Independent Banker Article: Five Best Practices to Minimize Vendor Information Security Risks

The ICBA’s July 2016 issue of the Independent Banker Magazine will feature my article about minimizing data breach risks with bank vendors. The full article is available here and is reproduced below. I’m honored to have my article published in this great publication for community bankers.

Safety Data Steps: Five best practices to minimize vendor information security risks

By Tyler J. Bexley

With data breaches dominating front-page headlines and regulators increasingly focusing on data protection, cybersecurity is one of the most important issues confronting community banks today. For example, the Consumer Financial Protection Bureau recently filed its first enforcement action related to data security, entering into a consent order with an online payment processor related to the company’s data security practices.

Although this enforcement action did not directly involve a bank, it serves as a reminder that banks must closely monitor their vendors to ensure compliance with applicable laws and regulations. In fact, the Office of the Comptroller of the Currency, in its Bulletin 2013-29, cautions that “a bank’s failure to have an effective third-party risk management process that is commensurate with the level of risk, complexity of third-party relationships, and organizational structure of the bank may be an unsafe and unsound banking practice.”

Because of the serious consequences that come with data breaches, banks must scrutinize potential vendors and ensure that every vendor meets minimum regulatory requirements for data security. These are some best practices for banks to follow to minimize vendor data security risks:

  • Have a written plan relating to vendor management, and designate an employee (preferably someone in senior management) who is responsible for vendor oversight. For vendors involved with “critical activities,” the regulators expect board involvement in approval and monitoring. All employees and directors who have responsibility for vendor selection and management should have up-to-date training in data security issues.
  • Ensure that IT and software vendors are familiar with the Federal Financial Institutions Examination Council guidelines on information security, the Gramm-Leach-Bliley Act, and other applicable laws and regulatory guidance. Consider using only vendors with extensive experience working with regulated financial institutions.
  • Put prospective vendors through a thorough vetting process. This should include an on-site assessment of the vendor’s facilities, a review of any prior customer or regulatory complaints, and an interview of the vendor’s management team.
  • Have written agreements with all vendors that establish detailed minimum performance standards for information security. The agreement should mandate that vendors stay current on data security issues and regularly update their software to address new vulnerabilities in their systems. The agreement also should require vendors to pass on the same minimum standards to any subcontractors.
  • Ensure that vendors can meet any security-related claims in bank marketing material. For example, if a bank advertises that it protects customer data using certain encryption standards, the bank should ensure that its vendors (as well as their subcontractors) use the same encryption standards.

In the worst-case scenario of a data breach or adverse regulatory action, banks should be prepared to hold vendors accountable where appropriate. To that end, banks should ensure that their contracts with vendors contain strong indemnification provisions to protect the bank. The indemnity language should protect the bank from losses and legal fees associated with customer litigation, shareholder litigation, legal compliance and any regulatory enforcement action.

In the end, there is nothing a bank can do to completely prevent a data breach. But banks can minimize their cybersecurity risks by staying up to date on the latest risks and regulatory requirements, thoroughly vetting their vendors on the front end, and closely monitoring vendor performance. In the event of a data breach, banks should have procedures in place to quickly address the breach and, if appropriate, seek reimbursement from responsible vendors.