third party’s processes for maintaining accurate inventories of its technology and its subcontractors. Assess the third party’s change management processes to ensure that clear roles, responsibilities, and segregation of duties are in place. Understand the third party’s performance metrics for its information systems and ensure they meet the bank’s expectations.

Resilience

Assess the third party’s ability to respond to service disruptions or degradations resulting from natural disasters, human error, or intentional physical or cyber attacks. Determine whether the third party maintains disaster recovery and business continuity plans that specify the time frame to resume activities and recover data. Review the third party’s telecommunications redundancy and resilience plans and preparations for known and emerging threats and vulnerabilities, such as wide-scale natural disasters, distributed denial of service attacks, or other intentional or unintentional events. Review the results of business continuity testing and performance during actual disruptions.

Incident-Reporting and Management Programs

Review the third party’s incident reporting and management programs to ensure there are clearly documented processes and accountability for identifying, reporting, investigating, and escalating incidents. Ensure that the third party’s escalation and notification processes meet the bank’s expectations and regulatory requirements.

Physical Security

Evaluate whether the third party has sufficient physical and environmental controls to ensure the safety and security of its facilities, technology systems, and employees.

Human Resource Management

Review the third party’s program to train and hold employees accountable for compliance with policies and procedures. Review the third party’s succession and redundancy planning for key management and support personnel. Review training programs to ensure that the third party’s staff is knowledgeable about changes in laws, regulations, technology, risk, and other factors that may affect the quality of the activities provided.

Reliance on Subcontractors

Evaluate the volume and types of subcontracted activities and the subcontractors’ geographic locations. Evaluate the third party’s ability to assess, monitor, and mitigate risks from its use of subcontractors and to ensure that the same level of quality and controls exists no matter where the subcontractors’ operations reside. Evaluate whether additional concentration-related risks may arise from the third party’s reliance on subcontractors and, if necessary, conduct similar due diligence on the third party’s critical subcontractors.

Insurance Coverage

Verify that the third party has fidelity bond coverage to insure against losses attributable to dishonest acts, liability coverage for losses attributable to negligent acts, and hazard insurance covering fire, loss of data, and protection of documents. Determine whether the third party has insurance coverage for its intellectual property rights, as such coverage may not be available under a general commercial policy. The amounts of such coverage should be commensurate with the level of risk involved with the third party’s operations and the type of activities to be provided.

Conflicting Contractual Arrangements With Other Parties

Obtain information regarding legally binding arrangements with subcontractors or other parties in cases where the third party has indemnified itself, as such arrangements may transfer risks to the bank. Evaluate the potential legal and financial implications to the bank of these contracts between the third party and its subcontractors or other parties.

Senior management should review the results of the due diligence to determine whether the third party is able to meet the bank’s expectations and whether the bank should proceed with the third-party relationship. If the results do not meet expectations, management should recommend that the third party make appropriate changes, find an alternate third party, conduct the activity in-house, or discontinue the activity. As part of any recommended changes, the bank may need to supplement the third party’s resources or increase or implement new controls to manage the risks. Management should present results of due diligence to the board when making recommendations for third-party relationships that involve critical activities.

Contract Negotiation

Once the bank selects a third party, management should negotiate a contract that clearly specifies the rights and responsibilities of each party to the contract. Additionally, senior management should obtain board approval of the contract before its execution when a third-party relationship will involve critical activities. A bank should review existing contracts periodically, particularly those involving critical activities, to ensure they continue to address pertinent risk controls and legal protections. Where problems are identified, the bank should seek to renegotiate at the earliest opportunity.

Contracts should generally address the following:

Nature and Scope of Arrangement

Ensure that the contract specifies the nature and scope of the arrangement. For example, a third-party contract should specifically identify the frequency, content, and format of the service, product, or function provided. Include in the contract, as applicable, such ancillary services as software or other technology support and maintenance, employee training, and customer service. Specify which activities the third party is to conduct, whether on or off the bank’s premises, and describe the terms governing the use of the bank’s information, facilities, personnel, systems, and equipment, as well as access to and use of the bank’s or customers’ information. When dual employees will be used, clearly articulate their responsibilities and reporting lines.

Performance Measures or Benchmarks

Specify performance measures that define the expectations and responsibilities for both parties including conformance with regulatory standards or rules. Such measures can be used to motivate the third party’s performance, penalize poor performance, or reward outstanding performance. Performance measures should not incentivize undesirable performance, such as encouraging processing volume or speed without regard for accuracy, compliance requirements, or adverse effects on customers. Industry standards for service-level agreements may provide a reference point for standardized services, such as payroll processing. For more customized activities, there may be no standard measures. Instead, the bank and third party should agree on appropriate measures.

Responsibilities for Providing, Receiving, and Retaining Information

Ensure that the contract requires the third party to provide and retain timely, accurate, and comprehensive information such as records and reports that allow bank management to monitor performance, service levels, and risks. Stipulate the frequency and type of reports required, for example: performance reports, control audits, financial statements, security reports, BSA/AML and Office of Foreign Asset Control (OFAC) compliance responsibilities and reports for monitoring potential suspicious activity, reports for monitoring customer complaint activity, and business resumption testing reports.

Ensure that the contract sufficiently addresses

  • the responsibilities and methods to address failures to adhere to the agreement including the ability of both parties to the agreement to exit the relationship.
  • the prompt notification of financial difficulty, catastrophic events, and significant incidents such as information breaches, data loss, service or system interruptions, compliance lapses, enforcement actions, or other regulatory actions.
  • the bank’s materiality thresholds and procedures for notifying the bank in writing whenever service disruptions, security breaches, or other events pose a significant risk to the bank.
  • notification to the bank before making significant changes to the contracted activities, including acquisition, subcontracting, off-shoring, management or key personnel changes, or implementing new or revised policies, processes, and information technology.
  • notification to the bank of significant strategic business changes, such as mergers, acquisitions, joint ventures, divestitures, or other business activities that could affect the activities involved.
  • the ability of the third party to resell, assign, or permit access to the bank’s data and systems to other entities.
  • the bank’s obligations to notify the third party if the bank implements strategic or operational changes or experiences significant incidents that may affect the third party.

The Right to Audit and Require Remediation

Ensure that the contract establishes the bank’s right to audit, monitor performance, and require remediation when issues are identified. Generally, a third-party contract should include provisions for periodic independent internal or external audits of the third party, and relevant subcontractors, at intervals and scopes consistent with the bank’s in-house functions to monitor performance with the contract. A bank should include in the contract the types and frequency of audit reports the bank is entitled to receive from the third party (e.g., financial, SSAE 16, SOC 1, SOC 2, and SOC 3 reports, and security reviews). Consider whether to accept audits conducted by the third party’s internal or external auditors. Reserve the bank’s right to conduct its own audits of the third party’s activities or to engage an independent party to perform such audits. Audit reports should include a review of the third party’s risk management and internal control environment as it relates to the activities involved and of the third party’s information security program and disaster recovery and business continuity plans.

Responsibility for Compliance With Applicable Laws and Regulations

Ensure the contract addresses compliance with the specific laws, regulations, guidance, and self-regulatory standards applicable to the activities involved, including provisions that outline compliance with certain provisions of the Gramm-Leach-Bliley Act (GLBA) (including privacy and safeguarding of customer information); BSA/AML; OFAC; and Fair Lending and other consumer protection laws and regulations. Ensure that the contract requires the third party to maintain policies and procedures which address the bank’s right to conduct periodic reviews so as to verify the third party’s compliance with the bank’s policies and expectations. Ensure that the contract states the bank has the right to monitor on an ongoing basis the third party’s compliance with applicable laws, regulations, and policies and requires remediation if issues arise.

Cost and Compensation

Fully describe compensation, fees, and calculations for base services, as well as any fees based on volume of activity and for special requests. Ensure the contracts do not include burdensome upfront fees or incentives that could result in inappropriate risk taking by the bank or third party. Indicate which party is responsible for payment of legal, audit, and examination fees associated with the activities involved. Consider outlining cost and responsibility for purchasing and maintaining hardware and software. Specify the conditions under which the cost structure may be changed, including limits on any cost increases.

Ownership and License

State whether and how the third party has the right to use the bank’s information, technology, and intellectual property, such as the bank’s name, logo, trademark, and copyrighted material. Indicate whether any records generated by the third party become the bank’s property. Include appropriate warranties on the part of the third party related to its acquisition of licenses for use of any intellectual property developed by other third parties. If the bank purchases software, establish escrow agreements to provide for the bank’s access to source code and programs under certain conditions (e.g., insolvency of the third party).

Confidentiality and Integrity

Prohibit the third party and its subcontractors from using or disclosing the bank’s information, except as necessary to provide the contracted activities or comply with legal requirements. If the third party receives bank customers’ personally identifiable information, the contract should ensure that the third party implements and maintains appropriate security measures to comply with privacy regulations and regulatory guidelines. Specify when and how the third party will disclose, in a timely manner, information security breaches that have resulted in unauthorized intrusions or access that may materially affect the bank or its customers. Stipulate that intrusion notifications include estimates of the effects on the bank and specify corrective action to be taken by the third party. Address the powers of each party to change security and risk management procedures and requirements, and resolve any confidentiality and integrity issues arising out of shared use of facilities owned by the third party. Stipulate whether and how often the bank and the third party will jointly practice incident management plans involving unauthorized intrusions or other breaches in confidentiality and integrity.

Business Resumption and Contingency Plans

Ensure the contract provides for continuation of the business function in the event of problems affecting the third party’s operations, including degradations or interruptions resulting from natural disasters, human error, or intentional attacks. Stipulate the third party’s responsibility for backing up and otherwise protecting programs, data, and equipment, and for maintaining current and sound business resumption and contingency plans. Include provisions—in the event of the third party’s bankruptcy, business failure, or business interruption—for transferring the bank’s accounts or activities to another third party without penalty.

Ensure that the contract requires the third party to provide the bank with operating procedures to be carried out in the event business resumption and disaster recovery plans are implemented. Include specific time frames for business resumption and recovery that meet the bank’s requirements, and when appropriate, regulatory requirements. Stipulate whether and how often the bank and the third party will jointly practice business resumption and disaster recovery plans.

Indemnification

Consider including indemnification clauses that specify the extent to which the bank will be held liable for claims that cite failure of the third party to perform, including failure of the third party to obtain any necessary intellectual property licenses. Carefully assess indemnification clauses that require the bank to hold the third party harmless from liability.

Insurance

Stipulate that the third party is required to maintain adequate insurance, notify the bank of material changes to coverage, and provide evidence of coverage where appropriate. Types of insurance coverage may include fidelity bond coverage, liability coverage, hazard insurance, and intellectual property insurance.

Dispute Resolution

Consider whether the contract should establish a dispute resolution process (arbitration, mediation, or other means) to resolve problems between the bank and the third party in an expeditious manner, and whether the third party should continue to provide activities to the bank during the dispute resolution period.

Limits on Liability

Determine whether the contract limits the third party’s liability and whether the proposed limit is in proportion to the amount of loss the bank might experience because of the third party’s failure to perform or to comply with applicable laws. Consider whether a contract would subject the bank to undue risk of litigation, particularly if the third party violates or is accused of violating intellectual property rights.

Default and Termination

Ensure that the contract stipulates what constitutes default, identifies remedies and allows opportunities to cure defaults, and stipulates the circumstances and responsibilities for termination. Determine whether it includes a provision that enables the bank to terminate the contract, upon reasonable notice and without penalty, in the event that the OCC formally directs the bank to terminate the relationship. Ensure the contract permits the bank to terminate the relationship in a timely manner without prohibitive expense. Include termination and notification requirements with time frames to allow for the orderly conversion to another third party. Provide for the timely return or destruction of the bank’s data and other resources and ensure the contract provides for ongoing monitoring of the third party after the contract terms are satisfied as necessary. Clearly assign all costs and obligations associated with transition and termination.

Customer Complaints

Specify whether the bank or third party is responsible for responding to customer complaints. If it is the third party’s responsibility, specify provisions that ensure that the third party receives and responds timely to customer complaints and forwards a copy of each complaint and response to the bank. The third party should submit sufficient, timely, and usable information to enable the bank to analyze customer complaint activity and trends for risk management purposes.

Subcontracting

Stipulate when and how the third party should notify the bank of its intent to use a subcontractor. Specify the activities that cannot be subcontracted or whether the bank prohibits the third party from subcontracting activities to certain locations or specific subcontractors. Detail the contractual obligations—such as reporting on the subcontractor’s conformance with performance measures, periodic audit results, compliance with laws and regulations, and other contractual obligations. State the third party’s liability for activities or actions by its subcontractors and which party is responsible for the costs and resources required for any additional monitoring and management of the subcontractors. Reserve the right to terminate the contract without penalty if the third party’s subcontracting arrangements do not comply with the terms of the contract.

Foreign-Based Third Parties

Include in contracts with foreign-based third parties choice-of-law covenants and jurisdictional covenants that provide for adjudication of all disputes between the parties under the laws of a single, specific jurisdiction. Understand that such contracts and covenants may be subject, however, to the interpretation of foreign courts relying on local laws. Foreign courts and laws may differ substantially from U.S. courts and laws in the application and enforcement of choice-of-law covenants, requirements on banks, protection of privacy of customer information, and the types of information that the third party or foreign governmental entities will provide upon request. Therefore, seek legal advice to ensure the enforceability of all aspects of a proposed contract with a foreign-based third party and other legal ramifications of each such arrangement. 

