Every small bank and credit union regardless of asset size has to perform yearly due diligence research on each of their critical vendors. We know as IT security professionals and you know as banking professionals that there has to be a more scalable way to manage these relationships, share the information across the organizations and ensure that everyone is held to the same standard.
What is Vendor Risk Management?
It is the process of ensuring that the use of external service providers and other vendors does not create unacceptable potential for business disruption or negative impact on business performance.
So how can you protect yourself from these third-party risks? In October 2014 a Gartner report was quoted as saying:
Through 2016, despite being a top priority of CIOs, less than 15% of vendor management programs will leverage data analytics and business intelligence to identify and manage vendor risk.
Given the quote above and the current regulations, exactly what are the requirements in performing yearly inspection of vendors and suppliers? Rivial looked at both the NCUA and the FDIC requirements and we have carefully outlined the following items to ensure that your partners meet and exceed the guidelines.
Requirements
The regulatory requirements break down into 5 categories of information: Company Details, Reputation, Engagement, Financial Stability and Cybersecurity. Rivial has studied the details and the regulations boil down to some fundamental questions.
When you can answer each of the questions above clearly for each vendor and each year, then you are abiding by the principles of excellent vendor management. More specifically, let's talk about creating a successful IT VRM program within your institution. The key to managing your vendors is aligning them with your program and following these 6 simple steps:
Whether you perform this due diligence in house with existing staff, outsource the financial and reputation reviews, or use a service like Vendor Intelligence, you have options.
Rivial covers each of the due diligence areas through detailed analysis of company details, reputation and financial stability, and provides a data security grade.
Review: Rivial Vendor Intelligence Sample Report - CenturyLink - 2015-02-23
A Closer Look at the Company Details
Take a look at the detailed reporting that an outsourcing company can provide. Rivial provides rich details including:
With all of this data, what exactly should you be looking for?
Summary
If you have read this far, you have a solid knowledge of risk and of how third-party vendor risk affects your institution. Rivial is taking this opportunity to offer to automate your IT VRM program by outsourcing it to a vendor (Rivial Security) that specializes in risk and reporting, backed by a data partnership with Experian.
Next Steps
NCUA Link: http://www.ncua.gov/Resources/Documents/LCU2008-09ENC.pdf
FDIC – Guidance for Managing Third-Party Risk: https://www.fdic.gov/news/news/financial/2008/fil08044a.html
Vendor Intelligence
http://www.rivialsecurity.com/vi
If you run into any questions or issues, please do not hesitate to contact your new security partner, Rivial Security.