Vetting a Vendor

Vetting a Vendor

Every part of a financial institution must be secure

Security continues to be a major area of vulnerability for the banking industry, with attacks impacting individuals, small businesses and major corporations. From phishing to ransomware, fraudsters are constantly evolving their methods to counter steps taken by banks and credit unions to protect their environments. To maintain their reputation as organizations trusted most by consumers and businesses when it comes to managing assets, financial institutions must ensure that every part of their operation is secure, including those areas where vendors play a role.

Financial institutions are complex entities with many moving parts. These intricacies typically lead banks to partnering with several vendors to assist with both consumer facing and internal processes, such as mobile and Internet banking, small business banking, loan processing, bill pay processes and P2P payments. Because of the many challenges associated with building new technology infrastructure in house, these vendors have become not only a logical choice but also a strategic alternative. These companies are helping financial institutions innovate and keep up with the rapidly evolving needs of consumers and business owners.

While these relationships are typically mutually beneficial partnerships, because vendors are a vital component of the financial institution’s infrastructure, careful vetting must be done to limit vulnerabilities introduced by these third parties. Banks and credit unions must ensure that the vendors they select not only have the highest standards in customer satisfaction and compliance, but also when it comes to security.


In security, “you’re only as strong as your weakest link” is a well-known adage. For this reason, financial institutions must conduct extensive due diligence on the security practices of their vendor partners, or else they jeopardize their customers’ financial health as well as their brands. After all, if a bank or credit union suffers a breach due to a vendor’s oversight, customers won’t blame the vendor; instead, they’ll blame their financial institution that’s supposed to safeguard their finances. This type of mistake is a costly one that is nearly impossible for a bank or credit union to fully recover from, as its reputation will be tarnished and its customers will become highly sensitive to the risk of doing business with them.

Once a financial institution has identified several vendors it could potentially partner with for a desired product or solution, it must start with a review of the vendor’s overall strategy and approach to security. Some vendors tend to view security as a “necessary evil,” simply a box that must be checked by going through the necessary motions. This is obviously not the type of vendor that a bank or credit union should aim to partner. Instead, the preference should be given to vendors that consider security an integral part of their operations, part of their core culture, something that is lived and breathed every day.

While vendor culture can be a difficult thing to ascertain, good indicators include the strength and depth of the vendors’ security policy, the quality and experience of security staff and the presence of a strong plan for handling security incidents. The amount of time a vendor has had its security certifications in place is also a good gauge for measuring how well the consumers’ data will be protected. The level of effort the vendor takes to keep these certifications can also be a positive indicator of its commitment to security. However, if a vendor’s commitment does not continue beyond obtaining and maintaining certification, then there is cause for concern. Vendors that truly care about the security of the organizations they do business with will go above and beyond, demonstrating additional ways to safeguard sensitive information and data.


When ‘the cloud’ first became a high profile topic a few years back, many organizations avoided its use primarily because it was unclear how secure it could be. As time went on, most of these concerns were dispelled as companies, including financial institutions, began to realize and trust how safely the cloud could store and back up sensitive data. In fact, security for use in the cloud began to meet and exceed that of other options attracting companies who especially needed the ability to reduce IT costs while maintaining scalability, reliability and flexibility within their operations. Among the organizations that began to move more of their infrastructure to the cloud was banks and credit unions. However, vendors whose solutions are cloud-based do require their own unique set of security measures.

When looking to validate the security of a cloud-based vendor, it is important to note that not all clouds are created equal. Financial institutions must understand where the data resides and if it’s possible for the data to move out of this country without the institution’s or customer’s knowledge. Today, most physical cloud-based storage facilities feature military level security, but banks and credit unions must confirm a potential’s vendor cloud storage location meets this level of protection. It is also paramount to investigate if the vendor employs any subcontractor services, and if so, what kind of security measures these companies are taking, as their security practices can reflect back on the financial institution as well.

Finally, it’s essential to understand what type of security forensics or reporting the cloud service supports and what notification processes are in place for a potential compromise or disclosure.


After vendor selection, the financial institution’s job is far from done. At a minimum, financial institutions should confirm that their vendor partners continue to maintain the same or commensurate security certifications. In addition, the security of a vendor’s products, services and platforms should continue to be evaluated at least annually. Because vendors truly become part of an institution, their status should be monitored as closely as the institution’s own internal systems. Best practices include having a vendor management program in place to help bankers and vendors communicate and coordinate their priorities to remain on the same page.