OCC Supervision

In contracts with service providers, stipulate that the performance of activities by external parties for the bank is subject to OCC examination oversight, including access to all work papers, drafts, and other materials. The OCC treats as subject to 12 USC 1867(c) and 12 USC 1464(d)(7), situations in which a bank arranges, by contract or otherwise, for the performance of any applicable functions of its operations. Therefore, the OCC generally has the authority to examine and to regulate the functions or operations performed or provided by third parties to the same extent as if they were performed by the bank itself on its own premises. [8]

Ongoing Monitoring

Ongoing monitoring for the duration of the third-party relationship is an essential component of the bank’s risk management process. More comprehensive monitoring is necessary when the third-party relationship involves critical activities. Senior management should periodically assess existing third-party relationships to determine whether the nature of the activity performed now constitutes a critical activity.

After entering into a contract with a third party, bank management should dedicate sufficient staff with the necessary expertise, authority, and accountability to oversee and monitor the third party commensurate with the level of risk and complexity of the relationship. Regular on-site visits may be useful to understand fully the third party’s operations and ongoing ability to meet contract requirements. Management should ensure that bank employees who directly manage third-party relationships monitor the third party’s activities and performance. A bank should pay particular attention to the quality and sustainability of the third party’s controls, its ability to meet service-level agreements, performance metrics, and other contractual terms, and its compliance with legal and regulatory requirements.

The OCC expects the bank’s ongoing monitoring of third-party relationships to cover the due diligence activities discussed earlier. Because both the level and types of risks may change over the lifetime of third-party relationships, a bank should ensure that its ongoing monitoring adapts accordingly. This monitoring may result in changes to the frequency and types of required reports from the third party, including service-level agreement performance reports, audit reports, and control testing results. In addition to ongoing review of third-party reports, some key areas of consideration for ongoing monitoring may include assessing changes to the third party’s

  • business strategy (including acquisitions, divestitures, joint ventures) and reputation (including litigation) that may pose conflicting interests and impact its ability to meet contractual obligations and service-level agreements.
  • compliance with legal and regulatory requirements.
  • financial condition.
  • insurance coverage.
  • key personnel and ability to retain essential knowledge in support of the activities.
  • ability to effectively manage risk by identifying and addressing issues before they are cited in audit reports.
  • process for adjusting policies, procedures, and controls in response to changing threats and new vulnerabilities and material breaches or other serious incidents.
  • information technology used or the management of information systems.
  • ability to respond to and recover from service disruptions or degradations and meet business resilience expectations.
  • reliance on, exposure to, or performance of subcontractors; location of subcontractors; and the ongoing monitoring and control testing of subcontractors.
  • agreements with other entities that may pose a conflict of interest or introduce reputation, operational, or other risks to the bank.
  • ability to maintain the confidentiality and integrity of the bank’s information and systems.
  • volume, nature, and trends of consumer complaints, in particular those that indicate compliance or risk management problems.
  • ability to appropriately remediate customer complaints.

Bank employees who directly manage third-party relationships should escalate to senior management significant issues or concerns arising from ongoing monitoring, such as an increase in risk, material weaknesses and repeat audit findings, deterioration in financial condition, security breaches, data loss, service or system interruptions, or compliance lapses. Additionally, management should ensure that the bank’s controls to manage risks from third-party relationships are tested regularly, particularly where critical activities are involved. Based on the results of the ongoing monitoring and internal control testing, management should respond to issues when identified including escalating significant issues to the board.

Termination

A bank may terminate third-party relationships for various reasons, including

  • expiration or satisfaction of the contract.
  • desire to seek an alternate third party.
  • desire to bring the activity in-house or discontinue the activity.
  • breach of contract.

Management should ensure that relationships terminate in an efficient manner, whether the activities are transitioned to another third party or in-house, or discontinued. In the event of contract default or termination, the bank should have a plan to bring the service in-house if there are no alternate third parties. This plan should cover

  • capabilities, resources, and the time frame required to transition the activity while still managing legal, regulatory, customer, and other impacts that might arise.
  • risks associated with data retention and destruction, information system connections and access control issues, or other control concerns that require additional risk management and monitoring during and after the end of the third-party relationship.
  • handling of joint intellectual property developed during the course of the arrangement.
  • reputation risks to the bank if the termination happens as a result of the third party’s inability to meet expectations.

The extent and flexibility of termination rights may vary with the type of activity.

Oversight and Accountability

The bank’s board of directors (or a board committee) and senior management are responsible for overseeing the bank’s overall risk management processes. The board, senior management, and employees within the lines of businesses who manage the third-party relationships have distinct but interrelated responsibilities to ensure that the relationships and activities are managed effectively and commensurate with their level of risk and complexity, particularly for relationships that involve critical activities: [9]

Board of Directors

  • Ensure an effective process is in place to manage risks related to third-party relationships in a manner consistent with the bank’s strategic goals, organizational objectives, and risk appetite.
  • Approve the bank’s risk-based policies that govern the third-party risk management process and identify critical activities.
  • Review and approve management plans for using third parties that involve critical activities.
  • Review summary of due diligence results and management’s recommendations to use third parties that involve critical activities.
  • Approve contracts with third parties that involve critical activities.
  • Review the results of management’s ongoing monitoring of third-party relationships involving critical activities.
  • Ensure management takes appropriate actions to remedy significant deterioration in performance or address changing risks or material issues identified through ongoing monitoring.
  • Review results of periodic independent reviews of the bank’s third-party risk management process.

Senior Bank Management

  • Develop and implement the bank’s third-party risk management process.
  • Establish the bank’s risk-based policies to govern the third-party risk management process.
  • Develop plans for engaging third parties, identify those that involve critical activities, and present plans to the board when critical activities are involved.
  • Ensure appropriate due diligence is conducted on potential third parties and present results to the board when making recommendations to use third parties that involve critical activities.
  • Review and approve contracts with third parties. Board approval should be obtained for contracts that involve critical activities.
  • Ensure ongoing monitoring of third parties, respond to issues when identified, and escalate significant issues to the board.
  • Ensure appropriate documentation and reporting throughout the life cycle for all third-party relationships.
  • Ensure periodic independent reviews of third-party relationships that involve critical activities and of the bank’s third-party risk management process. Analyze the results, take appropriate actions, and report results to the board.
  • Hold accountable the bank employees within business lines or functions who manage direct relationships with third parties.
  • Terminate arrangements with third parties that do not meet expectations or no longer align with the bank’s strategic goals, objectives, or risk appetite.
  • Oversee enterprise-wide risk management and reporting of third-party relationships.

Bank Employees Who Directly Manage Third-Party Relationships

  • Conduct due diligence of third parties and report results to senior management.
  • Ensure that third parties comply with the bank’s policies and reporting requirements.
  • Perform ongoing monitoring of third parties and ensure compliance with contract terms and service-level agreements.
  • Ensure the bank or the third party addresses any issues identified.
  • Escalate significant issues to senior management.
  • Notify the third party of significant operational issues at the bank that may affect the third party.
  • Ensure that the bank has regularly tested controls in place to manage risks associated with third-party relationships.
  • Ensure that third parties regularly test and implement agreed-upon remediation when issues arise.
  • Maintain appropriate documentation throughout the life cycle.
  • Respond to material weaknesses identified by independent reviews.
  • Recommend termination of arrangements with third parties that do not meet expectations or no longer align with the bank’s strategic goals, objectives, or risk appetite.

Documentation and Reporting

A bank should properly document and report on its third-party risk management process and specific arrangements throughout their life cycle. Proper documentation and reporting facilitates the accountability, monitoring, and risk management associated with third parties and typically includes

  • a current inventory of all third-party relationships, which should clearly identify those relationships that involve critical activities and delineate the risks posed by those relationships across the bank.10
  • approved plans for the use of third-party relationships.
  • due diligence results, findings, and recommendations.
  • analysis of costs associated with each activity or third-party relationship, including any indirect costs assumed by the bank.
  • executed contracts.
  • regular risk management and performance reports required and received from the third party (e.g., audit reports, security reviews, and reports indicating compliance with service-level agreements).
  • regular reports to the board and senior management on the results of internal control testing and ongoing monitoring of third parties involved in critical activities.
  • regular reports to the board and senior management on the results of independent reviews of the bank’s overall risk management process.

Independent Reviews

Senior management should ensure that periodic independent reviews are conducted on the third-party risk management process, particularly when a bank involves third parties in critical activities. The bank’s internal auditor or an independent third party may perform the reviews, and senior management should ensure the results are reported to the board. Reviews may include assessing the adequacy of the bank’s process for

  • ensuring third-party relationships align with the bank’s business strategy.
  • identifying, assessing, managing, and reporting on risks of third-party relationships.
  • responding to material breaches, service disruptions, or other material issues.
  • identifying and managing risks associated with complex third-party relationships, including foreign-based third parties and subcontractors.
  • involving multiple disciplines across the bank as appropriate during each phase of the third-party risk management life cycle.11
  • ensuring appropriate staffing and expertise to perform due diligence and ongoing monitoring and management of third parties.
  • ensuring oversight and accountability for managing third-party relationships (e.g., whether roles and responsibilities are clearly defined and assigned and whether the individuals possess the requisite expertise, resources, and authority).
  • ensuring that conflicts of interest or appearances of conflicts of interest do not exist when selecting or overseeing third parties.
  • identifying and managing concentration risks that may arise from relying on a single third party for multiple activities, or from geographic concentration of business due to either direct contracting or subcontracting agreements to the same locations.

Senior management should analyze the results of independent reviews to determine whether and how to adjust the bank’s third-party risk management process, including policy, reporting, resources, expertise, and controls. Additionally, the results may assist senior management’s understanding of the effectiveness of the bank’s third-party risk management process so that they can make informed decisions about commencing new or continuing existing third-party relationships, bringing activities in-house, or discontinuing activities. Management should respond promptly and thoroughly to significant issues or concerns identified and escalate to the board if the risk posed is approaching the bank’s risk appetite limits.

Supervisory Reviews of Third-Party Relationships

The OCC expects bank management to engage in a robust analytical process to identify, measure, monitor, and control the risks associated with third-party relationships and to avoid excessive risk taking that may threaten a bank’s safety and soundness. A bank’s failure to have an effective third-party risk management process that is commensurate with the level of risk, complexity of third-party relationships, and organizational structure of the bank may be an unsafe and unsound banking practice.

When reviewing third-party relationships, examiners should

  • assess the bank’s ability to oversee and manage its relationships.
  • highlight and discuss material risks and any deficiencies in the bank’s risk management process with the board of directors and senior management.
  • carefully review the bank’s plans for appropriate and sustainable remediation of such deficiencies, particularly those associated with the oversight of third parties that involve critical activities.
  • follow existing guidance for citing deficiencies in supervisory findings and reports of examination, and recommend appropriate supervisory actions. These actions may range from citing the deficiencies in Matters Requiring Attention to recommending formal enforcement action.
  • consider the findings when assigning the management component of the Federal Financial Institutions Examination Council’s (FFIEC) Uniform Financial Institutions Rating System (CAMELS ratings).12 Serious deficiencies may result in management being deemed less than satisfactory.
  • reflect the associated risks in their overall assessment of the bank’s risk profile.

When circumstances warrant, the OCC may use its authority to examine the functions or operations performed by a third party on the bank’s behalf. Such examinations may evaluate safety and soundness risks, the financial and operational viability of the third party to fulfill its contractual obligations, compliance with applicable laws and regulations, including consumer protection, fair lending, BSA/AML and OFAC laws, and whether the third party engages in unfair or deceptive acts or practices in violation of federal or applicable state law. The OCC will pursue appropriate corrective measures, including enforcement actions, to address violations of law and regulations or unsafe or unsound banking practices by the bank or its third party. The OCC has the authority to assess a bank a special examination or investigation fee when the OCC examines or investigates the activities of a third party for the bank.

Further Information

Please contact John Eckert, Director, Operational Risk and Core Policy, at (202) 649-7163.

John C. Lyons Jr.
Senior Deputy Comptroller and Chief National Bank Examiner

Appendix A: Risks Associated With Third-Party Relationships
Appendix B: References


APPENDIX A: Risks Associated With Third-Party Relationships

Use of third parties reduces management’s direct control of activities and may introduce new or increase existing risks, specifically, operational, compliance, reputation, strategic, and credit risks and the interrelationship of these risks. Increased risk most often arises from greater complexity, ineffective risk management by the bank, and inferior performance by the third party. Refer to the “Bank Supervision Process” booklet of the Comptroller’s Handbook for an expanded discussion of banking risks and their definitions.

Operational Risk

Operational risk is present in all products, services, functions, delivery channels, and processes. Third-party relationships may increase a bank’s exposure to operational risk because the bank may not have direct control of the activity performed by the third party.

Operational risk can increase significantly when third-party relationships result in concentrations. Concentrations may arise when a bank relies on a single third party for multiple activities, particularly when several of the activities are critical to bank operations. Additionally, geographic concentrations can arise when a bank’s own operations and that of its third parties and subcontractors are located in the same region or are dependent on the same critical power and telecommunications infrastructures.

