Vendor Management Managing your 3rd Party Relationships Lisa Huertas Vice PresidentDigital Compliance www.digitalcomply.com
Vendor Management – It’s no longer a choice • Our Climate • What does vendor management mean today? • Federal Guidelines and Expectations • Risk Classifications • What determines my risk? • How should I classify my vendors • New vs. Current Contracts
Vendor Management – It’s no longer a choice • Information Request Selection • What am I supposed to get from my vendors? • Audit / Exam expectations in 2009 • NCUA Exam Questionnaire released Monday, April 14, 2008
Digital Compliance, LLC • Conceived in 2003Our initial focus - providing service to: • Financial Institutions • Companies Who Provide Product/Service to the Financial Sector
Digital Compliance Is the Pioneer • 857 Vendors In our system • 2500 Financial Institutions • 6 years of request and process experience! • As an independent company we do not have any affiliation hurdles
The Threats are different…. A “hold up” is no longer the greatest concern. Information is king… if you can grab the data you may be able to profit from it. …individuals paying top dollar to design new types of attacks… Things Have Changed
Things Have Changedcontinued. • Financial Institutions hold more information than nearly any other industry • What have you been entrusted with? • How are you protecting this information that leaves your control?
Our Climate Information Security Breach On the Rise… Data loss Data stolen Systems hacked Phishing leads to information compromise Legislation to address consumer identity theft
The threat has grown TOTAL number of records containing sensitive personal information involved in security breaches in the U.S. January 2005 – December 2008: 223,756,043 PRIVACY RIGHTS CLEARINGHOUSE Data loss: 8.3 million records alone in Q1 2008 Heartland Payment System’s Breach largest on record – 2009 Identity Fraud Survey Shows ID Theft up 22% The 2008 Toll: 9.9 Million People, $48 billion
The scope has grown Federal Trade Commission For seven years in a row, identity theft tops the list, accounting for 36 percent of the fraud complaints consumers have filed with the agency
Internet Fraud In the United States alone, victims of reported Internet fraud lost $239 million in 2007, with average losses running about $2,530 per complaint recorded by a special Web-based hot line operated by the FBI and the National White Collar Crime Center, a nonprofit corporation focusing on electronic crime. Maturing Data for future use!
Consequences • Consumer Confidence Declines • Data-Security Laws Sprout In Wake of Breaches • Lawsuits already in motion • NCUA, Governing Bodies Respond NCUA Letter to Credit Unions 07-01 NCUA Letter to Credit Unions 08-CU-09Evaluating 3rd Party Relationships Questionnaire NCUA Letter to Credit Unions08-CU-19
NCUAControl Systems and Reporting …. Credit Unions are ultimately responsible for establishing internal controls and audit functions reasonably sufficient to assure them that third parties are appropriately safeguarding member assets, producing reliable reports, and following the terms of the third party arrangement. Additionally, credit unions should tailor internal controls as necessary to ensure staff observes policy guidance for third party relationships. Examiners should ensure credit unions have on-going risk management procedures with regard to any material third party relationship.
NCUA Internal PrivacyWhat Do Your Members Know? NCUA Initial privacy notice to consumers required. Initial notice requirement. You must provide a clear and conspicuous notice that accurately reflects your privacy policies and practices to: Member/Consumer no later than when you establish a member relationship before you disclose any nonpublic personal information about the consumer to any nonaffiliated third party How small is your print??
What Can You Do To Manage The Risk When Outsourcing Review the federal expectations FFIEC Guidelineshttp://www.ffiec.gov/ffiecinfobase/html_pages/it_01.html NCUA Exam Questionnaire:http://www.ncua.gov/letters/letters.html
NCUA Exam Questionnaire3rd Party Relationships (10 sections) Background Credit Union Policy and standards when entering into a 3rd Party Relationship
NCUA Exam Questionnaire3rd Party Relationships Planning/Risk Assessment Risk Expectations Staff Expertise Cost Membership Impact Exit Strategy
NCUA Exam Questionnaire3rd Party Relationships Planning/Risk Assessment Has the credit union evaluated the costs of monitoring and providing support to the third party program (i.e., staffing, capital expenditures, communications, and technological investment)? Are Credit Unions monitoring their third party relationships?
NCUA Exam Questionnaire3rd Party Relationships Planning/Risk Assessment Financial Investment/Benefits from outsourcing to 3rd party relationships
NCUA Exam Questionnaire3rd Party Relationships Due Diligence - Background Check Pre-Contract3rd Party experience, referrals, qualifications Business Model, Financials
NCUA Exam Questionnaire3rd Party Relationships Due Diligence – Contract Issues and Legal Review (i)Data security and member confidentiality (including testing and audit);
NCUA Exam Questionnaire3rd Party Relationships Due Diligence – Contract Issues and Legal Review (j) Business resumption or contingency planning;
NCUA Exam Questionnaire3rd Party Relationships Due Diligence – Contract Issues and Legal Review (m) Compliance with regulatory requirements (i.e., Gramm-Leach-Bliley Act (GLBA), Privacy, BSA, etc.)
