Vendor Management & Business Value
9/16/2018 © 2012 Rick Hebert & Associates
Vendor Management Risk Assessment
A 5-step process for selection, review and oversight of vendors:
- Risk Assessment
- Due Diligence in Selection of New Vendors
- Contract Review
- Vendor Oversight
- Examiner Supervision
Risk Assessment
For new high-risk vendors, an in-depth assessment is conducted. Whether high risk or not, an assessment may be conducted if the vendor may have a substantial impact on the business or is offering a new service that has not been previously offered.
SSAE, SOC
SOC3: a certification of controls. Reviews the controls as in SOC1 and SOC2, but will also provide certification that the controls are adequate and appropriate for a vendor.
SSAE, SOC
A few other alternatives:
- E-Security Cyber Trust Certification
- PCI (Payment Card Industry) Compliance, along with ample auditing and reporting
- 3rd Party Reviews
- IT Risk Assessment
- Examination Results
- Others
Program
- Vendor Management Program & Policy
- High Risk Vendors
- Vendor Risk Assessment Ratings Matrix
- New Vendor Risk Assessments
- New High Risk Vendors
Program
- Vendor Risk Assessments should be ongoing
- Vendor Management should be incorporated in the GLBA or customer confidentiality Policy
- Vendor Management should be incorporated in the Red Flags/Identity Theft Policy
Program
- Vendor Financials
- Vendor Relationship
- Fraud
- Contract Review Policy
- Third Party Service Provider Standards
Program
Due Diligence is the process of reviewing the vendor and determining whether the organizations can work well together. This may be accomplished with a strict format or through management interview. If accomplished through management interview, the VM process will still require completion, and decisions may change.
Program
Financial Stability: the depth of the assessment of the company’s financials will depend on the risk the company poses. A high risk vendor may require a more careful examination of financials; a low risk vendor may be of less concern.
Program
Strategic Approach: determine whether the vendor’s strategic approach fits your organization’s need.
- Controls in Place at Vendor
- Controls Required by Organization
Vendor Management System Overview
Risk Present: Transactional, Operational, Reputational, Financial, etc.
Ratings: Risk Critical, Risk Level of Concern
Factors:
- Sensitive Customer Data Stored or Transmitted by vendor
- Employee data stored or transmitted by vendor
- Onsite/Remote Connection Work Required
3rd Party Requirements
Technical Considerations, some examples of Standards:
- https, ssl, 128 bit encryption – required when software is transmitting data outside of the network
- Multi-factor authentication requirements will be considered on a per system basis
- Firewall rules – must be clearly defined and documented prior to opening any specific ports or services for the vendor
- Others
Contract Review
In addition to a review conducted by a lawyer, a review is conducted internally and shall examine the existence of the following items in each contract. A determination will be made as to the depth of the vendor relationship and the need to require items not included.
Contract Review
GLBA, CMR 201 clauses (sensitive or confidential data):
- Protection controls related to the protection of sensitive and confidential data
- Appropriate disposal of confidential and proprietary data
- Notification of breach in logical or physical security and a description of anticipated losses
- Confidentiality agreement and terms related to any use of bank premises, equipment or employees
Fraud:
- Notification of successful or attempted fraud
Timeframe:
- End of contract and automatic renewal information will be understood prior to signing a contract.
Services
Description of frequency (how often), format (type) and specifications (details) of any service provided. Details should be appropriate for the service provided. Services provided include software support and maintenance, training of employees, and customer service during implementation and after the sale.
Legal Responsibilities and Compliance
- A statement of the third party’s compliance with laws, regulations, and regulatory guidance.
- Authorization for Sample Bank and the appropriate federal and state regulatory agency to have access to records of the third party to evaluate compliance with laws, rules and regulations.
- Identification of required customer disclosures and which party is responsible for providing such disclosures.
Insurance
- Insurance coverage maintained by the third party.
Sub-Contractors
- Use of subcontractors and the process used to determine suitability of the subcontractor with respect to the relationship with the Organization.
Monitoring
Statement of authorization for the institution to monitor and periodically review the vendor’s compliance with the contract or agreements established.
Indemnification
Indemnification verbiage should describe claims that may be issued and the monetary and legal risk assumed by the bank and by the vendor. This verbiage may explain potential damages and losses that could be caused by the vendor relationship; expenses that may be incurred should be considered and incorporated into the contract, where possible.