Compliance Risk

Compliance risk exists when products, services, or systems associated with third-party relationships are not properly reviewed for compliance or when the third party’s operations are not consistent with laws, regulations, ethical standards, or the bank’s policies and procedures. Such risks also arise when a third party implements or manages a product or service in a manner that is unfair, deceptive, or abusive to the recipient of the product or service. Compliance risk may arise when a bank licenses or uses technology from a third party that violates a third party’s intellectual property rights. Compliance risk may also arise when the third party does not adequately monitor and report transactions for suspicious activities to the bank under the BSA or OFAC. The potential for serious or frequent violations or noncompliance exists when a bank’s oversight program does not include appropriate audit and control features, particularly when the third party is implementing new bank activities or expanding existing ones, when activities are further subcontracted, when activities are conducted in foreign countries, or when customer and employee data is transmitted to foreign countries.

Compliance risk increases when conflicts of interest between a bank and a third party are not appropriately managed, when transactions are not adequately monitored for compliance with all necessary laws and regulations, and when a bank or its third parties have not implemented appropriate controls to protect consumer privacy and customer and bank records. Compliance failures by the third party could result in litigation or loss of business to the bank and damage to the bank’s reputation.

Reputation Risk

Third-party relationships that do not meet the expectations of the bank’s customers expose the bank to reputation risk. Poor service, frequent or prolonged service disruptions, significant or repetitive security lapses, inappropriate sales recommendations, and violations of consumer law and other law can result in litigation, loss of business to the bank, or negative perceptions in the marketplace. Publicity about adverse events surrounding the third parties also may increase the bank’s reputation risk. In addition, many of the products and services involved in franchising arrangements expose banks to higher reputation risks. Franchising the bank’s attributes often includes direct or subtle reference to the bank’s name. Thus, the bank is permitting its attributes to be used in connection with the products and services of a third party. In some cases, however, it is not until something goes wrong with the third party’s products, services, or client relationships, that it becomes apparent to the third party’s clients that the bank is involved or plays a role in the transactions. When a bank is offering products and services actually originated by third parties as its own, the bank can be exposed to substantial financial loss and damage to its reputation if it fails to maintain adequate quality control over those products and services and adequate oversight over the third party’s activities.

Strategic Risk

A bank is exposed to strategic risk if it uses third parties to conduct banking functions or offer products and services that are not compatible with the bank’s strategic goals, cannot be effectively monitored and managed by the bank, or do not provide an adequate return on investment. Strategic risk exists in a bank that uses third parties in an effort to remain competitive, increase earnings, or control expense without fully performing due diligence reviews or implementing the appropriate risk management infrastructure to oversee the activity. Strategic risk also arises if management does not possess adequate expertise and experience to oversee properly the third-party relationship.

Conversely, strategic risk can arise if a bank does not use third parties when it is prudent to do so. For example, a bank may introduce strategic risk when it does not leverage third parties that possess greater expertise than the bank does internally, when the third party can more cost effectively supplement internal expertise, or when the third party is more efficient at providing a service with better risk management than the bank can provide internally.

Credit Risk

Credit risk may arise when management has exercised ineffective due diligence and oversight of third parties that market or originate certain types of loans on the bank’s behalf, resulting in low-quality receivables and loans. Ineffective oversight of third parties can also result in poor account management, customer service, or collection activities. Likewise, where third parties solicit and refer customers, conduct underwriting analysis, or set up product programs on behalf of the bank, substantial credit risk may be transferred to the bank if the third party is unwilling or unable to fulfill its obligations.

Credit risk also may arise from country or sovereign exposure. To the extent that a bank engages a foreign-based third party, either directly or through subcontractors, the bank may expose itself to country risk.


APPENDIX B: References

Additional guidance about third-party relationships and risk management practices can be found in the following documents.13

OCC Guidance

Issuance

Date

Subject

Description/Applicability to FSAs

Comptroller’s Handbook Various Asset Management series Each of the booklets in the Comptroller’s Handbook Asset Management series provides guidance on oversight of third-party providers. Applies to FSAs.
Comptroller’s Handbook September 2013 Other Real Estate Owned Provides guidance on managing foreclosed properties, including risk management of third-party relationships.Applies to FSAs.
Comptroller’s Handbook April 2012 SAFE Act Provides procedures for examining mortgage loan originator (MLO) activities for compliance with the Secure & Fair Enforcement & Licensing Act of 2008, which mandates a nationwide licensing and registration system for residential MLOs. MLOs may be employees of a bank or third-party vendors. Applies to FSAs.
Comptroller’s Handbook May 2011 Servicemembers Civil Relief Act of 2003 (SCRA) Provides guidance on SCRA requirements applicable to banks and servicers, as a large number of banks outsource loan-servicing functions such as credit administration to third-party servicers.
Comptroller’s Handbook December 2010 Truth in Lending Act Provides guidance to banks and servicers on the content and timing of disclosures; interest rate calculations; and prohibited activities.
Comptroller’s Handbook September 2010 Real Estate Settlement Procedures Provides guidance to banks and servicers on the content and timing of pre-settlement and settlement disclosures to borrowers and on prohibited practices.
Comptroller’s Handbook January 2010 Fair Lending Provides guidance on indicators of potential disparate treatment in loan servicing and loss mitigation; use of vendor-designed credit scorecards; and guidance on evaluating third parties.
Comptroller’s Handbook April 2003 Internal and External Audits Provides guidelines for banks that outsource internal audit.
Comptroller’s Handbook December 2001 Merchant Processing Provides guidance on risk management of third-party processors.
Comptroller’s Handbook February 1994 Retail Nondeposit Investment Sales Provides guidance on risk management and board oversight of third-party vendors selling nondeposit investment products. (See OCC Bulletin 1994-13)
Alert 2012-16 December 21, 2012 Information Security: Distributed Denial of Service Attacks and Customer Account Fraud Highlights the risks related to these attacks; raises awareness for banks to be prepared to mitigate associated risks. Preparation may include ensuring sufficient resources in conjunction with pre-contracted third-party servicers that can assist in managing the internet-based traffic flow. Applies to FSAs.
Alert 2001-4 April 24, 2001 Network Securities Vulnerabilities Alerts banks to review contracts with service providers to ensure that security maintenance and reporting responsibilities are clearly described.
News Release 2013-116 July 17, 2013 OCC Statement Regarding Oversight of Debt Collection and Debt Sales Appendix provides guidance on the due diligence and ongoing monitoring of third parties to which banks sell consumer debt.Applies to FSAs.
News Release 2012-93 June 21, 2012 Regulators Issue Joint Guidance to Address Mortgage Servicer Practices that Affect Servicemembers Provides guidance to banks and mortgage servicers, including ensuring that their employees are adequately trained about the options available for homeowners with permanent change of station orders. Applies to FSAs.
Bulletin 2013-10 March 29, 2013 Flood Disaster Protection Act: Interagency Statement on Effective Dates of Certain Provisions of the Biggert–Waters Act and Impact on Proposed Interagency Questions and Answers Provides guidance to lenders or their servicers regarding the contents of notifications to borrowers about flood insurance renewals, force placement to ensure continuity of coverage, use of private flood insurance policies, related insurance fees, and escrow accounts. Provides summaries of new requirements for disclosure contents and timing. Applies to FSAs.
Bulletin 2011-39 September 22, 2011 Fair Credit Reporting and Equal Credit Opportunity Acts—Risk-Based Pricing Notices: Final Rules Provides guidance on notification requirements (timing, content) when adverse credit decision relies on a credit score, including those generated by third-party vendors (i.e., consumer reporting agencies). Applies to FSAs.
Bulletin 2011-30 July 6, 2011 Counterparty Credit Risk Management: Interagency Supervisory Guidance Addresses some of the weaknesses highlighted by the recent financial crisis and reinforces sound governance of counterparty credit risk (CCR) management practices through prudent board and senior management oversight and an effective CCR management framework. Applies to FSAs with the issuance of this bulletin.
Bulletin 2011-29 June 30, 2011 Foreclosure Management: Supervisory Guidance Discusses third-party vendor management and reaffirms expectations that management should properly structure, carefully conduct, and prudently manage relationships with third-party vendors, including outside law firms assisting in the foreclosure process. Applies to FSAs.
Bulletin 2011-27 June 28, 2011 Prepaid Access Programs: Risk Management Guidance and Sound Practices Highlights the risks and provides risk management guidance concerning prepaid access programs. Applies to FSAs.
Bulletin 2011-26 June 28, 2011 Authentication in an Internet Banking Environment: Supplement Reinforces the guidance’s risk management framework and updates expectations regarding banks’ authentications systems and practices whether they are provided internally or by a technology service provider. Applies to FSAs.
Bulletin 2011-12 April 4, 2011 Sound Practices for Model Risk Management: Supervisory Guidance Includes guidance on the use of third-party models. Applies to FSAs.
Bulletin 2011-11 March 29, 2011 Risk Management Elements: Collective Investment Funds and Outsourcing Arrangements Expands upon long-standing guidance on sound risk management and beneficiary/participant protections for bank-offered collective investment funds (CIF). The focus is on supervisory concerns that arise if a bank delegates responsibility for a bank CIF to a third-party service provider, such as a registered investment adviser. Applies to FSAs with the issuance of this bulletin.
Bulletin 2010-42 December 10, 2010 Sound Practices for Appraisals and Evaluations: Interagency Appraisal and Evaluation Guidelines Provides guidance regarding a bank’s responsibility for selecting appraisers and people performing evaluations based on their competence, experience, and knowledge of the market and type of property being valued. Applies to FSAs.
Bulletin 2010-30 August 16, 2010 Reverse Mortgages: Interagency Guidance Provides guidance on managing the compliance and reputation risks when making, purchasing, or servicing reverse mortgages through a third party, such as a mortgage broker or correspondent. Applies to FSAs.
Bulletin 2010-7 February 18, 2010 Tax Refund Anticipation Loans: Guidance on Consumer Protection and Safety and Soundness Provides guidance to enhance, clarify, and increase awareness regarding the measures the OCC expects to see in place for tax refund-related products offered by banks, including issues related to reliance on third-party tax return preparers who interact with consumers.
Bulletin 2010-1 January 8, 2010 Interest Rate Risk: Interagency Advisory on Interest Rate Risk Management Includes guidance on selection, control frameworks, and validation of third-party asset liability management models.Applies to FSAs.
Bulletin 2009-15 May 22, 2009 Investment Securities: Risk Management and Lessons Learned Provides guidance for banks that use the services of third parties who compile and provide investment analytics for bank management.
Bulletin 2008-12 April 24, 2008 Payment Processors: Risk Management Guidance Provides guidance to banks regarding relationships with third-party processors and requirements for effective due diligence, underwriting, and monitoring. Applies to FSAs with the issuance of this bulletin.
Bulletin 2008-5 March 6, 2008 Conflicts of Interest: Risk Management Guidance—Divestiture of Certain Asset Management Businesses Provides guidance for banks that contemplate divestiture of affiliated funds and associated advisers, whether directly, or through their broader corporate organizations.
Bulletin 2008-4 February 2, 2008 Flood Disaster Protection Act: Flood Hazard Determination Practices Provides guidance to banks that outsource flood hazard determinations to third-party servicers to ensure that appropriate information is used when performing flood determinations and that revision dates be included in the determination form. Applies to FSAs with the issuance of this bulletin.
Bulletin 2006-47 December 13, 2006 Allowance for Loan and Lease Losses (ALLL): Guidance and Frequently Asked Questions (FAQs) on the ALLL Includes guidance for when some or the entire loan review function and the validation of the ALLL methodology is outsourced to a qualified external party, and identifies the minimum objectives of a loan review program. Applies to FSAs.
Bulletin 2006-39 September 1, 2006 Automated Clearing House Activities: Risk Management Guidance Provides guidance for banks and examiners on managing the risks of automated clearing house (ACH) activity, which can include new and evolving types of ACH transactions as well as new participants in the ACH network, including certain merchants and third parties known as third-party senders.Applies to FSAs with the issuance of this bulletin.
Bulletin 2005-35 October 12, 2005 Authentication in an Internet Banking Environment: Interagency Guidance Highlights requirements for banks to use this guidance when evaluating and implementing authentication systems and practices whether they are provided internally or by a technology service provider. Applies to FSAs.
Bulletin 2005-27 August 4, 2005 Real Estate Settlement Procedures Act (RESPA): Sham Controlled Business Arrangements Provides guidance on determining if a RESPA settlement service provider (often a third-party servicer or vendor) is a “controlled business arrangement” and therefore entitled to certain exemptions. Applies to FSAs with the issuance of this bulletin.
Bulletin 2005-22 May 16, 2005 Home Equity Lending: Credit Risk Management Guidance Sets forth regulatory expectations for enhanced risk management practices, including management of third-party originations. Applies to FSAs.
Bulletin 2005-13 April 14, 2005 Response Programs for Unauthorized Access to Customer Information and Customer Notice: Final Guidance: Interagency Guidance Provides guidance on banks implementing a response program to address unauthorized access to customer information maintained by the institution or its service providers. Applies to FSAs.
Bulletin 2005-1 January 12, 2005 Proper Disposal of Consumer Information: Final Rule Sets standards for information security. Requires agreements with service providers on disposal. Describes duties of users of consumer reports regarding identity theft. Applies to FSAs with the issuance of this bulletin.
Bulletin 2004-47 October 27, 2004 FFIEC Guidance: Risk Management for the Use of Free and Open Source Software (FOSS) Provides guidance for institutions considering using or deploying FOSS regardless of whether it will be provided internally or by a third-party service provider. Applies to FSAs.
Bulletin 2004-20 May 10, 2004 Risk Management of New, Expanded, or Modified Bank Products and Services: Risk Management Process Reminds banks of the risk management process they should follow to prudently manage the risks associated with new, expanded, or modified bank products and services, including those provided by third parties.
Bulletin 2003-15 April 23, 2003 Weblinking: Interagency Guidance on Weblinking Activity Provides guidance to institutions that develop and maintain their own Web sites, as well as institutions that use third-party service providers for this function. Applies to FSAs.
Bulletin 2003-12 March 17, 2003 Interagency Policy Statement on Internal Audit and Internal Audit Outsourcing: Revised Guidance on Internal Audit and Its Outsourcing Reflects developments within the financial, audit, and regulatory industries, particularly the Sarbanes–Oxley Act of 2002 that established numerous independence parameters for audit firms that provide external audit, outsourced internal audit, and other non-audit services for financial institutions.Applies to FSAs.
Bulletin 2002-16 May 15, 2002 Bank Use of Foreign-Based Third-Party Service Providers: Risk Management Guidance Provides guidance on managing the risks that may arise from outsourcing relationships with foreign-based third-party service providers, and addresses the need for banks to establish relationships with foreign-based third-party service providers in a way that does not diminish the ability of the OCC to timely access data or information needed for supervisory activities.Applies to FSAs with the issuance of this bulletin.
Bulletin 2002-03 January 15, 2002 Real Estate Settlement Procedures Act: Examiner Guidance—Mark-ups of Settlement Service Fees Provides guidance on determining if a RESPA settlement service provider (often a third-party servicer or vendor) is charging more for a settlement service provided by a third party than is actually paid to the third party and the third party is not involved in the mark-up, which is prohibited by RESPA Section 8(b) (implemented by Regulation X) in most but not all states. Applies to FSAs with the issuance of this bulletin.
Bulletin 2001-51 December 12, 2001 Privacy of Consumer Financial Information: Small Bank Compliance Guide Includes guidance for banks to evaluate agreements with nonaffiliated third parties that involve the disclosure of consumer information. Applies to FSAs.
Bulletin 2001-12 February 28, 2001 Bank-Provided Account Aggregation Services: Guidance to Banks Includes guidance for banks that offer aggregation services through third-party service providers.
Bulletin 2001-8 February 15, 2001 Guidelines Establishing Standards for Safeguarding Customer Information: Final Guidelines Alerts banks that oversight program of service providers should include confirmation that the providers have implemented appropriate measures designed to meet the objectives of the guidelines. Applies to FSAs with the issuance of this bulletin.
Bulletin 2000-25 September 8, 2000 Privacy Laws and Regulations: Summary of Requirements Includes guidance for banks to evaluate agreements with third parties that involve the disclosure of consumer information.Applies to FSAs with the issuance of this bulletin.
Bulletin 2000-14 May 15, 2000 Infrastructure Threats—Intrusion Risks: Message to Bankers and Examiners Provides guidance on how to prevent, detect, and respond to intrusions into bank computer systems, including outsourced systems.
Bulletin 1999-14 March 29, 1999 Real Estate Settlement Procedures Act: Statement of Policy—Lender Payments to Mortgage Brokers Provides guidance on services normally performed in loan origination, including those often performed by a third-party servicer or vendor. Applies to FSAs with the issuance of this bulletin.
Bulletin 1998-3 March 17, 1998 Technology Risk Management: Guidance for Bankers and Examiners Includes a short description of a bank’s responsibility with regard to outsourcing its technology products and services. Applies to FSAs with the issuance of this bulletin.
Bulletin 1996-48 September 3, 1996 Stored Value Card Systems: Information for Bankers and Examiners Provides basic information to assist banks in identifying and managing risks involved in stored value systems. Applies to FSAs with the issuance of this bulletin.
Advisory Letter 2004-6 May 6, 2004 Payroll Card Systems Advises banks engaged in payroll card systems involving nonbank third parties to fully comply with OCC guidance on third-party relationships.
Advisory Letter 2002-3 March 22, 2002 Guidance on Unfair or Deceptive Acts or Practices Describes legal standards and provides guidance on unfair or deceptive acts and practices. Cross references other OCC guidance on: selecting a third-party vendor; monitoring vendor performance; maintaining proper documentation about vendor management; review of contractual arrangements; compensation concerns; monitoring consumer complaints; payment procedures; and loan collection activities.
Advisory Letter 2000-11 November 27, 2000 Title Loan Programs Alerts banks to OCC concerns over title loan programs, including the involvement of third-party vendors.
Advisory Letter 2000-10 November 27, 2000 Payday Lending Alerts banks to OCC concerns over payday lending programs, including the involvement of third-party vendors. Applies to FSAs.
Banking Circular 181 August 2, 1984 Purchases of Loans in Whole or in Part-Participations Describes prudent purchases of loans from and loan participations with third parties. Applies to FSAs with the issuance of this bulletin.
FFIEC Handbooks