NCUA Exam Questionnaire3rd Party Relationships Due Diligence – Accounting Considerations
NCUA Exam Questionnaire3rd Party Relationships Risk Measurement, Monitoring and Control Has the credit union assigned appropriate staff to oversee the third party relationship to monitor performance and compliance with contracts?
NCUA Exam Questionnaire3rd Party Relationships Does the credit union’s policies appropriately address the third party relationship?“Credit Unions which outsource products and services must continue to maintain adequate controls over these functions.”
NCUA Exam Questionnaire3rd Party Relationships Controls over Member Data Does the communication method ensure member data is protected? How does the credit union communicate with the third party? Email in/out box
Where Are YOU Today? Do you have a Program Today?Where Do you Start?Where Do you Finish?
Which Vendors? Rule of thumb – Risk Classification • Require full due diligence reviews for any vendor that has access to: • Member Information • Employee Data • Institution Networks • Or for any vendor that provides services critical to maintaining operations
Core Processors Internet Banking/ Bill Payment/ Brokerage/ Cash Management/ Etc Providers Credit/Debit Card Processors Check Printers Statement Printers Network Security Consultants ATM Networks Network Security Providers Web Site/Email Hosts CRM Providers MCIF Providers Credit Bureaus Payroll Processors Etc. Highest Risk Vendors
Critical To Operations • Some suggested vendors that may be critical to the operation of an institution • Telecommunications/Network Providers • IT Providers • Software Providers (i.e. loan/deposit/acct/etc.) • One patch away from disaster….
Request Tug of War Knowing What You Need Vs. Providing What You asked for!
Where Do I start? Understand Where You Are Today! • Product/Service/Vendors you do business withDo you have a classification system in place? If so, how are your vendors classified? If not, what is the defining line? • What due diligence is required for each vendor * is there a list? • How are my Third Party relationships managed? Who won the vendor management lotto this year? • What documentation you have requested/received in the past?Success/difficulty your institution has had How does our information stack up? • IS THERE HELP?
Compliance Classification Mission Critical Classification Compliance Classification
The List? Vendor Compliance Request List • Corporate contact information • Listing of products and services provided to client. • Listing of pertinent data center locations where client’s data is stored, processed, and/or located in physical or electronic form • Annual report or audited financial report • Business insurance certificate, including, but not limited to General Liability, Errors & Omissions
The List? 10. Infrastructure Change Management and Control Policies and Procedures, including, but not limited to: Planning Oversight Project Management Testing Implementation 11. Records Management Policies and Procedures, including, but not limited to: Electronic and hard-copy (paper) formats Retention Policies Destruction Procedures
The List? 12. Infrastructure Incident Response Policies and Procedures, including, but not limited to: Security Breach Virus or Network Attacks Data Tampering Unauthorized Access 13. Network Penetration Testing Results, to include: Date of Most Recent Test Noted Exceptions Exceptions Addressed Date of Next Test i.e. Cybertrust, TruSecure, other Certifications 14. High-Level Network Diagram Illustrate or describe firewall protection, not to include IP addresses
The List? 15 Business Continuity and/or Disaster Recovery Policies and Procedures (Executive Summary) 16 Disaster Recovery Testing Results, to include: Date of Most Recent Simulation Noted Exceptions Exceptions Addressed Date of Next Simulation 17 Related maintenance contracts covering hardware and software, including, but not limited to: Contracts with third-party technology providers that keep infrastructure operational and functioning
The List? 18 Related Vendor Service Level Agreements (SLAs) –Please identify anythird-party relationships engaged to facilitate, service, maintain or impact the product or service provided our Credit Union 19 All relevant SAS 70 review documentation
Documentation Review IF I GET it, I have to READ it? Maintain, Update, ReviewWhat is your vendor update cycle? How often do they test? Were there exceptions? Were they fixed?
What Is Your Response? Proactive vs. Reactive Is there Help? Software Consultants Digital Compliance
What is VCMS?? • A single point and click source to access complete vendor compliance packages in mere seconds. • Gathering, receiving, documenting, digital conversion, updating and secure access to your vendor compliance documentation.
Tailored Request List A tailored approach to the request list Asking for documentation that makes sense for the product/service provided
VCMS Financial Process Discovery Authorization Request/Receipt Document Review, Report, Notify Digital Upload Access Reporting Update/Manage Renewal
Questions? Lisa Huertas Vice President, Vendor Solutions Digital Compliance, LLC www.digitalcomply.com email@example.com 406-325-9737