Vetting a Vendor
Security continues to be a major area of vulnerability for the banking
industry, with attacks impacting individuals, small businesses
and major corporations. From phishing to ransomware, fraudsters
are constantly evolving their methods to counter steps taken by
banks and credit unions to protect their environments. To maintain
their reputation as organizations trusted most by consumers and businesses when
it comes to managing assets, financial institutions must ensure that every part of
their operation is secure, including those areas where vendors play a role.
Financial institutions are complex entities with many moving parts. These
intricacies typically lead banks to partner with several vendors to assist with
both consumer-facing and internal processes, such as mobile and Internet banking,
small business banking, loan processing, bill pay processes and P2P payments.
Because of the many challenges associated with building new technology infrastructure
in house, these vendors have become not only a logical choice but also
a strategic alternative. These companies are helping financial institutions innovate
and keep up with the rapidly evolving needs of consumers and business owners.
While these relationships are typically mutually beneficial partnerships, because
vendors are a vital component of the financial institution’s infrastructure,
careful vetting must be done to limit vulnerabilities introduced by these third parties.
Banks and credit unions must ensure that the vendors they select hold the highest
standards not only in customer satisfaction and compliance, but also in security.
VETTING VENDOR SECURITY
In security, “you’re only as strong as your weakest link” is a well-known adage.
For this reason, financial institutions must conduct extensive due diligence on the
security practices of their vendor partners, or else they jeopardize their customers’
financial health as well as their brands. After all, if a bank or credit union suffers
a breach due to a vendor’s oversight, customers won’t blame the vendor; instead,
they’ll blame their financial institution that’s supposed to safeguard their finances.
This type of mistake is a costly one that is nearly impossible for a bank or credit
union to fully recover from, as its reputation will be tarnished and its customers
will become highly sensitive to the risk of doing business with them.
Once a financial institution has identified several vendors it could potentially
partner with for a desired product or solution, it must start with a review of the
vendor’s overall strategy and approach to security. Some vendors tend to view
security as a “necessary evil,” simply a box that must be checked by going through
the necessary motions. This is obviously not the type of vendor that a bank or
credit union should aim to partner with. Instead, preference should be given to vendors
that consider security an integral part of their operations, part of their core
culture, something that is lived and breathed every day.
While vendor culture can be a difficult thing to ascertain, good indicators include
the strength and depth of the vendors’ security policy, the quality and experience
of security staff and the presence of a strong plan for handling security
incidents. The amount of time a vendor has had its security certifications in place
is also a good gauge for measuring how well the consumers’ data will be protected.
The level of effort the vendor takes to keep these certifications can also be a positive
indicator of its commitment to security. However, if a vendor’s commitment
does not continue beyond obtaining and maintaining certification, then there is
cause for concern. Vendors that truly care about the security of the organizations
they do business with will go above and beyond, demonstrating additional ways to
safeguard sensitive information and data.
VENDORS IN THE CLOUD
When ‘the cloud’ first became a high
profile topic a few years back, many
organizations avoided its use primarily
because it was unclear how secure it
could be. As time went on, most of these
concerns were dispelled as companies,
including financial institutions, began
to realize and trust how safely the cloud
could store and back up sensitive data.
In fact, security for use in the cloud began
to meet and exceed that of other options,
attracting companies that especially
needed the ability to reduce IT costs
while maintaining scalability, reliability
and flexibility within their operations.
Among the organizations that began
to move more of their infrastructure to
the cloud were banks and credit unions.
However, vendors whose solutions are
cloud-based do require their own unique
set of security measures.
When looking to validate the security
of a cloud-based vendor, it is important
to note that not all clouds are created
equal. Financial institutions must
understand where the data resides and
if it’s possible for the data to move out
of this country without the institution’s
or customer’s knowledge. Today, most
physical cloud-based storage facilities
feature military level security, but
banks and credit unions must confirm that
a potential vendor’s cloud storage location
meets this level of protection. It
is also paramount to investigate if the
vendor employs any subcontractor services,
and if so, what kind of security
measures these companies are taking,
as their security practices can reflect
back on the financial institution as well.
Finally, it’s essential to understand
what type of security forensics or reporting
the cloud service supports and what
notification processes are in place for a
potential compromise or disclosure.
THE BANK’S ROLE
After vendor selection, the financial
institution’s job is far from done. At
a minimum, financial institutions
should confirm that their vendor partners
continue to maintain the same or
commensurate security certifications.
In addition, the security of a vendor’s
products, services and platforms
should continue to be evaluated at
least annually. Because vendors truly
become part of an institution, their
status should be monitored as closely
as the institution’s own internal systems.
Best practices include having a
vendor management program in place
to help bankers and vendors communicate
and coordinate their priorities
to remain on the same page.
Besides vendor screening, financial
institutions have a responsibility
to their customers to discern that all
aspects of their operations are secure.
Information technology is expanding
the sharing and use of data across
and outside of typical security barriers
like corporate firewalls. It is important
for financial institutions to
realize that protections that were once
adequate may lose value over time as
new attacks surface and the information
ecosystems change due to evolving consumer demands. One example
of this is the amount of information
being shared by organizations and
consumers across social media and
networks today. With many consumers
in the United States using fewer than
five unique passwords to secure their
online information, organizations are
considering and implementing different
ways to secure their networks from
attacks that might originate in these
types of social exchanges.
SINGLE PLATFORM VENDORS
Security has never been more important
or required more commitment. Many
progressive financial institutions are
reducing the number of vendors they
deal with by seeking partnerships with
vendors that deliver more functionality
on a single platform. Fewer platforms
equate to fewer vulnerabilities and a
simpler strategy for monitoring and updates.
Separate, disparate systems complicate
the security assessment, blurring
the clarity of the institution’s overall
security state. What was previously a
complex, costly and siloed IT environment
is being modernized to improve
security, deliver more convenience to
the end user and position organizations
for the digital future.
The financial industry is a leader in
security because there’s really no other
option when the stakes are this high;
the monetary assets of billions of consumers
and millions of businesses are
on the line. Simply meeting security
regulations isn’t enough because regulations
tend to be more than a few steps
behind cyber criminals and the leading
security practices required to combat
them. For example, many of today’s
attacks across industries focus on social
engineering and ransomware. Both
of these methods bypass many of the
boundary protections and provide entry
points for multi-phased and long
term attack methodologies. Unfortunately,
current regulations have yet to
catch up with these new attack methods,
leaving financial institutions, and
their customers, vulnerable.
With all this in mind, no financial
institution that values its brand and
the customer loyalty it creates can take
the task of vetting vendors and their
security practices lightly. Consumers
ultimately don’t recognize the difference
between a mistake made by a
vendor and a mistake made by a bank
or credit union, nor should they have
to. Once a vendor becomes part of the
bank, there is no separation; what happens
to the customer reflects negatively
on the institution and industry as a
whole. Financial institutions succeed
because they are the trusted, proven
gatekeepers and advisors for people’s
livelihoods, and that relationship cannot
be maintained without the best security
practices being employed by the vendors
that serve those organizations.
This article originally appeared in the August 2016 issue of Security Today.
About the Author
Jeff Walker is the CISO of D3 Banking.