Vendor Due Diligence in the Cyber Threat Era and COVID-19: the risk landscape has changed dramatically. It has never been more important to ensure vendors are put through a due diligence checklist.
By: Steve Ryker, CPP, VP – Compliance & Risk
With today’s increasing cyber threats, ransomware and data breach attacks, heightened banking regulations, the Bank Protection Act, and increased need for life safety, it is extremely important to perform due diligence on your security and ATM vendors. These reviews assure that your vendor or potential vendor is cyber compliant, is financially stable, meets regulatory laws, carries the proper insurance coverage and limits, and has an ethically sound and strong corporate structure.
We utilize this same checklist for our own vendors at Cook Security Group and recommend our customers do the same. Beyond cyber-attacks, in many cases, it was a vendor that did not have the appropriate protection.
Vendor selection and ongoing management have never been more important, based on the current threat landscape. Vendors can help your financial institution achieve cost-effective and cyber-protected success through the prudent selection and maintenance of technology and equipment. Vendors are also capable of increasing cyber risk, making narrow-minded technology recommendations, looking back instead of forward, and resisting change.
You are only as strong as your weakest vendor link. It is important to avoid permitting vendor engagements to increase risk for your financial institution.
It is recommended that you apply the same level of vetting to vendor selection as you do to hiring key employees. Once selected, vendors should be managed effectively and treated as trusted members of your team. If the vendor is resistant to this level of partnership, it is suggested you look elsewhere.
Trusted partnerships between the financial institution and vendors are an incredible value add for both organizations. The foundation of trust between a financial institution and a vendor begins with the vendor understanding the financial institution’s culture, expectations, policies, and procedures, along with industry standards. The next step is to determine if the vendor’s technician footprint aligns with the financial institution’s footprint. The vendor’s skilled technicians must be trained and certified. It is critical to select vendors that have a track record of retaining skilled talent to maximize quality. Annual vendor employee turnover should not exceed 15%.
Vendors that install and/or service equipment that will be connected to your financial institution’s network should certify via a Service Organization Controls (SOC2) Type2 audit. SOC2 Type2 certification requires an annual audit to verify the vendor has controls in place that protect your financial institution’s data. One component of the SOC2 Type2 audit is the vendor’s controls on their employees’ computer devices. These controls include, but are not limited to, prohibiting certain application downloads or website access, operating system patching, and updated virus protection.
Imagine for a moment a vendor that is not SOC2 Type2 compliant and is not diligent about patching their technicians’ computer operating systems and updating virus protection. A technician accidentally downloads malware while searching the web at lunch, and then introduces the malware to a financial institution’s network while completing diagnostics and repair services.
The equipment a vendor uses to conduct their business and the equipment marketed to financial institutions must be hardened and tested to mitigate cyber and compliance risk. A vendor’s equipment and product offerings should include the following:
- Encryption capability
- Centralized patch management and firmware updates with remote capability
- Strong password management with no default passwords
- Open architecture and field serviceable product line
- Annual cyber penetration tests to verify protection levels
The vendor must also reduce risk for the financial institution by completing background checks on their employees and sub-contractors. If sub-contractors are utilized for a project, management and performance expectations should mirror the vendor’s and be transparent to the financial institution. No one wishes to have a vendor blame a sub-contractor for poor performance. The buck stops with the vendor.
A vendor’s finances should be explored to verify multiple years of strong financial performance and cash reserves. Vendors experiencing financial problems can cause many negative issues. Among these are the following:
- Catastrophic closing of the vendor’s business
- Loss of talented employees
- Difficulty acquiring needed equipment from manufacturers and suppliers
- The financial institution having to make an unexpected and disruptive transition to another vendor
The trusted vendor should be expected to partner with your financial institution’s planning and future roadmap for implementing innovative technology, automation, and remote technologies. Vendors often provide services to other financial institutions and perhaps even other sectors. This exposure provides the vendor an expanded view of different risk mitigation strategies and use of technologies or automation. The trusted vendor should routinely share information with your institution. Some examples include:
- Implementation and use of artificial intelligence
- Use of video analytics
The vendor should help the financial institution solve pain points. Major pain points for many financial institutions are platform creep, vendor bid processes, and the timing and implementation of a new platform.
Platform creep is the repeated implementation of disparate systems. Each of these systems requires hardware, firmware, operating system, and software support. An example is security video, access control, and alarm systems. There are systems available today that integrate these functions and increase the performance of each, while reducing support requirements.
One potential vendor bid process trap is vendors that submit extreme low bids compared to competitor bids. It is hard to say no to what appears to be a significant cost savings. Close inspection of an extreme low bid is recommended. Many costs are equal for all vendors in a region or market. Bids can vary somewhat based on volume discounts for equipment and management of overhead costs. Extreme low bidders are often risking loss in the short term for a return in a future bid for projects and equipment. What if that future work is not awarded to the extreme low bidder? How long will that low bidder be willing to suffer a loss every time work is performed? Another question to ask: is the extreme low bidder up to date with technology such as electronic dispatch and equipment tracking, SOC2 Type2 certification, training and certifications for employees, and proper levels of insurance coverage?
The trusted vendor can track a financial institution’s equipment and advise when a current platform or equipment has reached the end of life and replacement is prudent. The vendor can then:
- Work with the financial institution to determine requirements for the new platform
- Locate available platforms that match the requirements
- Assist with acquisition of the new platform
- Develop a plan for platform or equipment rollout, installation, and user training
The new year is a great time to conduct an analysis of your current vendor engagements. Are your current vendors trusted partners? Have you verified your vendors are SOC2 Type2 compliant? Do your current vendors offer advice to improve the technology performance of platforms and equipment utilized by your financial institution? Based on the answers, now may be a great time to review the marketplace for new vendors and improved partnerships. Utilize the Vendor Due Diligence checklist to help.
This article sums up the need for vendor due diligence…
Hackers are leveraging COVID-19 to steal, sell and damage your members’ identities like never before.
Is Your CU Ready for the ‘Cyber-demic,’ a Dangerous Fallout of the Pandemic?
Steve’s article can also be found on the Credit Union Times website.