Overview
The Board of Governors of the Federal Reserve System (Board), the Federal Deposit Insurance Corporation (FDIC), and the Office of the Comptroller of the Currency (OCC) (collectively, the agencies) have issued this guidance to provide sound risk management principles supervised banking organizations [1] can leverage when developing and implementing risk management practices to assess and manage risks associated with third-party relationships. (Interagency guidance on third-party relationships)
Community banks typically do not possess all of the resources needed to deliver financial services to their customers and to perform the related accounting and financial reporting. They therefore obtain those resources from third-party vendors. Because these vendors are not part of the financial institution (FI), the FI does not have direct control over the vendor, its actions, or its security environment.
This creates the need to conduct due diligence on these third parties to confirm that they can deliver the contracted services and that they maintain appropriate security. If the vendor holds or processes NPPI (non-public personal information), the vendor's financial condition is also a concern, because a vendor that fails still holds the institution's customer data. The depth of the due diligence should be tailored to the risk the vendor presents.
The vendors used by FIs range from small local companies to very large service providers, and the risk they present varies just as widely. The critical part of the initial assessment is identifying the risks specific to the vendor being evaluated. A vendor that stores backup paper files and provides shredding, for example, may have no SOC report at all but still poses a real risk of an information breach. The review for such a vendor is physical rather than technical:
• Conduct a walk-through of the vendor's security features.
• Establish where the files are held and who has access to them.
• Determine whether other customers' staff can reach the storage area.
• Schedule periodic reviews to confirm that the security controls remain in place.
• Determine who controls the paper files if the vendor fails financially.
Contracts
While third parties may initially offer a standard contract, a banking organization may seek to request modifications, additional contract provisions, or addendums to satisfy its needs. In difficult contract negotiations, including when a banking organization has limited negotiating power, it is important for the banking organization to understand any resulting limitations and consequent risks. (Interagency guidance on third-party relationships)
In many instances the FI has little negotiating power and must accept the vendor's standard terms. It is essential to evaluate the contract and enumerate the provisions that would have been preferable but are missing. The absence of each of those terms should be evaluated and a documented determination made as to whether the resulting risk is acceptable.
Checklists are an important part of a robust and effective vendor management program. The guidance includes a list of contract provisions that should appear in any contract with a vendor that holds or processes NPPI (Federal Register Volume 88, No. 111, Friday, June 9, 2023, p. 37932); that list is a good starting point for the contract checklist.
Physical and Digital Security
Due diligence on a new third-party vendor, and ongoing monitoring of an existing one, typically relies on third-party audits of the vendor's systems. In many instances the vendor will have had a SOC (System and Organization Controls, formerly Service Organization Control) audit performed. For a security review the relevant report is normally a SOC 2 Type II, which tests whether the controls operated effectively over a period; a Type I report only describes the controls as of a single date.
Although SOC reports are a critical component of the controls review, they do not necessarily cover all of the controls that matter to the FI. It is essential to decide in advance which controls need to be evaluated. Refrain from scanning the results column of the testing section, noting "no exceptions", and concluding that you are done. Many times the SOC report does not address, or the auditor has not tested:
• Encryption of backups
• Decryption key management
• Segmentation of data
• Change control
• Encryption of data at rest
• Physical controls, because the vendor has outsourced hosting to a separate data center (SOC reports commonly "carve out" such subservice organizations, so their controls are outside the scope of the report and must be obtained separately, for example from the data center's own SOC report)
• Vendor management
Therefore, create a good checklist and verify that the SOC report covers what is needed. In some cases a control is described in management's description of the system but is not tested by the auditor. Management's representation is evidence, but it is weaker than an independently tested control. If a control is not covered in the SOC report, ask the vendor for other evidence of its effectiveness; even a written assertion from the CIO or CISO is better than nothing. Also review the complementary user entity controls (CUECs) listed in the report: these are the controls the vendor assumes the FI itself operates, and the vendor's controls are only effective if the FI actually has them in place. Remember that this is a risk assessment. There will be residual risk; the task is to determine whether that residual risk is within the institution's tolerance.
One item in the list above that is especially important is how the vendor manages its own vendors. A breach of your vendor caused by another vendor's weak security environment is still your problem, and your customers' data is still the data exposed. Ensure that you obtain information on your vendor's vendor management process.
Also, several of the large IT service providers issue a number of SOC reports for different products and platforms; make sure you are reviewing the one that covers the specific service you are evaluating. These large data processors are also examined by the federal banking regulators as technology service providers. The examination reports are available to client institutions on request from your primary regulator, and they can be eye-opening when compared with the SOC results.
Insurance
One item that can provide some protection is insurance, the most important being the vendor's cyber security insurance, which helps protect the bank if the vendor suffers a breach. Obtain the current declarations page, confirm that the coverage limits are reasonable for the data the vendor holds, and put the policy expiration date in a tickler file so that the renewed policy is requested and reviewed when the current one expires.
Financial Condition
An assessment of a third party's financial condition through review of available financial information, including audited financial statements, annual reports, and filings with the U.S. Securities and Exchange Commission (SEC), among others, helps a banking organization evaluate whether the third party has the financial capability and stability to perform the activity. (Interagency guidance on third-party relationships)
In addition to the above, consider what happens if the vendor fails for financial reasons: is your contract still in force, where is your data, who controls it, and do you have any rights to it? Does the loss of control over customer data constitute a breach under GLBA? These questions should be answered before signing, not after the vendor fails.
We have seen companies carrying significant losses because of the development costs of the business they are building. A company of this type needs demonstrated access to capital before the FI can take comfort that it will remain in operation long enough to deliver the expected products and services.
Monitoring
Vendor management does not end with the initial review. Regular follow-up reviews are needed to confirm that the control environment, insurance coverage, and financial condition of each vendor remain acceptable, with the frequency of review driven by the risk rating assigned to the vendor.
We encourage these reviews to be presented to an IT committee of senior management or to the board, so that they remain aware of the risk profile associated with the institution's third-party vendors.
Resources
Federal Register: https://www.govinfo.gov/content/pkg/FR-2023-06-09/pdf/FR-2023-06-09.pdf
Scott Edwards – Contributor
CEO – EdwardsFIC