Issuance   Date   Subject   Description

FFIEC Bank Secrecy Act/Anti-Money Laundering Examination Manual April 29, 2010 Bank Secrecy Act and Anti-Money Laundering Provides guidance on identifying and controlling risks associated with money laundering and terrorist financing, including third-party payment processors and professional service providers.
FFIEC Information Technology Examination Handbook Various “Outsourcing Technology Services” and “Supervision of Technology Service Providers” Provides guidance on managing risks associated with the outsourcing of IT services. Several other booklets of the FFIEC IT Examination Handbook also provide guidance addressing third-party relationships.
1 Third-party relationships include activities that involve outsourced products and services, use of independent consultants, networking arrangements, merchant payment processing services, services provided by affiliates and subsidiaries, joint ventures, and other business arrangements where the bank has an ongoing relationship or may have responsibility for the associated records. Affiliate relationships are also subject to sections 23A and 23B of the Federal Reserve Act (12 USC 371c and 12 USC 371c-1) as implemented in Regulation W (12 CFR 223). Third-party relationships generally do not include customer relationships.

2 An OCC-supervised bank that provides services to another OCC-supervised bank is held to the same standards of due diligence, controls, and oversight as is a non-bank entity.

3 For example, in franchising arrangements, the bank lends its name or regulated entity status to activities originated or predominantly conducted by others. Thus, the bank is permitting its attributes to be used in connection with the products and services of a third party. The risks to the bank from these franchising arrangements vary based on the terms of the agreement between the bank and the third party and the nature of the services offered. When a bank is offering products and services originated by third parties as its own, the bank can be exposed to substantial financial loss and damage to its reputation if it fails to maintain adequate quality control over those products and services and adequate oversight over the third-party activities. Risk may also increase when the third party relies on the bank’s regulated entity status and offers services or products through the bank with fees, interest rates, or other terms that cannot be offered by the third party directly.

4 Refer to appendix A for a discussion of risks associated with third-party relationships.

5 Except for nondisclosure agreements that may be required in order for the bank to conduct due diligence.

6 Dual employees are employed by both the bank and the third party.

7 If the bank enters into a written arrangement under which a broker registered under the securities laws offers brokerage services on or off the premises of the bank, the bank should ensure that the arrangement qualifies for the exception in the Securities and Exchange Act of 1934, 15 USC 78c(a)(4)(B)(i), and Regulation R, 12 CFR 218.700-701 and 17 CFR 247.700-701, for third-party brokerage arrangements. Otherwise, the bank may be required to register as a securities broker under the federal securities laws. The bank also should ensure compliance with regulatory requirements if bank employees receive fees for referrals to the third-party broker.

8 Before conducting an examination of a third party that is a functionally regulated affiliate (FRA), the OCC is required to give notice to and consult with the FRA’s primary regulator and, to the fullest extent possible, avoid duplication of examination activities, reporting requirements, and requests for information. See 12 USC 1831v.

9 When a third-party relationship involves critical activities, a bank may need to consider appointing a senior officer to provide oversight of that relationship.

10 Under 12 USC 1867(c)(2), national banks are required to notify the OCC of the existence of a servicing relationship. FSAs are subject to similar requirements set forth in 12 USC 1464(d)(7)(D)(ii) and 12 USC 1867(c)(2). The OCC implements this notification requirement by requiring banks to maintain a current inventory of all third-party relationships and make it available to examiners upon request.

11 In addition to the functional business units, this may include information technology, identity and access management, physical security, information security, business continuity, compliance, legal, risk management, and human resources.

12 The CAMELS rating is an overall assessment of a bank based on six individual ratings; the word CAMELS is an acronym for these individual elements of regulatory assessment (capital adequacy, asset quality, management, earnings, liquidity, and sensitivity to market risk).

13 All guidance applies to national banks. Guidance not currently applicable to FSAs (as noted in this appendix) is undergoing review through the OCC’s policy integration efforts.

Grade Your Compliance Etiquett...

10-28-2013

Reputation risk and corporate ethics are top of mind for Boards of Directors and Executive Management. However, expectations for financial service organization’s “compliance manners” are getting a makeover in responsible business conduct based on a recent bulletin from the Consumer Financial Protection Bureau (CFPB).

The CFPB has set out a menu of protocols that come into play prior to an enforcement action. The nature, extent, and severity of a violation, plus the organization’s past record and the actual or potential harm, together determine how harsh the penalty or action could be.

There’s no magic grading formula, but organizations that clearly demonstrate a proactive commitment to prompt corrective action may be given extra credit, but only if their actions exceed the standards required by law. To get an “A” in compliance manners, organizations need to structure compliance management systems for consumer protection to include: Self Policing, Self Reporting, Remediation & Cooperation.

While the regulations provide the curriculum for testing compliance, the etiquette, meaning the compliance attitude and tone at the top, is just as important.

Grade your compliance etiquette by thinking about these questions:

  • What’s your organization’s compliance culture grade?
  • Has your organization had repeat offenses?
  • Are mistakes or violations isolated or pervasive?
  • How quickly are violations detected & corrected?
  • Do you have mechanisms to self-test your procedures?
  • Does the organization take proactive measures to self-report, or wait until it is examined?
  • How thoroughly do you implement preventative measures?

Grading on the curve will only get organizations so far in meeting today’s consumer protection report card.

Organizations need to align not only the right answers, but the right etiquette and protocol for how they handle consumer protection today. So mind your compliance manners and remember to say thank you; you’re welcome; pretty please, and when needed, I’m sorry.

Linnea Solem is the Vice-Chair of the Shared Assessments Program and is the Chief Privacy Officer and Director of Business Risk & Privacy Management for Deluxe Corporation. Linnea is a management professional with 20+ years of financial services experience in areas including eCommerce, technology, business development, marketing, information practices and risk management. She is a Certified Information Privacy Professional and led Deluxe’s compliance initiatives for Y2K, GLB, Check 21, and Red Flags Legislation.

Reposted with permission from Forward Banker

PCI 3.0...

10-21-2013

Although it seems as if the Payment Card Industry Data Security Standard (PCI DSS) was launched yesterday, the standards organization was in fact created in 2006 to consolidate and better promulgate the major credit card organizations’ then overlapping data security requirements. The PCI Council updated its original requirements in 2010 (with Version 2.0) and now, in November 2013, the Council will release version 3.0.

The PCI standards sometimes have been controversial – some (too many) in the industry have viewed the requirements as simply a compliance checklist to be certified on an annual basis, and the headlines have been filled with examples of breached merchants who were “just recently” certified to be PCI compliant. As the years went by, it became all too apparent that there were significant inconsistencies in the way PCI assessments were executed, and in the security hygiene PCI certified organizations maintained in between yearly assessments.

Last month’s PCI 3.0 Highlights preview document suggests that modifications planned for Version 3.0 could be very helpful. The document states that:

Changes planned for Version 3.0 are designed to help organizations take a proactive approach to protect cardholder data that focuses on security, not compliance, and makes PCI DSS a business-as-usual practice.

That’s exactly the right goal, and some of the emphases appear to be particularly significant for Shared Assessments members. PCI 3.0, for example, will have the increased emphasis on security as a shared responsibility that’s appropriate in today’s more complex payments environment. Changes to the requirements will mandate that companies maintain records about which PCI DSS requirements are maintained by the contracting entities and which are managed by service providers. The new standards will require that service providers acknowledge their responsibility to maintain applicable PCI DSS requirements.

In the financial services sector in particular, relationships between financial institutions and their business partners have come under increased regulatory scrutiny. Earlier this week Comptroller Thomas Curry gave notice that the Office of the Comptroller of the Currency (OCC) will issue enhanced supervisory standards for large national banks. He said “As part of this ‘heightened expectations’ program, we are insisting that internal controls and audit be raised to the standard of ‘strong’ and we are making it clear that satisfactory ratings are not acceptable.” That’s a big deal of course, and we might reasonably hope that FIs of all sizes will step up to the plate as they educate and help supervise the PCI 3.0 compliance of their merchant partners moving forward.

For more than 35 years, Santa Fe Group Senior Consultant, Gary Roboff, contributed his outstanding talents to the financial services industry, and in particular to financial services payments systems. Gary has focused on such issues as privacy and information utilization, business frameworks, changes in the payments and settlement systems, and standards for emerging e-commerce applications. He has chaired the Electronic Funds Transfer Association (EFTA) Board of Directors and was a founder of the International Security Trust and Privacy Alliance (ISTPA), serving as Vice Chair of its Board. 

The Ever Present Need for Effe...

