Presentation is loading. Please wait.

Presentation is loading. Please wait.

Vendor Management from a Vendor’s Perspective. Agenda Regulatory Updates and Trends Examiner Trends Technology and Solution Trends Common Issues and Misconceptions.

Published byLewis Dixon Modified over 8 years ago

Similar presentations

Presentation on theme: "Vendor Management from a Vendor’s Perspective. Agenda Regulatory Updates and Trends Examiner Trends Technology and Solution Trends Common Issues and Misconceptions."— Presentation transcript:

1 Vendor Management from a Vendor’s Perspective

2 Agenda Regulatory Updates and Trends Examiner Trends Technology and Solution Trends Common Issues and Misconceptions The Vendor Perspective Best Practices for Effective Vendor Management

3 Exclusive to the financial institution market Over 500 financial institutions 99% client retention & renewal rate SOC 2 Type II audited solutions Experts in banking technology A strong regulatory compliance knowledge base Multi-layered approach to enterprise security Multiple core processors and applications Single point of contact for IT and regulatory guidance Most Innovative Solution 2011–2013

4

5 Regulatory Trends Increased Regulatory Scrutiny Examiners realize the trend in outsourcing more Solutions still have to be managed as if they were created and managed in-house Increased focus on cyber security Institution Vendor

6 Regulatory Trends Institutions continue to increase the use and scope of solution providers Increased findings from regulators on concerns they find during vendor exams FFIEC Webinar on Cyber Security Cyber Security Toolkit FFIEC updates Appendix J FDIC FIL https://www.fdic.gov/news/news/financial/201 4/fil14013.pdf https://www.fdic.gov/news/news/financial/201 4/fil14013.pdf

7

8 FFIEC Update – Appendix J Third-party management – Due Diligence Right to audit Subcontracting Foreign-based service providers BCP testing Data governance TSP updates Security issues – Contracts – Ongoing Monitoring Third-party capacity – Significant Technology Service Provider Continuity Scenarios

9 Appendix J – Continued Testing with third-party Technology Service Providers – Testing Scenarios TSP outage or disruption FI outage or disruption Simultaneous cyber attacks – Testing Complexity Cyber resilience – Risks Malware Insider Threats Data or Systems Destruction and Corruption Communications Infrastructure Disruption Simultaneous Attack in FI and TSP

10 FFIEC Outsourcing Technology Appendix D Managed Security Services Network Boundary Protection Management of Intrusion Detection and Prevention for Networks and Hosts Event Log Management and Alerting Anti-Virus and Web Content Filtering Services Patch Management and Security Software Management Security Incident Response and Management Data Leak Prevention Secure Messaging Information Security Consulting Services

11 MSSP Update Critical considerations include… availability, integrity, and confidentiality… …of Financial Institution Data.

12 The Compliance Process Simplified

13 Examination Trends Focus on Management “M” in CAMELS rating Layered Defense to Security Threats Vendor Management Focus Business Continuity Planning not Disaster Recovery Segmentation of duties and backup for key personnel Oversight and Validation of IT Vendors having wrong or limited SOC reporting

14 Technology Trends We have to do more with less resources Leverage the cloud Core / third party applications Structure of services Hybrid/ Private / Public Heavy fintech focus on mobile and customer relationship enhancement Increase leverage of solutions to assist in verifying adherence to policies and procedures

15 The Vendor’s Perspective The difference between buying solutions and being sold solutions Sales Ethics Technical Understanding vs High Level Functionality Multiple Decision Makers – Technical – Senior Level – Tech Committee Request for Proposal

16 Common Issues and Misconceptions SOC 1,2 &3 vs Type 1 &2 SOC 2 (and others) Vendor can define what services are reviewed Review Timing Third Party Providers / Contractors Lack of understanding outside of fintech companies Risk Assessments Not Completed

17 Best Practices Review Vendors at Least Annually Define Reporting Process Centralize Key Components of Contracts Renewal Dates Auto Renewal Dates Last Risk Assessment Review Risk Rate Vendors Inherent Risk Residual Risk

18 Risk Review Categories Access to NPI – Core Access to NPI – Non-Core Access to confidential Information Criticality of the service Complexity and Availability of the Service Concentration Risk Cloud Based Foreign Based

19 Reducing Inherent Risk Is the Vendor Financial Institution Specific? Do they have a user group? How much verification information do you receive? What type of Audit and Reporting do they have? Automated systems vs manual processes / spreadsheets

20 Best Practices for New Contracts Take control of the references you receive – Core Processor – Geography – Size – Ask for More Ask the references the same questions Increase your peer group Attend user groups Leverage your other vendor relationships Fill out the risk assessment

21 Ask the hard questions Vendor When customers don’t renew, what are the reasons? What items are not included in proposal? How do you prioritize your enhancements? References What was unexpected vs. your expectation? When issues arise, how are they handled? How honest do you feel the company and sales rep are?

