
What Vendor Oversight You Should be Performing | VendorInsight®

Posted by Rachel McKenzie on May 10, 2019 10:21:32 AM

How Much Vendor Oversight Should Your Company be Performing?

It’s a common practice for enterprises to conduct due diligence on any prospective third-party vendor. But why do so many organizations fail to regularly evaluate their existing vendors?

A poorly managed vendor oversight program can be a point of pain for any institution hoping to function smoothly and efficiently. Without a consistent program for managing vendor risk, banks and financial institutions, in particular, face non-compliance with government regulations. This can not only pose financial risks but can also diminish a company’s reputation. 


Topics: Third-Parties, vendor risk management, risk alerts, compliance, Audits, vendor, oversight, regulation, monitoring, regulators, vendor performance reviews

Delivering VRM Solutions | VendorInsight®

Posted by Rachel McKenzie on Mar 13, 2019 11:47:53 AM

Delivering Vendor Risk Management Solutions

In this current economic climate, risk management is more important than ever. Companies only beginning to develop risk management programs haven’t yet realized the potential benefits of a structured solution for managing vendors. This includes reducing costs and risks while creating a competitive advantage against organizations who aren’t managing their risk.


Topics: vendor risk management, Cybersecurity, board members, risk assessment, Transparency, Automation, Collaboration, Return on Investment, Stability, Scalability, C-Suite

Software User Groups Matter | VendorInsight®

Posted by CMPG Risk Solutions on Jan 30, 2019 3:45:53 PM

Why Having a User Group Matters

Have you ever wished that a piece of software could be updated and tailored as your organization’s needs change? Most industries today are constantly evolving as technology is accepted and integrated. This is why choosing a vendor management software tool that has a user group is so important. User groups provide valuable insight into customer needs and improve the software for everyone involved.


Topics: vendor reviews, vendor risk management, Configurable, User Groups, Conference

Custom Vendor Management Reports | VendorInsight®

Posted by Ryan Fox on Jan 17, 2019 10:07:08 AM

Custom Reports: If You Collect Data on It, You Can Create a Report for It

No two companies are exactly alike – in the way they operate or in the way they manage their vendors. The same is also true of a company’s reporting needs. One leadership team may have a different priority or consider a different metric to be mission critical. Regulatory teams or auditors may ask for data based on their current priorities.


Topics: vendor reviews, vendor risk management, Configurable, Reports

Market Risk Alerts: The Importance of Monitoring Vendor News | VendorInsight®

Posted by Ryan Fox on Oct 15, 2018 9:45:00 AM

Market Risk Alerts: Why Vendor News Monitoring is Valuable to Your Company

Scouring hundreds of news sites in search of any mention of your vendor companies or setting up electronic alerts to notify you when a crucial supplier makes headlines – this can sometimes seem like a waste of time. In fact, when done right, vendor news monitoring delivers significant value to your organization.


Topics: vendor risk management, news monitoring, risk alerts

Single Sign-On (SSO): What it Is, Benefits, and Risks

Posted by CMPG Risk Solutions on Sep 14, 2017 2:22:00 AM

Single Sign-On (SSO) is a service that lets a user access multiple applications during a session with a single set of login credentials (username and password). The goal of SSO is to minimize the number of times a user has to log in at various websites or applications: the user logs in manually at one site or application (called the identity provider or IdP) and is then automatically logged in, without providing credentials again, at one or more other sites or applications (called service providers or SPs).

In addition to streamlining the user’s working experience, SSO is also helpful on the back end with monitoring user accounts and providing a log of user activities.

There are two single sign-on flows supported by the Security Assertion Markup Language (SAML) v2.0: IdP-initiated SSO and SP-initiated SSO. In IdP-initiated SSO, the user starts at the IdP site, logs in, and clicks a link to the SP site which then initiates SSO.

In SP-initiated SSO, the user starts at the service provider site and, rather than logging in at the SP site, SSO is initiated with the IdP (as long as the user is already authenticated at the IdP; if they are not, the user will have to enter their credentials at the IdP).

At the end of a user’s session, there are two types of single logout flows that can occur: IdP-initiated and SP-initiated. Again, with IdP-initiated single logout (SLO), the user will start at the IdP site and click a link to log out, effectively logging the user out of every SP site to which there is an SSO session as well.

In SP-initiated SLO, the user will again begin at the service provider site. The user will click a link to log out of the IdP site, and effectively also be logged out of every SP site to which there is an SSO session.

While single sign-on is a service users seek out for the great convenience it provides, organizations should also pay attention to the risk it can create for enterprise security. If an attacker gains control of a user’s SSO credentials, they have access to every SP site and application that user is permitted to use, which increases the damage they can inflict. It is imperative that a relationship of trust exists between the identity provider and the service providers: service providers must trust that the identity provider has authenticated the user.

VendorInsight supports single sign-on via the SAML v2.0 Assertions and Protocols, Bindings and Profiles as defined by the OASIS standard. For more detailed information, please refer to the SAML v2.0 specification documents at www.oasisopen.org.

To learn more about this feature and how it works within the VendorInsight risk management software, please contact a team member using the link below and we will follow up with you as soon as possible.
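The trust relationship described above has a concrete counterpart on the SP side: before accepting a SAML Response, the service provider checks who issued it, whom it is addressed to, whether it is still valid, and (in the SP-initiated flow) whether it answers the request the SP actually sent. The following is an added example, not VendorInsight's code; the issuer and entity IDs are assumed federation settings, the response is constructed for illustration, and XML signature verification is assumed to have already passed.

```python
# Added example, not VendorInsight's own code: SP-side checks on a SAML v2.0
# Response. Signature verification is assumed to have passed (out of scope).
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
TRUSTED_ISSUER = "https://idp.example.com/metadata"   # assumed federation config
SP_ENTITY_ID = "https://sp.example.com/metadata"      # assumed federation config

def _ts(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00"))

def validate_response(xml_text, pending_request_id=None, now=None):
    """Return (ok, detail). pending_request_id is the AuthnRequest ID this SP
    issued in an SP-initiated flow; None means an IdP-initiated response."""
    now = now or datetime.now(timezone.utc)
    root = ET.fromstring(xml_text)
    if root.findtext("saml:Issuer", namespaces=NS) != TRUSTED_ISSUER:
        return False, "untrusted issuer"
    irt = root.get("InResponseTo")          # SP-initiated: must match our request
    if pending_request_id is not None and irt != pending_request_id:
        return False, "InResponseTo does not match our AuthnRequest"
    if pending_request_id is None and irt is not None:
        return False, "unsolicited response must not carry InResponseTo"
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or not code.get("Value", "").endswith(":Success"):
        return False, "status is not Success"
    a = root.find("saml:Assertion", NS)
    if a is None:
        return False, "no assertion"
    cond = a.find("saml:Conditions", NS)    # audience + validity window
    auds = [x.text for x in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if SP_ENTITY_ID not in auds:
        return False, "assertion not addressed to this SP"
    if not (_ts(cond.get("NotBefore")) <= now < _ts(cond.get("NotOnOrAfter"))):
        return False, "assertion outside its validity window"
    return True, a.findtext("saml:Subject/saml:NameID", namespaces=NS)

def sample_response(in_response_to=None, audience=SP_ENTITY_ID):
    """Constructed (unsigned) SAML Response used only to exercise the checks."""
    irt = f' InResponseTo="{in_response_to}"' if in_response_to else ""
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
  ID="_r1" Version="2.0" IssueInstant="2019-05-10T10:00:00Z"{irt}>
  <saml:Issuer>{TRUSTED_ISSUER}</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2019-05-10T10:00:00Z">
    <saml:Issuer>{TRUSTED_ISSUER}</saml:Issuer>
    <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2019-05-10T09:59:00Z" NotOnOrAfter="2019-05-10T10:05:00Z">
      <saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""
NOW = datetime(2019, 5, 10, 10, 1, tzinfo=timezone.utc)   # inside the window
```

Calling `validate_response(sample_response(), now=NOW)` accepts the IdP-initiated response, while the same response fails once `pending_request_id` is set, because an SP-initiated flow must see its own request ID echoed back.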


Topics: vendor risk management, single sign-on

Unexpected Results of the FDIC's Recent Evaluation

Posted by CMPG Risk Solutions on Aug 10, 2017 2:34:00 AM

Remember the FFIEC’s 2015 Appendix J addition to the Examination Handbook? The addition covered business continuity planning for your technology service providers (TSPs). Appendix J presented a new standard for TSP contractual requirements—its purpose to strengthen the resilience of outsourced technology services—which regulators expected financial institutions to adopt and implement moving forward.

Moving ahead to 2017, two years after the introduction of Appendix J, regulators performed an evaluation of TSP contracts as they pertain to the third party vendor management responsibilities for insured and supervised financial institutions. The evaluation, which sought to determine the effectiveness of the prior guidance in altering TSP contract terms, focused on cybersecurity readiness and responsibility, and the use of subcontractors (aka your fourth parties).

In response to the findings of their evaluation, the Office of the Inspector General (IG) of the FDIC issued EVAL-17-004. According to the report, the IG, “did not see evidence, in the form of risk assessments of contract due diligence, that most of the FDIC-supervised FIs we reviewed fully considered and assessed the potential impact and risk that TSPs may have on the FI’s ability to manage its own business continuity planning and incident response and reporting operations.”

The report went on…

“Typically, FI contracts with TSPs did not clearly address TSP responsibilities and lacked specific contract provisions to protect FI interests or preserve FI rights. Contracts also did not sufficiently define key terminology related to business continuity and incident response.”

This is not the outcome any of us would have expected.

As a result, the FDIC Inspector General has laid out a few recommendations. First, the Division of Risk Management Supervision (RMS) of the FDIC must communicate to FIs the importance of fully considering and assessing the risks that TSPs present. FIs must ensure that contracts with TSPs include specific and detailed provisions that address FI-identified risks and protect FI interests. And finally, FIs must clearly define key contract terms that would be important in understanding FI and TSP rights and responsibilities.

In the meantime, it may be wise for your organization to revisit and freshen up on the 2015 FFIEC Appendix J addition to the Examination Handbook, and be aware of the possible implications this report may have on future examinations.


Topics: vendor risk management, Appendix J, FDIC

Advance Notice Of Proposed Enhanced Cyber Risk Management Standards

Posted by CMPG Risk Solutions on Nov 23, 2016 1:29:00 AM

On Tuesday, November 22, 2016, the OCC, the Federal Reserve and the FDIC issued a press release inviting comments on an advance notice of proposed rulemaking (ANPR) regarding enhanced cyber risk management standards for large banks under their supervision.

These regulatory agencies hope to increase operational resilience and lower the probability of failure in the banks they supervise.

Here’s what you need to know:

• The ANPR was published in the Federal Register on October 26, 2016, and comments are due by January 17, 2017.
• The ANPR applies to:
  o any national bank, federal savings association (and any subsidiaries thereof), or federal branch of a foreign bank that is a subsidiary of a bank holding company or savings and loan holding company with total consolidated assets of $50 billion or more;
  o any national bank, federal savings association, or federal branch of a foreign bank that has total consolidated assets of $50 billion or more and does not have a parent holding company; and
  o any third-party service provider with respect to services provided to any covered national bank or federal savings association (or any subsidiaries thereof).
• The ANPR is not applicable to community banks.
• Banks regulated by the above-mentioned agencies are required to ensure that the services they receive from third parties are conducted to the same standards that would apply if the bank conducted the operations itself—therefore, the proposed enhanced standards would apply to all operations, even those serviced by third parties.


Topics: vendor risk management, Federal Reserve, Cybersecurity, FDIC

Do You Have a Strategic Plan for Vendor Management?

Posted by CMPG Risk Solutions on Apr 17, 2014 1:58:00 AM

Strategic planning isn't just for business. It can also be used as an effective tool to guide the development of your vendor management program. Asking key questions will reveal insights, force you to face realities and help ensure that you anticipate changes that will occur in the future. Some of these questions might be: "What are the biggest threats and risks my vendor management and third party risk management process face?" or "What resource allocations and succession plans need to be in place to ensure delivery for the future?" or "Do I expect competition to emerge for the risk management services I currently provide for my company?" or "Where do I expect technology to converge to bring me improved productivity in meeting regulatory requirements?"

If you are thinking that vendor management and third party risk management is complicated enough that you have your hands full just keeping up with today's requirements and that strategic planning would be a luxury, you are not alone. VendorINSIGHT, through our office of Client Development, has developed a worksheet that walks customers through the questions they need to ask. This worksheet paints a picture of the complexity, challenges, resources, and trends they will face in the future. It also delivers insights from our industry interactions, customer experiences, and assessment of what the regulators are saying. Completing this exercise can help you communicate to your management team where and when they should expect you to ask for more resources, make additional investments in systems and technology, and how you will develop the existing resources you have so you can be as effective and as efficient as possible.


Topics: Vendor management, strategic planning, vendor risk management

Who Built Your Vendor Management Software?

Posted by CMPG Risk Solutions on Apr 1, 2014 2:54:00 AM

Do you know who built your vendor management software? It's a funny question, and it's one that everyone should be asking. We know who built ours.

At VendorInsight® we used to take for granted that our competitors understood vendor management and were true process experts. We often gave them the benefit of the doubt just because they were a competitor and sold a vendor management solution. After a few experiences with new customers who were previously running other vendor management software solutions, we began to realize our assumptions were not true. They weren't getting the help they needed from these companies to continually evolve their vendor management programs and overcome the challenges that every company runs into as their vendor management program grows or as the requirements it must meet expand.

Our history is worth recounting for those who may incorrectly assume the same about us. VendorInsight's web based vendor management software solution was developed and introduced by CMPG, a leading consultancy in banking and financial services, in 2008. Since 1998, CMPG had consulted with Fortune 500 companies, three of the top eight US banks and numerous other financial institutions and companies, helping them build sustainable sourcing and vendor management practices, programs and processes, and training teams of new vendor managers. VendorInsight® emerged as a vendor management software solution built on proven principles of best practices in sourcing, vendor management, contract management and risk management. The initial features in VendorInsight® v1.0 leapfrogged the industry and quickly established VendorInsight® as a premier solution in the industry. This was because our vendor management consultants with decades of real-life leadership and implementation experience were involved in the design process and collaborated with our development team.

Aside from a couple of situations in which our customer was acquired by another company, we have never lost a single VendorInsight® customer - a fact we are very proud of. Our customer retention and high customer satisfaction ratings are metrics by which we measure our expertise, not just our effort, because they are driven by our ability as experts in vendor management to teach, help, coach, and keep our customers oriented toward the success factors for strong vendor management programs and away from the pitfalls and failures of other process designs.


Topics: vendor risk management, vendor management software

Should Your CISO Be Your Chief Risk Officer (CRO)?

Posted by CMPG Risk Solutions on Sep 12, 2013 3:32:00 AM

Not in our opinion. We are in Chris Buses' camp when it comes to this issue. It is true that 5-7 years ago information security dominated the risk concerns when it came to outsourced and third party relationships, but with the FFIEC examination handbook updated in March 2008 the emphasis broadened to include many other dimensions of risk. Ultimately, that laid the groundwork for where we are today. Information security is just one small part of the vendor, or third party, risk management equation. And vendor risk management must be successfully integrated into an enterprise’s ERM program. Certainly, vendor management is a big enough and complex enough process that, when done correctly, it crosses a lot of organizational boundaries and requires its own system and dedicated resources to run efficiently and achieve good compliance. But vendor management also has to be integrated into a good ERM framework, which is why we built VendorINSIGHT® the way we did. In banking, for example, the successful CRO has broad-ranging risk management skills that span the two primary business elements - lending and deposits - as well as other affiliate services (insurance, etc.) and often brings a big-audit perspective that is essential to maintaining integrity in the ERM framework. The CRO often has a risk orientation focused on narrative and good documentation about business risks, trends and residual risks, as much as on information security. We see information security as a specialty within the risk management department led by the CRO. Perhaps in a very small community bank this role can be assumed by one individual, but we wouldn’t recommend it in a bank that is $1 B in assets or greater.


Topics: vendor risk management, Chief Risk Officer, Chief Information Security Officer

VendorInsider Blog

Insight into Vendor Management Best Practices, Challenges, Solutions and Trends from Industry Insiders

As one of the longest running and most advanced vendor management software solutions, the helpful people of VendorInsight® have a unique perspective on third-party risk, compliance and management.  In the VendorInsider Blog, we share our insights on timely and relevant issues facing vendor managers.  You can subscribe using the button below, or contact us with questions.