10-16-2013

The FDIC Advisory Committee on Community Banking meeting in July 2013 included an extensive discussion of the responsibility of banks in ensuring their vendors consistently meet privacy and other information security regulations and requirements. (Established in May 2009, the Advisory Committee on Community Banking discusses and provides input to the FDIC on a wide variety of topics, including current examination policies and procedures, credit and lending practices, deposit insurance assessments, insurance coverage and regulatory compliance.) One of the greatest takeaways from these committee sessions is that while regulators examine financial services vendors that contract for core bank services or other third-party services covered under the Bank Service Company Act, they are not allowed to report their findings directly to the banks that contract with these vendors. (The Bank Service Company Act of 1962 requires insured financial institutions to notify regulators of relationships with certain third-party agencies. This notification helps alert the government to potential security violations and conflicts of interest.) The Committee advised that banks need to do more due diligence to determine that their vendors are capable of meeting their compliance obligations, and to add further auditing of their third-party relationships.

The serious need for more effective due diligence is evidenced by the 2011 case of a hacker break-in at Fidelity National Information Services (FIS). FIS reportedly found no red flags through its due diligence, but ultimately had a significant data breach. The recent (June 2013) disclosure that this breach was far more extensive than FIS had previously revealed “highlights a shocking lack of basic security protections throughout one of the nation’s largest financial services providers.” (FDIC: 2011 FIS Breach Worse Than Reported.) Given that FIS provides a range of services to more than 14,000 financial institutions in over 100 countries, the impact of this breach is quite significant. According to the Advisory Committee on Community Banking, financial institutions can be more effective and proactive in ensuring vendors identify and address security gaps by becoming more thorough in their monitoring procedures, specifically by:

      1. Requesting reports from their vendors on all audits and examinations on an ongoing basis.
      2. Carefully and regularly reviewing those reports.
      3. Ensuring that contract language covers all regulations and requirements that vendors must meet to allow institutions to remain in compliance at all times.

Well designed due diligence can help drive vendor compliance―demanding a high standard of accountability be maintained by all vendors encourages the industry to hold its members accountable. Up front investments in improving vendor monitoring will also result in companies being less likely to use a vendor that would later be costly to replace. Your organization can begin to accomplish both goals by:

  • Establishing a company-wide culture of dedicated, forward thinking due diligence.
  • Establishing a contracting process that includes automated audit request and reporting review.
  • Training all employees on security and privacy issues and processes.
  • Reinforcing training with ongoing awareness emails and other postings.

Dedicating the appropriate level of resources for vendor risk assessment becomes a winning proposition for financial institutions, vendors, and customers alike.

Santa Fe Group Consultant and Shared Assessments Program Director, Brad Keller, has more than 25 years of experience developing and leading risk management and third-party risk assessment programs. Brad is responsible for the development of the Shared Assessments Program’s Tools and key partnerships. Follow Brad on Twitter at @SFGBrad

It’s Game Time – Be Your O...

10-07-2013

Managing your suite of regulatory compliance programs today requires a game day strategy to keep all the moving parts working together to achieve the end goal of meeting the external regulators’ expectations.

While financial institutions can prepare for examination reviews by assessing published guidance, the hard part is applying the guidance to your own internal teams.

With emerging areas of compliance, including consumer protection, organizations have to be prepared in their compliance game-book to make adjustments.

Gone are the days where looking to the published rule and effective date was sufficient. In today’s landscape, compliance program management requires close monitoring of complaints, enforcement actions, and monitoring CFPB research reports to spot areas of focus even before the rulemaking.

  • Structure special teams or risk committees for specific areas of compliance. Can you show how the teams work together?
  • Monitor your scorecard with compliance metrics you can use to demonstrate “how” you structured your compliance playbook. Can you tell your compliance story to an auditor?
  • Develop oversight mechanisms and designate decision making authority for reviewing your compliance program for effectiveness. Who is your internal compliance umpire?
  • Know your audience for board of director and management reporting. Operational metrics are important, but strategic metrics can be game changers in getting approvals for investments. Do you know how to “pitch” your business case?
  • Practice with confidence how to share the insights and reasons why you structured your compliance program the way you did. Can you show “why” your program meets your compliance risks?

Compliance Program management requires more flexibility today, to adapt to changing rules and interpretations of what is expected.

Single hits win and doubles are good, but in the area of consumer protection and operational risk, you need some home runs to succeed over the long term.

If you want to be in the game, play by the rules. Keep in mind the rules of the game will change during play.

Be prepared for your role as your own compliance umpire, and call the shots internally.

Linnea Solem is the Vice-Chair of the Shared Assessments Program and is the Chief Privacy Officer and Director of Business Risk & Privacy Management for Deluxe Corporation. Linnea is a management professional with 20+ years of financial services experience in areas including eCommerce, technology, business development, marketing, information practices and risk management. She is a Certified Information Privacy Professional and led Deluxe’s compliance initiatives for Y2K, GLB, Check 21, and Red Flags Legislation.

Reposted with permission from Forward Banker

2013 Financial Services Cyber ...

10-01-2013

Booz Allen Hamilton released their Top 10 Financial Services Cyber Risk Trends for 2013. They did a great job on identifying trends and provide a bit of insight into what is happening in the field, while providing some advice and predictions. I would like to highlight some key words that stand out to me and provide you with my personal take from a “Standards” or Management Systems perspective.

1. Business/Information risk protection is not just a technology issue―Technology alone is not the answer; you must pursue an integrated strategy of People, Processes and Technology.

2. Data disruption attacks may become data destruction attacks (i.e. vulnerability)― One of Clint Eastwood’s famous lines was “A man’s got to know his limits.” An organization can never expect to eliminate the constant barrage of attacks, but by identifying its individual vulnerabilities and knowing its systems’ limits, effective planning can avoid exposing vulnerabilities, reduce them, or increase monitoring of them.

3. Nation states and threat actors are becoming more sophisticated―You have to know your threats to identify your vulnerabilities. Knowing the enemy allows you to plan and deploy the proper resources, technology and of course, plan for business continuity in the event of disruptions; nothing is 100% and you have to be prepared if things go wrong.

4. Legislation could push industry standards around cyber risks and improve threat intelligence information sharing―On February 12th of this year, President Obama issued Executive Order 13636, Improving Critical Infrastructure Cybersecurity. It acknowledges the need for public-private partnership in preparing for, preventing, and mitigating threats. The order directs federal agencies and departments to share cyber threat information with critical infrastructure owners. The order also requires these agencies and departments to work with businesses to develop IT security best practices and international standards that infrastructure owners could voluntarily adopt. It looks like there is increasing support for incentive programs for those who choose to adopt the new framework, especially from insurance industry companies.

5. Predictive threat intelligence analytics will create a more effective risk management capability (monitoring)― All information an organization collects and processes is subject to threats of attack, error, and nature and to the vulnerabilities inherent in its use. An organization must establish and maintain a good monitoring process to be more predictive and make appropriate changes to its practices and technology at the right time to stay ahead of the bad guys. As information security risks and the effectiveness of controls change depending on shifting circumstances, organizations need to:

a) monitor and evaluate the effectiveness of implemented controls and procedures;
b) identify emerging risks to be treated; and
c) select, implement and improve appropriate controls as needed. (ISO/IEC 27000:2012(E) Information technology—Security techniques—Information security management systems: Overview and vocabulary. Second edition. 27000 Security. 2013. http://www.iso27001security.com/html/27000.html)

6. Vendor Risk Management (supply-chain management)―This is becoming an increasingly important concern among firms; we are only as strong as the weakest link. There is a growing concern about the continued increase in business environment volatility that makes the task of managing global supply chains tougher every day. Changes over the last few years in the social, political, technology, environment and economic domains around the world suggest that the business landscape and paradigm of supply-chain management have transformed permanently.

Uncertainty is the road block to flawless execution. You can read my complete article on the subject, A Critical Need In Any Business Continuity Management System: Addressing the Supply Chain.

7. Cyber risk continues to be a board-level issue (top management involvement)― How does leadership articulate its expectations to the organization as a whole? All levels of relevant management throughout the organization should demonstrate commitment and leadership in implementing policy and objectives that support a culture of proactive risk management. Demonstration of commitment and leadership may be achieved using education, motivation, engagement and empowerment.

8. Firms must continue to embrace and adapt to the new “boundless network,” which includes Bring Your Own Device (BYOD) use and must also invest in training its workforce to properly access and protect corporate data―All mainstream management system standards ask you to define and show evidence of effectiveness measures that evaluate individual organizational training programs. Further you are asked to define how you measure competence in your evaluation of training program success. No workplace is immune from security threats. Employees are often the target of these threats as well as the organization’s first line of defense. Threats endanger the confidentiality, integrity, and security of your workplace, as well as your virtual workplace and computer systems and must be addressed with a correspondingly appropriate level of training and continuous quality improvement in training programs.

9. Identity and access management is becoming a key security control area in which firms will continue to invest heavily―Due to global privacy concerns, identity and access management is fast becoming one of the most important components of an organization’s security infrastructure. With the advent of new and tougher regulations, how well you protect your enterprises’ information assets is directly related to your organization’s reputation, legal responsibility and financial well-being.

10. The Financial Services industry will rely more heavily on cyber benchmarking―The soon to be released National Institute of Standards and Technology (NIST) Cybersecurity Framework, in answer to the Improving Critical Infrastructure Cybersecurity Executive Order, will become the benchmark by which all critical infrastructures are measured. Many of the leaders in the financial industry agree with the concept provided it ties in with already accepted industry standards and presents smarter regulation rather than simply more regulation. Please reference my previous blog on the topic for more detail: Information Security in the Financial Industry. More Regulation or Better Regulation.

John DiMaria is a BSI Certification Portfolio Expert, Six Sigma Black Belt, certified Holistic Information Security Practitioner (HISP), and Master HISP with over 25 years of successful experience in Management System Development.

Notice: The views expressed in this blog are those of the author and should not be interpreted to have been endorsed or otherwise represent those of BSI Group, or any other of its employees, officers, directors or anyone otherwise affiliated with BSI Group.

Vendor Risk Assessment: How Of...

09-25-2013

The need to go beyond calendar-based assessments.

The frequency of vendor risk assessments is generally driven by the level of risk associated with the type of services provided by the vendor. A good approach for companies to follow is the one taken by most financial institutions, which review critical/high-risk vendors annually. This approach will adequately address the need for periodic assessments, but may not be sufficient to address the need for “event triggered” assessments.

The need for an assessment can be triggered by events outside the scope of your relationship with the vendor. A merger, acquisition, change in management, or a data breach are all examples of “external” events that could trigger the need to conduct an interim assessment of the vendor. At the very least such events require some level of scrutiny and due diligence to determine if they have an impact on the services provided by the vendor.

Contract provisions which require vendors to proactively notify you when certain changes occur can help identify these events. Unfortunately, many contracts do not contain provisions that address these issues, or provide for timely notification of the event. Therefore, it becomes important to consider the implementation of your own monitoring program to be able to identify the need for, and respond to, changes in the vendor’s environment that could trigger the need for an additional assessment. The question becomes what type of monitoring should you consider to help you identify when these events occur?

There are several steps you can take, in addition to proactive notification requirements in your vendor contracts, to significantly increase your ability to identify “triggering events”:

  • Subscribe to a service that monitors geography-based events. Companies that provide these services monitor geopolitical and environmental/weather-related incidents as well as incidents related to infrastructure failures
  • Monitor news services for business announcements concerning these vendors
  • Monitor changes in regulations that could impact your vendors or the services they provide
  • Monitor social media, Internet sites and discussion forums for comments related to your vendors or the services they provide

Essentially you should include your critical/high risk vendors in the same monitoring you perform for your own institution in these areas.

Make sure that your vendor risk assessment process includes the monitoring necessary to identify events involving your critical vendors, and that your vendor contracts include the right to conduct additional assessments based on these events. Doing so will help you avoid unexpected operational interruptions, unanticipated revenue loss, and the potential for negative impact on your reputation.

Santa Fe Group Consultant and Shared Assessments Program Director, Brad Keller, has more than 25 years of experience developing and leading risk management and third-party risk assessment programs. Brad is responsible for the development of the Shared Assessments Program’s Tools and key partnerships. Follow Brad on Twitter at @SFGBrad

Regulatory Compliance – How ...

09-16-2013

Compliance regulations are increasingly dictating the choices that businesses are making regarding revenue generation strategies across all sectors. As a result, strategies that focus on revenue streams are being directly impacted by the cumbersome technicalities of meeting the legal and privacy requirements of today’s compliance regulations.

The Health Insurance Portability & Accountability Act of 1996 (HIPAA) is a prime example of the growing tapestry of regulatory compliance. It affects players across a broad spectrum, including many not normally considered to be in the health care industry (banks, lawyers and accountants to name a few). HIPAA’s purpose is to “provide health care coverage continuity, ensure greater accountability and simplify administrative functions within the health care industry.” It reaches much farther than that and frequently results in complicating administrative functions, rather than simplifying them. Companies must now divert a substantial amount of resources away from the development of innovative solutions, and apply them to regulatory compliance and other legal requirements. While a necessary expense, compliance and legal departments are all too often viewed as dead weight, since they are perceived to provide no direct tie to the creation of revenue.

With that as a background, it is critically important to focus your compliance efforts on what really matters – ensuring that you are getting the information you need into your security, privacy, and fraud management systems as effectively as possible. Key to accomplishing this task is to incorporate your compliance and legal staff as part of the solution rather than part of the problem. This means that legal, compliance and risk management should be involved at the earliest stages of new business development. They should also be an integral part of every project team whose focus is on the development of new products and services.