Initial Risk Rating
Vendor Risk Rating Low: Vendors with a risk rating of Low - “1” expose the bank to low, or no, potential for financial or customer information loss. The services or products they provide are not considered mission-critical, and if the vendor fails to perform, they can be easily replaced or provided by other vendors, with little or no disruption in the bank’s operations, resulting in little or no adverse financial impact on the bank. Further due diligence is not required. *
Vendor Risk Rating Moderate: Vendors with a risk rating of Moderate - “2” expose the bank to a moderate potential for financial loss. The services or products they provide are not considered mission-critical, and if the vendor fails to perform, they can be replaced or provided by other vendors, but at the cost of a moderate disruption in the bank’s operations, resulting in a moderately adverse financial impact on the bank. Further due diligence is recommended. *
Vendor Risk Rating High: Vendors with a risk rating of High - “3” expose the bank to a high potential for financial loss. The services or products they provide are considered mission-critical, and if the vendor fails to perform, they cannot be easily replaced or provided by other vendors without significant disruption in the bank’s operations, resulting in a significant adverse financial impact on the bank. Further due diligence is required. *
* For GLBA Vendors or those covered by State law, complete the Information Security Risk Assessment by either utilizing an SSAE, or an industry accepted source following pre-determined guidelines.
Vendor Type | Rating | Description
Critical    | 1      | Low – not mission critical, easily replaced, no financial impact
Critical    | 2      | Medium – not mission critical, easily replaced but important relationship, may have moderate financial impact
Critical    | 3      | High – mission critical, have customer/employee data, operationally significant, financial impact of change or failure could be significant
Concern     |        | No Longer Used, Not within Scope
Concern     |        | No data shared and access governed by internal controls
Concern     |        | Data shared – not significant financially and/or potential reputation exposure for customers and employees is minimal
Concern     |        | Onsite access to sensitive data but risk mitigated by internal controls
Concern     | 4      | Sensitive Information access either onsite or remotely
Concern     | 5      | Highest concern – Customer Data shared and/or transmitted
For Vendors Rated 3 that submit or possess information including customer, employee or other sensitive data, obtain the following:
- Confidentiality Agreement: confirm that a Confidentiality Agreement / Non-disclosure between vendor and CMB is in contract or on file, or that the profession is already regulated by other entities.
- SSAE 16/SOC 1 or Equivalent: SSAE 16/SOC 1 report, if available; or internal audit reports or CPA Management letter, including management response and actions taken, if available, and vendor documentation of internal controls.
- FFIEC Exam Report: if available, regulatory examination report, including management response and actions taken, if applicable.
- User Controls Compliance: verify the Bank’s ability to comply with the ‘User Controls’ section of the SSAE report.
- Vendor BCP Testing: results of the vendor’s test of its BCP.
- Detailed Risk Assessment: detailed description of the vendor along with assessment of Financial Stability Risk, Credit Risk, Compliance Risk, Financial Risk, Operational/Transactional Risk, Reputation Risk and Strategic Risk. Provide Detailed Risk Score.
- Business Value: describes the value of the vendor to Sample, what the vendor provides or offers that will have some value to the bank: Fee Income, Access to Data/Automation, Reduction of Cost, Competitive Pricing, New Business, Operational Improvements, Competitive Offering, Other Value, Savings, Efficiency.
- Financial: audited financial statements, Dun & Bradstreet report.
Steps: No data shared and access governed by internal controls
- Send Cover Letter
- Send Confidentiality Agreement
Steps: Data shared – not significant financially and/or potential reputation exposure for customers and employees is minimal
- Send Cover Letter
- Send Confidentiality Agreement
Steps: Onsite access to sensitive data - risk mitigated by internal controls
- Send Cover Letter
- Send Confidentiality Agreement
- Conduct Red Flag Review of Vendor using red flag software
- Obtain W-9
Steps: Sensitive Information access either onsite or remotely
- Send Cover Letter
- Send Confidentiality Agreement
- Conduct Red Flag Review of Vendor using bank’s red flag software
- Request document from Company describing data protection procedures as relates to scope of services provided.
- Request documentation, either through letter or other format, of the stability of the company. Examples of criteria to be used (bank management may provide alternative documentation, as appropriate to the scope of the services provided to the bank):
  - Number of companies/banks currently serviced
  - Annual cash flow
  - Reference letter from customer
Risk Assessment/Due Diligence May Include
Detailed description of the vendor along with assessment of:
- Financial Stability Risk
- Credit Risk
- Compliance Risk
- Financial Risk
- Operational/Transactional Risk
- Reputation Risk
- Strategic Risk
Provide Detailed Risk Score
Vendor Management Business Value – Appetite (or Tolerance)
- Fee Income
- Access to Data/Automation
- Compliance
- Operational Improvements
- Reduction of Cost
- Competitive Pricing
- New Business
- Competitive Offering
- Other Value, Savings, Efficiency, etc., as determined by Management
Presenter: Denise Butler
Phone: (207)