Vetting a Vendor
Every part of a financial institution must be secure
- By Jeff Walker
- Aug 01, 2016
Security continues to be a major area of vulnerability for the banking
industry, with attacks impacting individuals, small businesses
and major corporations. From phishing to ransomware, fraudsters
are constantly evolving their methods to counter steps taken by
banks and credit unions to protect their environments. To maintain
their reputation as organizations trusted most by consumers and businesses when
it comes to managing assets, financial institutions must ensure that every part of
their operation is secure, including those areas where vendors play a role.
Financial institutions are complex entities with many moving parts. These
intricacies typically lead banks to partnering with several vendors to assist with
both consumer facing and internal processes, such as mobile and Internet banking,
small business banking, loan processing, bill pay processes and P2P payments.
Because of the many challenges associated with building new technology infrastructure
in house, these vendors have become not only a logical choice but also
a strategic alternative. These companies are helping financial institutions innovate
and keep up with the rapidly evolving needs of consumers and business owners.
While these relationships are typically mutually beneficial partnerships, because
vendors are a vital component of the financial institution’s infrastructure,
careful vetting must be done to limit vulnerabilities introduced by these third parties.
Banks and credit unions must ensure that the vendors they select not only
have the highest standards in customer satisfaction and compliance, but also when
it comes to security.
VETTING VENDOR SECURITY
In security, “you’re only as strong as your weakest link” is a well-known adage.
For this reason, financial institutions must conduct extensive due diligence on the
security practices of their vendor partners, or else they jeopardize their customers’
financial health as well as their brands. After all, if a bank or credit union suffers
a breach due to a vendor’s oversight, customers won’t blame the vendor; instead,
they’ll blame their financial institution that’s supposed to safeguard their finances.
This type of mistake is a costly one that is nearly impossible for a bank or credit
union to fully recover from, as its reputation will be tarnished and its customers
will become highly sensitive to the risk of doing business with them.
Once a financial institution has identified several vendors it could potentially
partner with for a desired product or solution, it must start with a review of the
vendor’s overall strategy and approach to security. Some vendors tend to view
security as a “necessary evil,” simply a box that must be checked by going through
the necessary motions. This is obviously not the type of vendor that a bank or
credit union should aim to partner. Instead, the preference should be given to vendors
that consider security an integral part of their operations, part of their core
culture, something that is lived and breathed every day.
While vendor culture can be a difficult thing to ascertain, good indicators include
the strength and depth of the vendors’ security policy, the quality and experience
of security staff and the presence of a strong plan for handling security
incidents. The amount of time a vendor has had its security certifications in place
is also a good gauge for measuring how well the consumers’ data will be protected.
The level of effort the vendor takes to keep these certifications can also be a positive
indicator of its commitment to security. However, if a vendor’s commitment
does not continue beyond obtaining and maintaining certification, then there is
cause for concern. Vendors that truly care about the security of the organizations
they do business with will go above and beyond, demonstrating additional ways to
safeguard sensitive information and data.
VENDORS IN THE CLOUD
When ‘the cloud’ first became a high
profile topic a few years back, many
organizations avoided its use primarily
because it was unclear how secure it
could be. As time went on, most of these
concerns were dispelled as companies,
including financial institutions, began
to realize and trust how safely the cloud
could store and back up sensitive data.
In fact, security for use in the cloud began
to meet and exceed that of other options
attracting companies who especially
needed the ability to reduce IT costs
while maintaining scalability, reliability
and flexibility within their operations.
Among the organizations that began
to move more of their infrastructure to
the cloud was banks and credit unions.
However, vendors whose solutions are
cloud-based do require their own unique
set of security measures.
When looking to validate the security
of a cloud-based vendor, it is important
to note that not all clouds are created
equal. Financial institutions must
understand where the data resides and
if it’s possible for the data to move out
of this country without the institution’s
or customer’s knowledge. Today, most
physical cloud-based storage facilities
feature military level security, but
banks and credit unions must confirm
a potential’s vendor cloud storage location
meets this level of protection. It
is also paramount to investigate if the
vendor employs any subcontractor services,
and if so, what kind of security
measures these companies are taking,
as their security practices can reflect
back on the financial institution as well.
Finally, it’s essential to understand
what type of security forensics or reporting
the cloud service supports and what
notification processes are in place for a
potential compromise or disclosure.
THE BANK’S ROLE
After vendor selection, the financial
institution’s job is far from done. At
a minimum, financial institutions
should confirm that their vendor partners
continue to maintain the same or
commensurate security certifications.
In addition, the security of a vendor’s
products, services and platforms
should continue to be evaluated at
least annually. Because vendors truly
become part of an institution, their
status should be monitored as closely
as the institution’s own internal systems.
Best practices include having a
vendor management program in place
to help bankers and vendors communicate
and coordinate their priorities
to remain on the same page.
Besides vendor screening, financial
institutions have a responsibility
to their customers to discern that all
aspects of their operations are secure.
Information technology is expanding
the sharing and use of data across
and outside of typical security barriers
like corporate firewalls. It is important
for financial institutions to
realize that protections that were once
adequate may lose value over time as
new attacks surface and the information
ecosystems change due to evolving consumer demands. One example
of this is the amount of information
being shared by organizations and
consumers across social media and
networks today. With many consumers
in the United States using fewer than
five unique passwords to secure their
online information, organizations are
considering and implementing different
ways to secure their networks from
attacks that might originate in these
types of social exchanges.
SINGLE PLATFORM VENDORS
Security has never been more important
or required more commitment. Many
progressive financial institutions are
reducing the number of vendors they
deal with by seeking partnerships with
vendors that deliver more functionality
on a single platform. Fewer platforms
equate to fewer vulnerabilities and a
simpler strategy for monitoring and updates.
Separate, disparate systems complicate
the security assessment; blurring
the clarity of the institution’s overall
security state. What was previously a
complex, costly and siloed IT environment
is being modernized to improve
security, deliver more convenience to
the end user and position organizations
for the digital future.
The financial industry is a leader in
security because there’s really no other
option when the stakes are this high;
the monetary assets of billions of consumers
and millions of businesses are
on the line. Simply meeting security
regulations isn’t enough because regulations
tend to be more than a few steps
behind cyber criminals and the leading
security practices required to combat
them. For example, many of today’s
attacks across industries focus on social
engineering and ransomware. Both
of these methods bypass many of the
boundary protections and provide entry
points for multi-phased and long
term attack methodologies. Unfortunately,
current regulations have yet to
catch up with these new attack methods,
leaving financial institutions, and
their customers, vulnerable.
With all this in mind, no financial
institution that values its brand and
the customer loyalty it creates can take
the task of vetting vendors and their
security practices lightly. Consumers
ultimately don’t recognize the difference
between a mistake made by a
vendor and a mistake made by a bank
or credit union, nor should they have
to. Once a vendor becomes part of the
bank, there is no separation; what happens
to the customer reflects negatively
on the institution and industry as a
whole. Financial institutions succeed
because they are the trusted, proven
gatekeepers and advisors for people’s
livelihoods and that relationship cannot
be maintained without the best security
employed by the vendors
that serve those
This article originally appeared in the August 2016 issue of Security Today.