Vendor Management from a Vendor’s Perspective
Agenda
• Regulatory Updates and Trends
• Examiner Trends
• Technology and Solution Trends
• Common Issues and Misconceptions
• The Vendor Perspective
• Best Practices for Effective Vendor Management
Exclusive to the financial institution market
Over 500 financial institutions
99% client retention & renewal rate
SOC 2 Type II audited solutions
• Experts in banking technology
• A strong regulatory compliance knowledge base
• Multi-layered approach to enterprise security
• Multiple core processors and applications
• Single point of contact for IT and regulatory guidance
Most Innovative Solution 2011–2013
Regulatory Trends
• Increased Regulatory Scrutiny
• Examiners realize the trend in outsourcing more
• Solutions still have to be managed as if they were created and managed in-house
• Increased focus on cyber security
  • Institution
  • Vendor
Regulatory Trends
• Institutions continue to increase the use and scope of solution providers
• Increased findings from regulators on concerns they find during vendor exams
• FFIEC Webinar on Cyber Security
• Cyber Security Toolkit
• FFIEC updates Appendix J
• FDIC FIL
  • https://www.fdic.gov/news/news/financial/2014/fil14013.pdf
FFIEC Update – Appendix J
• Third-party management
  – Due Diligence
    • Right to audit
    • Subcontracting
    • Foreign-based service providers
    • BCP testing
    • Data governance
    • TSP updates
    • Security issues
  – Contracts
  – Ongoing Monitoring
• Third-party capacity
  – Significant Technology Service Provider Continuity Scenarios
Appendix J – Continued
• Testing with third-party Technology Service Providers
  – Testing Scenarios
    • TSP outage or disruption
    • FI outage or disruption
    • Simultaneous cyber attacks
  – Testing Complexity
• Cyber resilience
  – Risks
    • Malware
    • Insider Threats
    • Data or Systems Destruction and Corruption
    • Communications Infrastructure Disruption
    • Simultaneous Attack in FI and TSP
FFIEC Outsourcing Technology Appendix D – Managed Security Services
• Network Boundary Protection
• Management of Intrusion Detection and Prevention for Networks and Hosts
• Event Log Management and Alerting
• Anti-Virus and Web Content Filtering Services
• Patch Management and Security Software Management
• Security Incident Response and Management
• Data Leak Prevention
• Secure Messaging
• Information Security Consulting Services
MSSP Update
Critical considerations include…
• availability,
• integrity,
• and confidentiality…
…of Financial Institution Data.
The Compliance Process Simplified
Examination Trends
• Focus on Management “M” in CAMELS rating
• Layered Defense to Security Threats
• Vendor Management Focus
• Business Continuity Planning not Disaster Recovery
• Segmentation of duties and backup for key personnel
• Oversight and Validation of IT
• Vendors having wrong or limited SOC reporting
Technology Trends
• We have to do more with less resources
• Leverage the cloud
  • Core / third party applications
  • Structure of services
  • Hybrid / Private / Public
• Heavy fintech focus on mobile and customer relationship enhancement
• Increase leverage of solutions to assist in verifying adherence to policies and procedures
The Vendor’s Perspective
• The difference between buying solutions and being sold solutions
• Sales Ethics
• Technical Understanding vs High Level Functionality
• Multiple Decision Makers
  – Technical
  – Senior Level
  – Tech Committee
• Request for Proposal
Common Issues and Misconceptions
• SOC 1, 2 & 3 vs Type 1 & 2
• SOC 2 (and others)
  • Vendor can define what services are reviewed
  • Review Timing
• Third Party Providers / Contractors
• Lack of understanding outside of fintech companies
• Risk Assessments Not Completed
Best Practices
• Review Vendors at Least Annually
• Define Reporting Process
• Centralize Key Components of Contracts
  • Renewal Dates
  • Auto Renewal Dates
  • Last Risk Assessment Review
• Risk Rate Vendors
  • Inherent Risk
  • Residual Risk
Risk Review Categories
• Access to NPI – Core
• Access to NPI – Non-Core
• Access to confidential Information
• Criticality of the service
• Complexity and Availability of the Service
• Concentration Risk
• Cloud Based
• Foreign Based
Reducing Inherent Risk
• Is the Vendor Financial Institution Specific?
• Do they have a user group?
• How much verification information do you receive?
• What type of Audit and Reporting do they have?
• Automated systems vs manual processes / spreadsheets
Best Practices for New Contracts
• Take control of the references you receive
  – Core Processor
  – Geography
  – Size
  – Ask for More
• Ask the references the same questions
• Increase your peer group
• Attend user groups
• Leverage your other vendor relationships
• Fill out the risk assessment
Ask the hard questions
• Vendor
  • When customers don’t renew, what are the reasons?
  • What items are not included in proposal?
  • How do you prioritize your enhancements?
• References
  • What was unexpected vs. your expectation?
  • When issues arise, how are they handled?
  • How honest do you feel the company and sales rep are?
Existing Vendors
• Ongoing Management
• Annual Updates
• Reporting / Verification of Adherence
• Review of Business / Strategy Annually
• User Group Conferences / Attendance
• Updated Vendor Management Packet
• Updated Risk Assessment
• Long-term Contracts Don’t Remove the Need for Annual Review
Summary
• Vendor Management has heightened oversight from examiners
• Senior Management and the Board need to be involved
• Vendor Management will continue to grow in importance as more solutions are outsourced
• It’s important to leverage peers and references in the process
Questions?