22 Existing Vendors Ongoing Management Annual Updates Reporting / Verification of Adherence Review of Business / Strategy Annually User Group Conferences / Attendance Updated Vendor Management Packet Updated Risk Assessment Long-term Contracts Don’t Remove the Need for Annual Review

23 Summary Vendor Management has heightened oversight from examiners Senior Management and the Board need to be involved Vendor Management will continue to grow in importance as more solutions are outsourced It’s important to leverage peers and references in the process

24 Questions?

25

Download ppt "Vendor Management from a Vendor’s Perspective. Agenda Regulatory Updates and Trends Examiner Trends Technology and Solution Trends Common Issues and Misconceptions."

Similar presentations

Managed Funds Association’s Sound Practices for Hedge Fund Managers 2009 Edition.

Managed Funds Association’s Sound Practices for Hedge Fund Managers 2009 Edition.
Chapter 13 Managing Computer and Data Resources. Introduction A disciplined, systematic approach is needed for management success Problem Management,

Chapter 13 Managing Computer and Data Resources. Introduction A disciplined, systematic approach is needed for management success Problem Management,
© 2005, QEI Inc. all characteristics subject to change. For clarity purposes, some displays may be simulated. Any trademarks mentioned remain the exclusive.

© 2005, QEI Inc. all characteristics subject to change. For clarity purposes, some displays may be simulated. Any trademarks mentioned remain the exclusive.
Peter Brudenall & Caroline Evans- Simmons & Simmons Marsh Technology Conference 2005 Zurich, Switzerland. Managing the Security Landscape – Legal and Risk.

Peter Brudenall & Caroline Evans- Simmons & Simmons Marsh Technology Conference 2005 Zurich, Switzerland. Managing the Security Landscape – Legal and Risk.
Security Controls – What Works

Security Controls – What Works
Security Engineering II. Problem Sources 1.Requirements definitions, omissions, and mistakes 2.System design flaws 3.Hardware implementation flaws, such.

Security Engineering II. Problem Sources 1.Requirements definitions, omissions, and mistakes 2.System design flaws 3.Hardware implementation flaws, such.
NIST framework vs TENACE Protect Function (Sestriere, 21-23 Gennaio 2015)

NIST framework vs TENACE Protect Function (Sestriere, Gennaio 2015)
Computer Security: Principles and Practice

Computer Security: Principles and Practice
© 2014 Level 3 Communications, LLC. All Rights Reserved. Proprietary and Confidential. Polycom event Security Briefing 12/03/14 Level 3 Managed Security.

© 2014 Level 3 Communications, LLC. All Rights Reserved. Proprietary and Confidential. Polycom event Security Briefing 12/03/14 Level 3 Managed Security.
Stephen S. Yau CSE 465-591, Fall 2006 1 Security Strategies.

Stephen S. Yau CSE , Fall Security Strategies.
Vendor Management Frequent regulatory findings:

Vendor Management Frequent regulatory findings:
Copyright © 2014 Lender Performance Group, LLC. All rights reserved. Managing risks associated with third-party relationships, in other words Vendor Management.

Copyright © 2014 Lender Performance Group, LLC. All rights reserved. Managing risks associated with third-party relationships, in other words Vendor Management.
Guidance for Managing Third-Party Risk Chicago Region Regulatory Conference Call December 8, 2010.

Guidance for Managing Third-Party Risk Chicago Region Regulatory Conference Call December 8, 2010.
1 Business Continuity and Compliance Working Together Kristy Justice, AVP WaMu Card Services 08/19/2008.

1 Business Continuity and Compliance Working Together Kristy Justice, AVP WaMu Card Services 08/19/2008.
Maintaining & Reviewing a Web Application’s Security By: Karen Baldacchino Date: 15 September 2012.

Maintaining & Reviewing a Web Application’s Security By: Karen Baldacchino Date: 15 September 2012.
Comptroller of the Currency Administrator of National Banks E- Security Risk Mitigation: A Supervisor’s Perspective Global Dialogue World Bank Group September.

Comptroller of the Currency Administrator of National Banks E- Security Risk Mitigation: A Supervisor’s Perspective Global Dialogue World Bank Group September.
Security Risk Management Marcus Murray, CISSP, MVP (Security) Senior Security Advisor, Truesec

Security Risk Management Marcus Murray, CISSP, MVP (Security) Senior Security Advisor, Truesec
Vendor Risk: Effective Management is Essential

Vendor Risk: Effective Management is Essential
Telenet for Business Mobile & Security? Brice Mees Security Services Operations Manager.

Telenet for Business Mobile & Security? Brice Mees Security Services Operations Manager.
Resiliency Rules: 7 Steps for Critical Infrastructure Protection.

Resiliency Rules: 7 Steps for Critical Infrastructure Protection.

Similar presentations

Ads by Google