To address this:

    1) Conversations with legal departments have to become more equal. This means that executive level staff must gain a stronger understanding of the real risks and benefits of regulation and compliance. Familiarity will even the playing field and allow decision makers to listen and act from a point of understanding rather than from a place of fear. Bigger legal departments do not equate with excellence in compliance. In short, make sure that you ask the right questions when addressing compliance requirements.
           a. Why was this requirement put into place?
           b. How was it dictated (by what body)?
           c. What is the cost versus the benefit of this requirement?
           d. How does it affect other stakeholders?
           e. Can I streamline this process through better workflow management or other technologies?

    2) Compliance requirements must be considered at the earliest stages of new product/service development. Incorporating regulatory requirements into the planning stages of business development efforts allows them to become a seamless component of the development process. Thus, instead of later compliance reviews being seen as impediments to new business development (as they often impose new project requirements), compliance needs become simply another planned-for and anticipated element in the project development lifecycle.

The biggest benefit of effective compliance planning lies in gaining a stellar reputation with regulators, customers, and business partners. The product development process can be restructured in ways that support innovation. This includes a view of compliance as a component part of business development and innovation in which legal, regulatory, technology, and vendor risk management costs are viewed as a normal part of the business development process.

Santa Fe Group Consultant and Shared Assessments Program Director, Brad Keller, has more than 25 years of experience developing and leading risk management and third-party risk assessment programs. Brad is responsible for the development of the Shared Assessments Program’s Tools and key partnerships. Follow Brad on Twitter at @SFGBrad

Annie Searle Reports on the 20...

09-09-2013

The Department of Homeland Security (DHS) presented its 3rd Annual “Building Resilience through Public-Private Partnerships” conference on July 30-31 in Washington, D.C. Third party risk issues were discussed in depth around three themes: emergency management/preparedness, campus resilience, and cybersecurity.

Welcoming remarks came from both Jane Holl Lute, former DHS deputy secretary, and FEMA administrator Craig Fugate, who spoke frankly about the private sector’s reluctance to make investments in resilience “unless it’s in their interest and makes money.” He pointed out that most power utilities are investor-owned, with fiduciary requirements. He stressed the need to find what he called “our common interests,” given that public-private partnerships sometimes operate like a “big dysfunctional family.” He’s clearly a “whole of community” professional, who is looking for what he calls “teammates” rather than “more partners.”

The most inspiring speaker at the conference was Jacob Wood, founder of Team Rubicon, a disaster response veterans service organization, which provided 350 veterans over five weeks to assist with recovery from Hurricane Sandy. He pointed out that the organization is two-pronged: it helps disaster victims, but it also helps military veterans deploy their skills in situations where it is clear that they help and that they “will change the world.” Teams are now learning the National Incident Management System (NIMS) and the Incident Command System (ICS) “with a military flavor.”

One of the crispest panels focused on supply chain and was organized by Bryan Strawser from Target. We met three new companies, Sears Holding Corporation, Global Food Exchange, and Menlo Worldwide Logistics, and learned more about the remarkable programs they have each put in place and continue to improve. Richard Jabara from Menlo made everyone’s point when he emphasized how important it is to physically map the supply chain, not just map it on paper. Stories abounded from Hurricane Sandy, including the realization that drivers of big trucks often had to offload their own trucks when they arrived at the destination, and the inefficiencies in water filtration that kept delivered food from being cooked. An earlier panel chaired by Russ Paulsen from the American Red Cross had elicited key resources for early stage recovery: transportation, credentials, and the information needed to determine where to locate corporate generators (Target); and transportation as well as communications on where temporary facilities can be set up (Grainger).

On the second day of the conference, two panels in particular stood out. The DHS Acting Undersecretary for the National Protection and Programs Directorate spoke at length on efforts underway to implement Presidential Policy Directive 21, on physical and cyber risks. She emphasized that cross-sector and cascading consequences in physical security are now connected to the cyber side; that the NIST framework being developed has had significant private sector input; and that the group is also working on developing incentives for voluntary participation in the new framework for information sharing. On that same panel on enhancing cyber infrastructure security and resiliency, Marlene Allison from Johnson & Johnson Services, Inc. spoke highly of the valuable information sharing through the Overseas Security Advisory Council (OSAC), created as a partnership between the Department of State and the private sector.

The final panel was the one I chaired, and all four panelists – Bill Raisch from NYU, Brian Tishuk from ChicagoFIRST, Alan D. Cohn from DHS, and Jim Thompson from the White House – spoke to several questions I asked: Are partnerships the best vehicle for enhancing and maintaining critical infrastructure resilience, or should the private sector be left to its own devices? (Yes and no.) Should regulation be employed to ensure the achievement of minimal levels of resilience and fair treatment across industries? (Better to try to accomplish it without, but sometimes required.) Are sectors the proper focus of partnership activities, or would it be better to address interdependencies instead? (Sectors seem to be identifying the interdependencies.) If we continue down the partnership path, what natural limitations exist and how might their negative effects be mitigated? (It remains to be seen what progress the executive order on voluntary information sharing on cyber threats will yield, which is the best example.) DHS is putting together an after action report which will be publicly available, and which will cover all the panels, not just the ones I selected here to discuss.

Annie Searle is Principal of ASA Risk Consultants, an independent consulting and research firm that provides confidential assessments of existing corporate plans, identifies gaps and offers customized road maps to increase resiliency. Searle is an affiliate faculty member at the University of Washington’s School of Information, where she teaches courses on operational risk, ethics, policy and law. She is a lifetime member of The Institute of American Entrepreneurs. She was inducted into the Hall of Fame for the International Network of Women in Homeland Security and Emergency Management in 2011.

 

The SIG – The Swiss Army...

09-03-2013

In 2005, the Shared Assessments program was born to serve the financial services industry and its major service providers. The intent was to achieve economies of scale by sharing the expense and time in conducting on-site assessments. A group representing six major banks and the Big Four accounting firms met to draft an on-site assessment tool built to the AICPA’s Agreed Upon Procedures attestation standards. While developing that tool, the group discussed many control questions that didn’t fit into an on-site assessment framework, so they built a “parking lot” for control questions that didn’t make it into the Agreed Upon Procedures. By 2007, in its third iteration, the parking lot of questions had developed into an assessment tool in its own right. It was named the Standardized Information Gathering (“SIG”) questionnaire and was presented as a free, closed-question questionnaire covering ISO-based control domains, for use by outsourcing financial institutions to send to their third-party service providers. The SIG represents the “trust” in the Shared Assessments Program’s “trust-but-verify” model, and the AUP represents the “verify”.

Over the intervening years, SIG users have found it to have far greater utility than its original purpose.

Many outsourcers use the abbreviated version of the SIG, the SIG Lite, as a gating tool to assess potential new providers and determine whether a more thorough assessment is necessary. They also use the SIG in a modular fashion, selecting the domains relevant to the particular services provided by a vendor. And, depending on the sensitivity of the services provided or the data shared, the SIG serves either as a standalone assessment tool (where “trust” is sufficient) or as a precursor to an on-site assessment to verify the answers to the SIG’s questions.

Service providers have also found the SIG to be a useful artifact to include in their RFP fulfillment packages. The completed SIG can speed the vendor selection process because it describes to the potential customer the prospective provider’s security and control environment. Service providers also use it to vet their downstream partners.

And, participants on all sides of the outsourcing process have also found the SIG to be an effective self-assessment tool.

So, like the trusty, red, multi-function pocket knife, the SIG has made itself a handy tool.

Santa Fe Group Consultant Bob Jones has led financial institution fraud risk management programs for more than 40 years. A well-known thought leader in the financial services industry and a sought-after expert in risk management strategy, Bob has devoted his career to innovative financial services fraud reduction and risk management. Today, Bob is a consultant, educator and expert witness, and serves as the principal of RW Jones Associates LLC.

CFPB Ups the Ante on Third Par...

08-26-2013

With its broad focus on consumer protection, the Consumer Financial Protection Bureau (“CFPB”) is holding companies directly responsible for the actions of their service providers. Responding to consumer complaints about unfair and/or deceptive practices, the CFPB has handed out over $100M in penalties and fines in the past year. The new regulatory thrust on unfair, deceptive or abusive acts or practices (“UDAAP”) creates a new challenge for any entity that outsources services which require customer interaction.

Companies, particularly those in financial services, have become accustomed to assessing their vendors’ ability to provide suitable risk controls for information security and data protection. Vendor risk rating and risk scoring frameworks have been developed to address the level and frequency that vendor practices in these areas should be scrutinized and assessed. The focus on UDAAP creates a new element in vendor risk management – the need to extend vendor reviews into vendor business practices and procedures that involve customer interaction. It is no longer sufficient to rely on contract provisions which require service providers to operate within appropriate guidelines. It is now necessary to conduct a level of due diligence that allows you to confirm that your vendors are capable of understanding and executing these requirements.

An informal survey of companies that have recently conducted pre-examination engagements reveals that their expectation is that over 80% of CFPB scrutiny will be placed on vendor business practices related to consumer interaction; with the remaining 20% reserved for information and data security practices. While the CFPB has yet to provide meaningful guidance on how these vendor business practices are to be assessed, certain methodologies currently used to evaluate the adequacy of information and data security practices can be extended into this area:

  • Determine what training is provided to employees who interact with your customers
    • What training is provided at hiring?
    • Is training updated and at what frequency?
  • What is the extent of customer interaction?
    • Are additional products and services offered as part of customer service?
      • How are required disclosures addressed?
    • Are payments collected? How is payment information handled?
  • How is customer information obtained as part of customer service treated?
    • Are calls recorded for quality control? If so, customer privacy issues must be considered
  • How are customer complaints handled?
    • Vendor contracts should include disclosure of customer complaints
  • Right to audit must now be extended to include vendor business practices

Perhaps the most important action you can take is to develop a dialogue with your service providers on how to collectively address this new regulatory focus. A proactive approach will allow you to take a reasoned and timely approach to addressing this new area of regulatory scrutiny.

Santa Fe Group Consultant and Shared Assessments Program Director, Brad Keller, has more than 25 years of experience developing and leading risk management and third-party risk assessment programs. Brad is responsible for the development of the Shared Assessments Program’s Tools and key partnerships. Follow Brad on Twitter at @SFGBrad

Consumer Protection and 3rd Pa...

08-19-2013

Why should a Third Party Service Provider (TPSP) care about consumer protection regulatory issues? Because your client cares and your client’s examiner and regulator cares.

Examiners and regulators are holding financial institutions accountable for the actions of their TPSPs through enforcement actions, regulatory requirements and examinations. In turn, financial institutions are requiring their TPSPs to meet consumer protection requirements for functions performed on behalf of the supervised financial institution.

Post Dodd-Frank, the industry has seen an increased focus on third party risk across vertical segments, including health care, financial services and other regulated industries. Concerns about privacy, cyber security, data protection, online privacy, cloud computing and ethical marketing have all been heightened, and consumer protection in particular.

Since July 2012, enforcement actions from the Consumer Financial Protection Bureau (CFPB) and other federal prudential regulators have resulted in $430 million in refunds to consumers and over $100 million in penalties. The focus has been on practices that were deemed unfair, deceptive or abusive (UDAAP) to consumers.

In some instances, these practices were performed by TPSPs and the financial institution was held accountable for the actions of its TPSP resulting in amplified oversight by financial institutions of their TPSPs.

In addition, regulatory requirements for vendor management have been issued by the CFPB, FFIEC and OCC, requiring greater oversight. Expect to see this oversight manifested in contract requirements, increased focus on operational risk, on-site audits, and call center operations.

Questions to ask your service providers (or yourself if you are a TPSP) include:

  • Does your TPSP interact with your end customers or accountholders?
  • Does your TPSP support call center services?
  • Does your TPSP act on your behalf to “sell” financial products or services?
  • Does your TPSP handle end customer complaints?
  • How do you collect payment from consumers and does it involve a TPSP?
  • Does your TPSP conduct marketing activities directly to end consumers?
  • Does your TPSP enroll consumers in financial products or services?

If the answer is yes, then your TPSP needs awareness of consumer protection requirements and you need to ensure that your TPSPs create no harm to your accountholders. This includes conducting due diligence to verify your TPSP understands and is capable of complying with federal consumer protection law.

Due diligence includes review of service providers’ policies, procedures, controls and training materials for processes with direct customer interaction. Your TPSP contract should address expectations and enforcement consequences for violations, including UDAAP issues.

You should establish controls and on-going monitoring to determine whether your service provider is complying with these requirements and take prompt action to address problems, including termination of the relationship where appropriate.

The bottom line is enhanced scrutiny of consumer-facing practices, so that service providers do no harm to consumers. Look at your own practices with consumers and expect the same scrutiny from your clients, regulators and examiners.

Linnea Solem is the Vice-Chair of the Shared Assessments Program and is the Chief Privacy Officer and Director of Business Risk & Privacy Management for Deluxe Corporation. Linnea is a management professional with 20+ years of financial services experience in areas including eCommerce, technology, business development, marketing, information practices and risk management. She is a Certified Information Privacy Professional and led Deluxe’s compliance initiatives for Y2K, GLB, Check 21, and Red Flags legislation.

How Shared Assessment Is Helpf...

