Copyright © 2016 by Paul D. Witman
Vendor Due Diligence: Digging Beneath the Surface
for SecureTheVillage Financial Services CyberSecurity Roundtable
October 14, 2016
Paul Witman
Professor, Information Technology Management
School of Management
Introductions
• Paul Witman, Professor, IT Management
• Formerly with Citibank (technology ops), and Digital Insight
– Six acquisition due diligences (both sides)
– Numerous vendor due diligences – ATMs, tech providers, payment providers, …
– Countless customer due diligences
Names, Affiliations, Risk Management Experiences
Regulatory Roots - OCC
• Banks must maintain adequate risk management processes throughout each phase of a third party relationship’s life cycle: planning, due diligence and third-party selection, contract negotiation, ongoing monitoring, and termination (OCC, 2013)
Regulatory Roots - FFIEC
• Senior management and board awareness of outsourcing risks
• Ensure that outsourcing arrangement is risk-prudent
• Systematically assess needs and establish risk-based requirements
• Implement effective controls to address identified risks
• Perform ongoing monitoring to identify and evaluate changes in risk
• Document procedures, roles/responsibilities, and reporting mechanisms
Risk Management Overview
Source: vicimediainc.com
Cascading Risk Management
Supplier → Supplier → Direct Vendor → Customer (Bank) → End Customer
Risk starts at the first supplier in the chain, and travels downstream …
• Vendor obligations are driven by, and drive, agreements with customers
• Who do your vendors outsource to, and what risk controls do they have in place?
Vendor, customer obligations
What do your contracts (both inbound and outbound) say about these issues?
• Use of “cloud” providers (definition?)
• US(or non-US)-based storage, operations, and facilities
• Encryption levels and practices
• Personnel policies
• Notification policies
• SLAs for performance and for service?
• Others?
Legal/Compliance
• Contract reviews should check for issues in contracts that could impact tech operations or vendor relationships
– Demands from your customers
– Stipulations from your vendors, and your demands of them
• Data location
• Breach notifications
• Regs from other regions, states or industries
• Others?
Contract reviews for impactful clauses
Project Management/SDLC (?)
• Does your organization have a formal SDLC?
• Explicit step for risk identification and controls
– Some risks might simply result in risk acceptance by business owner
• Focus on thoughtful, up-front risk analysis
– Probably the only time you’ll get concentrated attention on vendor
New vendor relationships have explicit steps in PM processes
Vendor Due Diligence Processes
• Audit reports (SOC2, SSAE16)
• Site visits (perhaps just for big, high-risk, or leveraged vendors)
• Cascading risk questions – how far up the supply chain do you troll for risk?
• Breach and issue notification requirements/practices?
• Others?
The checklist is just the beginning …
Questions to ask …
• Focus on data and trust levels implied
– Processing high-value PII – focus deeply on what they do and how
– Storing high-value PII – focus even more deeply on operations – risk is longer term
– Low-value PII, or short-term handling vs. storage – perhaps lower investment
• “Laundry list” of questions is just a starting point
– Should trigger deeper dives based on responses and risk profile
• People are still the weakest, most unpredictable link …
• Other suggestions?
Of yourselves, and of the vendors
Location, location, location
• Disaster recovery
• Sovereignty issues
• Constraints from contracts
• Hardware segregation
• Others?
Geography still matters
Source: granderie.ca
Audit Issues
• Represent a point in time
• May not check all functions
• Tests documentation and some activities, but not on ongoing basis
• Audit can be clean, with unseen issues under the hood
– Even issues the vendor is unaware of …
Audits are a good start, but …
Source: asil.ae
Monitoring
• Formal
– Scheduled, periodic check-ins
– Effort commensurate with risk posture
• Informal
– Follow-up on incidents
– Just asking the question can motivate change in behavior
– After action reviews – DR/HA tests, SLA triggers, etc.
Consistent, process-driven monitoring will support solid risk management
Source: inkt.org
Cloud Issues
• Consumer-grade cloud services are readily available
– May be used by your staff for internal projects
– Or to collaborate with customers
• Even “commercial grade” cloud services may introduce new risks
– Personnel policies
– Shared tenancy on cloud operations
– Breach notifications
• Governance challenges
• Others?
What has your organization done that perhaps you’re not even aware of?
Source: thecloudandediscovery.com
Pragmatism
• For lower-risk vendors, run with standard checklist, audit reviews, contractual, legal, and compliance
• For higher-risk vendors, drill deeper
– More questions
– More active monitoring
– Site visit?
• Collaborative site visit with other clients?
• Risk posture with vendor (including supply chain) should drive due diligence investment level
If you have limited resources, focus on the highest risk areas
Upcoming Issues
• New York FinServ Cybersecurity – new regs
– Must have a CISO, annual pen testing, breach notifications, …
– Impacts on your vendors?
• Internet of Things?
– What’s connected to your network?
– Or to your employees’ home networks, to which they connect your equipment?
• Europe privacy requirements - GDPR
• Ransomware attacks?
• Others?
It’s never boring in IT, or in InfoSec …
Potential Action Items
• Collaboration for vendor analyses, ongoing risk management and monitoring?
• Formal data classification?
• Formalized risk management processes?
– Including ongoing monitoring
– Explicitly driven by risk profiles
• Others?
What can you do together more effectively or efficiently than as individuals?
Source: dtcap.org