Managing vendor security risks

Last week, the CFPB brought its first enforcement action related to a data breach. Although the CFPB action involves an online payment system operator, it serves as a reminder that data breaches put banks at risk of regulatory action. While most banks have prioritized the security of their own IT systems, they may overlook data security issues when selecting third-party vendors. Given the volume of tasks that community banks outsource to vendors, it is critical that banks thoroughly vet any potential vendor to ensure strong data security practices.

Nearly every community bank outsources at least some portion of its operations, whether it is online banking, ATM processing, or even the entire IT function. While most banks will carefully vet their third-party vendors for price, contract terms, and regulatory compliance, data security is sometimes overlooked. For example, a report last year from the New York State Department of Financial Services found that about 1 in 5 banks surveyed do not require vendors to warrant that they have minimum data security requirements, and 1 in 3 banks do not require vendors to apply data security requirements to subcontractors. However, vendor data security is critically important not only to protect customer information, but also to ensure regulatory compliance.

In fact, an OCC bulletin on third-party relationship management cautions that “a bank’s failure to have an effective third-party risk management process that is commensurate with the level of risk, complexity of third-party relationships, and organizational structure of the bank may be an unsafe and unsound banking practice.” As the bulletin explains, serious vendor issues may adversely affect the management component of a bank’s CAMELS rating. In the worst cases, “the OCC will pursue appropriate corrective measures, including enforcement actions, to address violations of law and regulations or unsafe or unsound banking practices by the bank or its third party.”

Given the seriousness of vendor data security, banks should heed the advice of regulators and follow certain best practices in managing vendor relationships. For example:

  • Banks must have a written plan relating to vendor management and should designate an employee (preferably someone in senior management) who is responsible for vendor oversight. For vendors involved with “critical activities,” the regulators expect board involvement in approval and monitoring.
  • Any IT or software vendor should be familiar with the FFIEC guidelines on information security, the Gramm-Leach-Bliley Act, and other applicable laws and regulatory guidance. As a best practice, banks should consider only using vendors with extensive experience working with regulated financial institutions.
  • Banks should put prospective vendors through a thorough vetting process. This should include an on-site assessment of the vendor’s facilities, a review of any prior customer or regulatory complaints, and an interview of the vendor’s management team. The review process should also include a certification from the vendor that it is familiar with the bank’s information security policies and is equipped to fully comply with those policies.
  • Relationships with vendors should be governed by an agreement that, among other things, establishes detailed minimum performance standards for information security. The agreement should require vendors to pass on the same minimum standards to any subcontractors.
  • After entering into a contract with a vendor, banks should exercise careful oversight, including regular meetings with the vendor and routine audits. For the most significant vendors or those handling sensitive customer information, banks should consider hiring a security firm to conduct regular audits.

Lastly, banks should ensure that their contracts with vendors contain strong indemnity provisions to protect the bank in the event of a data breach. The indemnity language should protect the bank from losses and legal fees associated with customer litigation and any regulatory enforcement action. Banks may also want to review their insurance policies to determine whether they have coverage for third-party data breaches.

Importantly, banks have an ongoing obligation to ensure that their vendors are complying with information security requirements. The OCC has cautioned that a prior working relationship with a vendor is not a substitute for proper diligence in vetting and monitoring the vendor’s compliance. Although this is a costly and time-consuming process, following these best practices will help banks avoid the far more costly consequences of a vendor data breach.