08-13-2013

I find it interesting that most people look at security frameworks as an either/or proposition. Should I use SOC2 or ISO-27001 or FedRAMP? I think the better question is how can I use multiple different security frameworks to my advantage?

Recently, during an Information Security Management System (ISMS) Internal Audit for one of our ISO-27001 certified customers, one of those opportunities to leverage an additional “framework” (in this case Shared Assessment) presented itself. What we found during the audit was that their vendor risk management practices were not as “robust” as they likely should be, considering the risk associated with several of their vendors. Under ISO-27002 there are several controls that focus on Vendor Risk Management: 6.2 addresses identification and communication of risks associated with external parties, and 10.2 addresses ongoing monitoring of the risk/relationship. While they had the basics in place, what they really lacked was a formal/robust program, which was increasingly becoming a problem due to hyper growth and an increasing reliance on “the cloud”.

We suggested that leveraging the Shared Assessment Program might be simpler and more effective than developing their own:

  • The Program easily scales to vendors with different risk profiles (e.g., SIG-Lite, SIG, AUP).
  • The Program is based around the ISO standards which they are already using.
  • Should they need third party support (e.g., to conduct a third party audit on their behalf) there are dozens of firms familiar with the Program.
  • The tools to conduct and score the audits and manage the program across vendors already exist.

One other positive of the Program for ISO-27001 certified companies is the new Shared Assessment Vendor Risk Management Maturity Model (VRMMM). It can be used to assess (score) the current maturity of your vendor risk management program. This is a great way to achieve the security metrics and continual improvement principles of an ISO-27001 ISMS.

So rather than ISO-27001 OR Shared Assessment we ended up with ISO-27001 AND Shared Assessment. To me it’s a 1 + 1 = 3 situation.

John Verry, Security Sherpa for Pivot Point Security, has led hundreds of high-profile security assessments across a diverse cross-section of noteworthy systems in the government, legal, telecommunications, critical infrastructure, finance and transportation sectors over the last dozen years. Verry takes his role as “Sherpa” (guide) quite seriously, believing that security is a path not a destination; he is committed to helping entities of all sizes and shapes achieve their security goals. As a certified ISO 27001 Lead Auditor, John is a proponent of the ISO framework to help companies establish, maintain and continuously improve a robust Information Security Management System (ISMS).

The NSA, Snowden and Third-Par...

08-05-2013

Remember this: Edward Snowden Worked for a Third-Party Vendor. While it remains uncertain what exactly Mr. Snowden shared with other nations, we do know this: he wasn’t authorized to disclose classified information. Some may believe he is a hero, others believe he is a villain. It is clear, though, that his employer, consulting firm Booz Allen, is the recipient of unwanted publicity. The company is one of the more prominent government contractors supplying personnel to the intelligence community.

It is also clear that the third-party background investigation firm that vetted Mr. Snowden is under examination. Northern Virginia-based USIS, which advertises that it is “the leader in federal background investigations,” is on the hot seat. U.S. Senator Claire McCaskill (D-Mo.) said during a Senate hearing in June that USIS is “under active criminal investigation.”

The Senator also noted that there appears to be “systemic failure to adequately conduct investigations under its contract.” In a statement that should resonate with every company engaging with third-party background investigation services, Sen. McCaskill commented that this should serve as “a reminder that background investigations can have real consequences for our national security.” The problem extends to companies outside of the Washington Beltway and the defense and intelligence arena.

While it is unlikely that third-party employee behavior will rise to the level of policy violation exhibited by Mr. Snowden, it doesn’t have to in order to compromise information integrity, breach corporate governance and contracts, and violate regulatory requirements in the forms of identity theft, trade secret theft, brand hijacking, blackmail, and extortion. The background investigation doesn’t always work.

The annals of background investigation history are rich with examples of failed policy, procedures, and even strategies associated with understanding the truth about a candidate’s past. Criminals have passed background checks. There is a reason that top secret security clearances can take up to nearly two years to conduct and may cost several thousands of dollars—and sometimes much more–depending on a number of variables relative to each case. Of course, not every candidate needs this level of background investigation. But companies should examine the background investigation process used by third-parties that have physical, logical, or administrative access to information.

It’s always good to scale the background investigation to the level of access involved. Some organizations initiate background checks only on some candidates. One executive remarked that “we only conduct checks on positions with the title of vice president or above.” This can convey a false sense of security. While senior executives may have access to critical sensitive information, many lower level positions come with a high level of access to that same information.

Here are ten background investigation considerations:

  1. Assess how the third-party under consideration may pose risk to your company, not by the title or level of a position, but rather the level of access to information.
  2. Make sure the third-party is open and responsive to questioning about the background check process. Trust but verify, as the saying goes.
  3. Ask about their background investigation vendors, and then conduct your own due diligence on those firms used by the third-parties. Examine the processes and methods used to investigate candidates.
  4. Don’t hesitate to ask to see background check forms. We’ve seen background reports where certain information contained in the report didn’t seem right—and it wasn’t. Maybe it was a phone number that didn’t seem correct, perhaps an area code that doesn’t exist. Yes, people actually make up telephone numbers and addresses. It may be worth knowing what type of telephone number was used by the candidate. Is it a temporary, prepaid number? Is it a registered mobile number, a home telephone, or maybe even a business telephone number? Is it the number of a family member, a friend, or other person?
  5. Have the third-party firm supply references. And make sure that the references are consistent with your company. For example, if the third-party is going to handle regulated data, check out companies that have engaged the third-party to manage that type of information. The security and privacy requirements may be industry or jurisdiction specific.
  6. Check the third-party breach history and the cause of any breaches. Were any breaches linked to failures in the background investigation process?
  7. Ask what lessons were learned after any breaches and if those lessons were incorporated into the background analysis process.
  8. Are employees ever reinvestigated?
  9. What is the reinvestigation frequency and scope?
  10. Are reinvestigations triggered by certain life events, or corporate events, such as a merger or acquisition?

The accuracy and effectiveness of background investigations of third-party employees is one of the best defenses against a breach and its consequences. Knowing who has access to your data, and whether they are trustworthy, is a mandatory tenet of strong corporate governance.

MacDonnell Ulsch is the CEO and Chief Analyst at ZeroPoint. He advises a wide range of clients in the private and public sectors. He is the author of the book “THREAT! Managing Risk in a Hostile World,” and is currently writing “CYBER THREAT! How to Control the Growing Risk of Cyber Attacks,” to be published in 2014 by John Wiley & Sons Inc.

Information Security in the Fi...

07-29-2013

Santa Fe Group Consultant and Shared Assessments Program Director, Brad Keller, was recently interviewed by John DiMaria, Product Marketing Manager, BSI Management Systems. Brad, along with members from BITS and the Financial Services Roundtable, shares his perspective on the recent Executive Order and offers a strong position for industry and government partnership to improve security.

The article, Information Security in the Financial Industry. More regulation or better regulation?, is now available on the BSI Management Systems website.

John DiMaria is a BSI Certification Portfolio Expert, Six Sigma Black Belt, certified Holistic Information Security Practitioner (HISP), and Master HISP with over 25 years of successful experience in Management System Development.

Santa Fe Group Consultant and Shared Assessments Program Director, Brad Keller, has more than 25 years of experience developing and leading risk management and third-party risk assessment programs. Brad is responsible for the development of the Shared Assessments Program’s Tools and key partnerships.

Shared Assessments member Prev...

07-26-2013

Shared Assessments member Prevalent Networks announced the release of its flagship solution, Prevalent Vendor Risk Manager (PVRM), which leverages Shared Assessments content to conduct controls-based assessments, schedule regular vendor risk evaluations, and obtain risk scoring per vendor against a set standard.

Pivot Point Security, discusse...

07-23-2013

Shared Assessments member, Pivot Point Security, recently discussed Shared Assessments on their Information Security blog. The blog discusses the benefits of Pivot Point Security’s involvement as a participating member and the various aspects of our Program. Learn more by visiting the Pivot Point Information Security blog.

The Consumer Financial Protect...

07-22-2013

On July 12, 2013, the Consumer Financial Protection Bureau (CFPB) updated its definitions regarding what constitutes an “unfair” practice by a debt collector under the Fair Debt Collection Practices Act (FDCPA). (Consumer Financial Protection Bureau (CFPB), Fair Debt Collection Practices Act, http://business.ftc.gov/documents/fair-debt-collection-practices-act, July 2010, p. 2.) Debt collection regulations govern all consumer debt, including mortgages; bank accounts, credit cards and service fees; private student, auto, and other consumer loans; and medical bills.

The CFPB may review collection efforts for potential violations of this and other federal consumer financial laws. A thorough understanding of this Act is extremely important, as the CFPB looks closely at third party service providers’ conduct in debt collection and loan servicing.

The FDCPA restricts debt collectors from unfair, deceptive, or abusive practices (UDAAPs). Practices that are deemed “false, deceptive, or misleading” include a collection representative:

  • Falsely representing themselves as an attorney.
  • Threatening to do things they do not intend to follow through on, or to commit illegal acts (imprisonment, bodily harm, etc.).
  • Attempting to collect charges in addition to the debt amount that are not allowed by written contract and/or state law.
  • Harassing a debtor. Consumers are entitled to prevent continued contact from unwanted or inappropriate collection activities.
  • Contacting a debtor at what is known to be an inconvenient time.
  • Contacting a debtor instead of their attorney once the debtor has indicated they have engaged an attorney to handle the matter.
  • Refusing to validate a debt that they are trying to collect.
  • Knowingly misleading the consumer, including attempting to collect a debt that has become obsolete or misrepresenting the amount owed.
  • Using symbols or language visible on the outside of any correspondence (publicly visible outside the envelope) indicating that they are a debt collector. This includes using a postcard.
  • Making claims regarding how the collection of the debt will affect a consumer’s credit report, score, or creditworthiness.

The collection company also must refrain from:

  • Taking possession of property without legal right.
  • Revealing the debt, without the consumer’s consent.
  • Misrepresenting that a debt could be waived upon settlement when that is not intended.
  • Failing to post payment in a timely manner.

Examples of FTC determination of non-compliance can be seen on the FTC website.

The FDCPA was originally enacted in response to significant evidence of such practices and to findings that they contributed directly to personal bankruptcies, loss of employment, and marital instability, and in many cases constituted invasions of personal privacy. Because many debt collectors conduct their business through interstate commerce, the law is intended to provide a level platform for these activities. Other state and federal laws also prohibit generally unfair, deceptive, or abusive business acts and practices. This broad range of laws must always be taken into account when designing and implementing collection policies and procedures.

Both the CFPB and the FTC provide ongoing information updates and resources related to debt collection practices, as does each State Attorney General’s office.

Santa Fe Group Consultant and Shared Assessments Program Director, Brad Keller, has more than 25 years of experience developing and leading risk management and third-party risk assessment programs. Brad is responsible for the development of the Shared Assessments Program’s Tools and key partnerships.

Why Risk Management Matters...

07-19-2013

Risk is a tricky thing. Without it, growth is impossible. But it’s not just about taking more risks, it’s about understanding and controlling the risks you take.

Entrepreneurs’ biggest threats take many forms, including strategic, operational, financial and compliance risks. Individually or combined, these can jeopardize a company’s financial and operational stability.

By EYVoice, Forbes.com, July 18, 2013

Click here to read the full article and learn more.

CFPB: What is New Regulator...

07-18-2013

The Consumer Financial Protection Bureau, established under Dodd-Frank, is the newest member of the Federal Financial Institutions Examination Council.

What that means for some U.S. banking institutions is an additional layer of regulatory oversight. But how are the CFPB’s policies expected to impact information security and risk management?

What Price Reputation?...

07-15-2013

Talk about a teaching moment! The theft of highly classified information from the National Security Agency by Booz Allen Hamilton employee Edward Snowden brings front and center issues that outsourcers and their service providers face every day:

  • Do I have in place policies, procedures, and systems that adequately protect my customers’ information and my organization’s proprietary information?
  • Do my service providers have in place policies, procedures, and systems that adequately protect my customers’ information and my organization’s proprietary information?
  • And how do I find out what those protections are and how well they are managed ?

NSA’s mandate for producing and analyzing signal intelligence requires it to protect its sources and methods. When I worked for the agency more than 40 years ago, compartmentalization and need-to-know were the words of the day … every day. I suspect they still are, though both tenets seem to have broken down in this instance.

I obviously don’t know what services Booz Allen Hamilton was contracted to provide the NSA. I also obviously don’t know if the NSA has systems in place to conduct assessments of its service providers’ information security policies, procedures, and practices. But I do know that the agency’s failure to prevent Snowden from accessing and removing the information he is now disclosing is likely resulting in the degradation of its intelligence gathering methods and presenting the United States a diplomatic brouhaha, the extent of which is difficult to predict.

One can argue that the NSA’s breach is an order of magnitude more damaging to the nation than a breach suffered by a commercial organization. However, many Shared Assessments members and non-member users of the Program’s Tools present systemic threats because they are part of critical infrastructure segments, including financial services, electric power generation and transmission, and telecommunications. Every organization has the same need to protect its customers’ information and its proprietary information. And while damage to brand, loss of market share, and loss of market capitalization aren’t issues for intelligence agencies, they are of significant importance to private sector organizations. Thus, a formal third-party assessment program is a key component of effective governance.

So, with apologies to John Donne, “… never send to know for whom the bell tolls …”.