Besides vendor screening, financial institutions have a responsibility to their customers to discern that all aspects of their operations are secure. Information technology is expanding the sharing and use of data across and outside of typical security barriers like corporate firewalls. It is important for financial institutions to realize that protections that were once adequate may lose value over time as new attacks surface and the information ecosystems change due to evolving consumer demands. One example of this is the amount of information being shared by organizations and consumers across social media and networks today. With many consumers in the United States using fewer than five unique passwords to secure their online information, organizations are considering and implementing different ways to secure their networks from attacks that might originate in these types of social exchanges.


Security has never been more important or required more commitment. Many progressive financial institutions are reducing the number of vendors they deal with by seeking partnerships with vendors that deliver more functionality on a single platform. Fewer platforms equate to fewer vulnerabilities and a simpler strategy for monitoring and updates. Separate, disparate systems complicate the security assessment; blurring the clarity of the institution’s overall security state. What was previously a complex, costly and siloed IT environment is being modernized to improve security, deliver more convenience to the end user and position organizations for the digital future.

The financial industry is a leader in security because there’s really no other option when the stakes are this high; the monetary assets of billions of consumers and millions of businesses are on the line. Simply meeting security regulations isn’t enough because regulations tend to be more than a few steps behind cyber criminals and the leading security practices required to combat them. For example, many of today’s attacks across industries focus on social engineering and ransomware. Both of these methods bypass many of the boundary protections and provide entry points for multi-phased and long term attack methodologies. Unfortunately, current regulations have yet to catch up with these new attack methods, leaving financial institutions, and their customers, vulnerable.

With all this in mind, no financial institution that values its brand and the customer loyalty it creates can take the task of vetting vendors and their security practices lightly. Consumers ultimately don’t recognize the difference between a mistake made by a vendor and a mistake made by a bank or credit union, nor should they have to. Once a vendor becomes part of the bank, there is no separation; what happens to the customer reflects negatively on the institution and industry as a whole. Financial institutions succeed because they are the trusted, proven gatekeepers and advisors for people’s livelihoods and that relationship cannot be maintained without the best security practices being employed by the vendors that serve those organizations.

This article originally appeared in the August 2016 issue of Security Today.


  • Maximizing Your Security Budget This Year

    Perimeter Security Standards for Multi-Site Businesses

    When you run or own a business that has multiple locations, it is important to set clear perimeter security standards. By doing this, it allows you to assess and mitigate any potential threats or risks at each site or location efficiently and effectively. Read Now

  • ISC West 2024 is a Rousing Success

    The 2024 ISC West security tradeshow marked a pivotal moment in the industry, showcasing cutting-edge technology and innovative solutions to address evolving security challenges. Exhibitors left the event with a profound sense of satisfaction, as they witnessed a high level of engagement from attendees and forged valuable connections with potential clients and partners. Read Now

    • Industry Events
    • ISC West
  • Live From ISC West: Day 2

    What a great show ISC West 2024 has been so far. The second day on Thursday was as busy or even more hectic than the first. Remember to keep tabs on our Live From ISC West page for news and updates from the show floor at the Sands Expo, because there’s more news coming out than anyone could be expected to keep track of. Read Now

    • Industry Events
    • ISC West
  • A Unique Perspective on ISC West 2024

    Navigating a tradeshow post-knee surgery can be quite the endeavor, but utilizing an electric scooter adds an interesting twist to the experience. While it may initially feel like a limitation, it actually provides a unique perspective on traversing through the bustling crowds and expansive exhibition halls. Read Now

    • Industry Events
    • ISC West

Featured Cybersecurity

New Products

  • ComNet CNGE6FX2TX4PoE

    The ComNet cost-efficient CNGE6FX2TX4PoE is a six-port switch that offers four Gbps TX ports that support the IEEE802.3at standard and provide up to 30 watts of PoE to PDs. It also has a dedicated FX/TX combination port as well as a single FX SFP to act as an additional port or an uplink port, giving the user additional options in managing network traffic. The CNGE6FX2TX4PoE is designed for use in unconditioned environments and typically used in perimeter surveillance. 3

  • AC Nio

    AC Nio

    Aiphone, a leading international manufacturer of intercom, access control, and emergency communication products, has introduced the AC Nio, its access control management software, an important addition to its new line of access control solutions. 3

  • HD2055 Modular Barricade

    Delta Scientific’s electric HD2055 modular shallow foundation barricade is tested to ASTM M50/P1 with negative penetration from the vehicle upon impact. With a shallow foundation of only 24 inches, the HD2055 can be installed without worrying about buried power lines and other below grade obstructions. The modular make-up of the barrier also allows you to cover wider roadways by adding additional modules to the system. The HD2055 boasts an Emergency Fast Operation of 1.5 seconds giving the guard ample time to deploy under a high threat situation. 3