Santa Fe Group Consultant Bob Jones has led financial institution fraud risk management programs for more than 40 years. A well-known thought leader in the financial services industry and a sought-after expert in risk management strategy, Bob has devoted his career to innovative financial services fraud reduction and risk management. Today, Bob is a consultant, educator and expert witness, and serves as the principal of RW Jones Associates LLC.

Impact of Third Party Risk Man...

07-08-2013

While there are often significant non-financial benefits to understanding your vendors’ controls, many executives are still “fuzzy” on why they need a third party or vendor risk management program. Generally, an organization outsources a business function to a service provider because it is less expensive than staffing the expertise and building the infrastructure internally. Building oversight (and additional cost) to manage the risks posed by these relationships into the budget seemingly reduces the ROI. However, not fully understanding these risks can cost the organization significantly more during and after a data breach. Once the decision is made to outsource, the sharing of sensitive information is a requirement; and due diligence becomes one of the only mechanisms to understand whether the third party has the necessary controls in place to protect your data.

Until recently it was difficult to understand the role third party error plays in a data breach. In May, the Ponemon Institute published its 2013 Cost of a Data Breach Study, sponsored by Symantec. Based on its research, Ponemon identified third party error as the number one factor increasing the cost of a data breach. The report maps this factor to an additional average cost of $43 per record (in the U.S.) when the breach is caused or influenced by a third party error. By simple arithmetic, this means that in an average data breach influenced by third party error, the additional cost is over $1,200,000 per incident.

Although third party risk management is not called out specifically as a mechanism to reduce this data breach cost by Ponemon, based solely on my experience, a third party risk program can reduce these costs by 20-80%. This number is clearly influenced by the maturity and scale of the program as well as incident response plans. For example, if only a very small percentage of critical vendors are assessed this will have less significance than organizations that are able to assess most or all of their vendor population. Asking the right questions, collecting the right evidence, consistency in the process, a strong toolset, and other maturity factors also play key roles.

I am interested in hearing what your experience has been. Have you seen the occurrence and/or cost of data breaches reduced as you have matured your third party risk program?

Prevalent Networks Managing Director and Shared Assessments Steering Committee Member, Jonathan Dambrot, CISSP, works with the leading organizations in the world to help better manage third party and IT related risks. Prevalent develops Prevalent Vendor Risk Manager and provides compliance automation solutions from the cloud with its Prevalent Compliance as a Service. Jonathan is responsible for driving the direction of Prevalent, as well as managing the sales, project management, operations, legal, and marketing organizations at the company.

Examiners’ Growing Misus...

07-02-2013

After the recent downturn, examiners have been placing more emphasis on reputation risk. This emphasis, however, is being applied paternalistically, in a way that is limiting legitimate transactions.

Continuous Vigilance: The New ...

06-27-2013

“It’s more fun to be a pirate than to join the Navy,” – Steve Jobs

Global sourcing has developed into an intricate web of complex professional relationships that span oceans and continents alike, as companies seek to optimize their operations through outsourcing, offshoring, and cloud-based services. This increase in complexity in globalization is accompanied by a new tide of risks, greater than ever before in volume and variety.

As one example, cyber risk continues to grow, as modern day pirates are drawn to attacking companies wherever in the world they may let down their guard.

Far from seeing the glass as half empty, there is no reason for companies to turn the clock back on globalization or give up on further gains. The need of the hour, instead, is a proactive and effective risk-monitoring mechanism and strategy to manage these new levels of risk and complexity.

The unity and diversity of risks

So who’s to blame for the growing risks in globalization? The simple answer is: geography and scale. It is this unity that binds globalization risks, while the diversity of the risks comes from the distinct vulnerabilities of each location and the scale at which sourcing is performed.

A decade ago, outsourcing was largely dominated by giant nations such as China and India. Today, the globalization landscape has expanded to include over 50 countries with at least modest scale, in regions such as Latin America and Eastern Europe. These offer lower costs as well as proximity and increased time-zone overlap with the developed markets of North America and Europe respectively, which are important factors for activities such as agile software development. This geographic sprawl is partially responsible for the higher risks.

Geographic risks encompass much more than natural disasters: they include regional politics, regional financial policy, local (city- or region-specific) culture, and legal risks. Despite the increase in the variety of risks, even the worst of them can be assessed in advance, avoiding service disruptions, financial losses and, potentially, brand dilution.

In our Neo Group model, for example, risks are monitored by continuously collecting data in real-time across 500+ parameters at the Country, City and Supplier levels and analyzed using an analytical engine to help inform critical decision-making. And the types of risk monitored must be constantly updated: last year we added cyber attacks and corresponding changes to jurisdictional cyber crime law to the parameters we watch.

We don’t advocate our model exclusively, but over the past two years clients have used it in the real world with encouraging results. In one case, this model helped pick up early warning signals on a policy decision in India: the termination of the Software Technology Parks of India (STPI) scheme, which offered tax breaks. Based on the resulting recommendations, one of our clients, a leading semiconductor company, proactively renegotiated a deal with a partner to locate in a Special Economic Zone (SEZ), ahead of the policy announcement. This “operational arbitrage” helped the client realize annual savings of approximately 11%.

Conclusion

For global minded companies, the point is that the world has changed, becoming abundantly more complex, and the tools we use to manage it should therefore change too.

Firms leveraging global services can help avoid a different kind of anxiety by adapting a risk management approach and system to ensure the stability of operations and avoid significant disruptions.

It may not be as fun as being a pirate, but monitoring and managing global risks continuously is the new norm.

Atul Vashistha is Chairman and Alan Hanson is SVP of Neo Group Inc., a leading Global Advisory and Supply Analytics and Monitoring firm that provides Global Supply Risk Monitoring (SM) as a service for dynamically monitoring, managing and predicting country, city and supplier risks. Please visit Global Supply Risk Monitor for more details on GSRM (SM).

BYOD: The Why And The How...

06-24-2013

Today’s organizations struggle with providing employees with access to the latest technologies. It’s common practice for employees to use their own devices at work for a number of reasons. Some believe BYOD is the answer to a lot of problems, others see it as a complex security issue that introduces a variety of difficulties. What are the pros and cons of BYOD in a large organization?

Learn about the challenges involved in evaluating, deploying and maintaining BYOD programs in large organizations.

By Brad Keller and Robin Slade, Senior Vice Presidents at The Santa Fe Group.

Risk Management: Establishing ...

06-19-2013

As companies strive to strengthen their organizations through the outsourcing of products and services, close attention must also be paid to the additional risk implications of these practices. One issue emblematic of these additional risks is the increasingly common practice of subcontracting by outsourced vendors, which creates the opportunity for vastly increased risk, especially as third- and fourth-order outsourcing begins to occur in today’s business ecosystem. This practice has led to a growing trend of attackers targeting a vendor in order to reach the more sensitive information of that vendor’s customers. Such a breach almost always directly affects the reputation of the company (as opposed to the vendor) in both the public eye and the eye of regulators.

In today’s climate, decision-makers must apply the same risk analysis to their third party service providers that they use in their own IT environment to protect against outside threats. Assume a breach at a third party service provider is inevitable and respond proactively. While this may seem obvious, many executives naturally trust their internal IT staff and Risk Committee assessments. But, in reality, over 75% of all breached companies have to be told by outside sources, such as third party benchmarking study contractors or law enforcement, that they have an “Advanced Persistent Threat” on their network.

In addition to the monitoring of key vendors and timely follow through, banks can and should create a culture of opportunity for their staff at all levels, from the Board through senior executives to on-the-ground IT and Operations staff members. This requires a coordinated campaign of education targeted toward the increased threats that occur during such vendor events as geographic diversification, merger, acquisition, management changes and/or subcontracting. Such a campaign must clearly:

  • Demonstrate the financial value of data, not just in its use as an economic tool, but also as a means of establishing public and regulatory trust so essential to future marketplace growth.
  • Convey the specific and serious nature of the risks that multiple layers of vendors present and how to recognize them.
  • Motivate and provide staff with the tools to proactively search for and act upon threats.

Dedicating resources to create this culture of opportunity that both educates staff and protects data is not as costly as may be assumed and the return on investment in these resources in the form of goodwill can more than compensate organizations for their efforts.

Santa Fe Group Consultant and Shared Assessments Program Director, Brad Keller, has more than 25 years of experience developing and leading risk management and third-party risk assessment programs. Brad is responsible for the development of the Shared Assessments Program’s Tools and key partnerships.

Welcome to Authorities on Assu...

06-12-2013

As a leader in third party risk management, the Shared Assessments Program welcomes you to Authorities on Assurance. Our blog will feature discussions on current issues, trends and challenges in third party risk assurance from the perspective of the people who confront these challenges on a daily basis. We will address the most pressing issues faced by today’s third party risk managers and assessors, and provide practical solutions to those problems whenever possible.

Contributors will include knowledge experts from all areas of the third party arena – vendors, service providers, assessment firms, and, of course, the companies who utilize these services – helping to ensure that issues are covered from all relevant perspectives.

We invite you to join the conversation and help further everyone’s ability to address third party risk issues.

Mobile Devices: What To Do If ...

06-10-2013

Driven by employee demand and the perception of better efficiency, the use of mobile devices in the workplace continues to grow. So, not only must today’s IT security managers determine how to manage these devices in their own environment, they must also determine whether their third party service providers are allowing employees to access their data and/or systems through a mobile device as well. This is particularly important if your vendors follow the Bring Your Own Device (“BYOD”) approach to mobile device implementation.

Unfortunately only the most recently executed vendor contracts will tend to address the issue of mobile devices. Even if your vendor agreements do cover the use of mobile devices to access your systems and data, you must be able to determine if your vendor can meet your contract’s requirements for a secure mobile device environment.

The foundation for effectively controlling mobile devices, like almost all other IT services, is the development and implementation of a thorough and easily understandable set of policies and guidelines. Keep in mind that what you are looking for is how your vendor allows their employees to use mobile devices to access your data and/or systems. How they choose to allow employees to perform other tasks unrelated to the execution of their contractual obligations (like accessing company email accounts) may reveal their understanding of mobile device risk, but it is not directly relevant to how they discharge their obligations to protect your data and systems. When assessing your vendor you should determine if their mobile device policy contains at least the following provisions:

  • Security awareness training/education
  • Acceptable use
  • Operating system security
  • User responsibilities
  • Access control
  • Data handling
  • Individual responsibility if co-mingling personal and organization data on the mobile device
  • Constituent accountability
  • Secure disposal of device at end of life
  • Vulnerability management
  • Responsibility for ensuring mobile device operating system is updated
  • Responsibility for ensuring mobile device applications are updated
  • Reporting information security incidents in the event of loss or theft
  • Prohibit sharing a mobile device with other users, including family and friends
  • Ownership of data on the device
  • Legal ownership and rights of the mobile device
  • Specific actions that organization may take in the event of a lost/stolen or compromised mobile device (e.g., remote disable, remote wipe, confiscation)
  • Data sanitization of (organization) data, settings and accounts on the mobile device at end of life
  • Creation and use of mobile hotspots on an organization’s premises (BYON – Bring Your Own Network)
  • Consequences for non-compliance with mobile device policy
  • User authentication on the device
  • Device encryption

While a vendor may be unwilling to provide you with the full content of their mobile device policy, they should be agreeable to providing you with the policy’s table of contents, or other documentation that confirms all of the areas addressed by their mobile policy. Ultimately, the adequacy of your vendors’ mobile device policy, and the provisions it should include, will be determined by what your vendors allow their employees to do with mobile devices, your company’s risk tolerance, and, to a large extent, the regulatory environment in which you operate.

Santa Fe Group Consultant and Shared Assessments Program Director, Brad Keller, has more than 25 years of experience developing and leading risk management and third-party risk assessment programs. Brad is responsible for the development of the Shared Assessments Program’s Tools and key partnerships.

“Right-Sizing” Your Vendor...

05-10-2013

Balancing the weights of risk, compliance and governance in today’s regulatory landscape.

By Linnea Solem, Deluxe

New Shared Assessments Tools O...

02-23-2013

The Shared Assessments Program released to the public the new Standard Information Gathering (“SIG”) questionnaire, Agreed Upon Procedures (“AUP”) and Vendor Risk Management Maturity Model (“VRMMM”) for 2013. The Tools will be available beginning Tuesday, February 19th. Read Press Release

Visit our store to learn more »

Shared Assessments Questionnai...

10-10-2012

The Shared Assessments Program announced that one of its primary risk assessment Tools, the Standard Information Gathering (“SIG”) questionnaire, is now included as one of the authorities mapped by Network Frontiers’ Unified Compliance Framework (UCF), as part of their 3rd Quarter update. Read More »

Pivot Point Security Joins Sha...

04-16-2012

Pivot Point Security, a leading Information Security Assurance firm, announces that it has recently joined The Santa Fe Group’s Shared Assessments Program as an assessment firm member. Read More »

The Financial Impact of Breach...

03-05-2012

PHI data breaches are growing in frequency and in magnitude. Protecting valuable health data is an important business decision for all health care organizations.

Authored by more than 100 health care industry leaders, this free report includes PHIve—a 5-step method to assess specific security risks and build a business case for the appropriate level of investment needed to safeguard PHI.

A free download is available at http://webstore.ansi.org/phi

ANSI and Shared Assessments La...

03-23-2011

Healthcare organizations are struggling with two key concerns today: how to protect patient information and how to better understand the financial harm caused when protected health information (PHI) is lost or stolen.

Download the PDF