the security of your data on individual PCs or the security of your
data when it is stored in the servers of your vendors? And if the
contract does address these issues, what due diligence have you
done? You should obtain copies of any third-party audits that have
been performed, such as Service Organization Controls (SOC)
reports, Payment Card Industry (PCI) compliance reports, etc.
(NOTE: If you haven't already done this, you will want to identify the different steps you'll take with each vendor relationship, commensurate with the level of risk they pose.)
What if you are a smaller financial institution, and your ability
to negotiate contracts with your vendors is limited? In other words,
what do you do if your vendor declines to amend the contract
to include the provisions you believe should be in the contract?
Let's face it: vendors need to evaluate the risks in the relationship
from their side, and those risks are likely to differ from the risks we
see in the relationship. So what do we do when these challenges
arise? First, consider using another vendor. If the
vendor won't include the contract provisions you require, find
one that will. But what if another vendor is not an option? Then
you will need to work hard to negotiate the provisions that you
can, and you may be forced to accept the risk that some of the
provisions are not in the contract. Document that accepted risk
and who approved it, so the decision is visible in your vendor file.
And for all of the vendors that we have mentioned, do you
have a certificate of insurance? Have you reviewed their disaster
recovery plan? Have you reviewed their financials? Because if
something happens to your vendor, what happens to your data?
What happens to your operation? There have been several cases
of industry vendors that were unable to stay in business and simply stopped operating. What will you do if that happens to you?
And to complicate matters, you may now need to consider your
vendors' vendors (their subcontractors and hosting providers) as your own vendors.
Let’s Not Forget—Cybersecurity Risks
Cyber threats increase year over year and require a strong
cybersecurity program to identify, prevent, detect, and recover
from attacks. Vendors are a key source of that risk, and managing
vendors is a key part of managing cybersecurity risk. It's said that cybersecurity is only
as good as its weakest link, and you don't want your vendors to be
that link! Think about the number of vendors that might have
access to your systems, or whose systems contain your
data and might be vulnerable to intrusion, including:
■ Managed IT services—outsourcing vendors for network and
■ IT support—managing routers and servers
■ Cloud services—Software as a Service (SaaS)
■ Non-IT providers—high-tech heating and air conditioning,
You might recall a major US retailer's breach in 2013, where weak
security at an HVAC provider with network access opened the door
to a breach affecting over 100 million people. The cost to manage
the breach was estimated at $248 million, before $90 million was
recovered in insurance receivables. So a robust vendor
program can also save you money!
by Marcia Geike, CRCM and David McCrea, CRCM
DATA AGGREGATION IS A HOT TOPIC RIGHT NOW. In November 2016,
the Consumer Financial Protection Bureau (Bureau) launched an inquiry
into consumer aggregation of financial information, which is sometimes
referred to as “screen scraping.” The idea of data aggregation is that
individual consumers would be able to use a single source to obtain their
financial information from any bank, brokerage firm, and other financial
service provider. So what seems to be the issue?
The Bureau appears to be concerned that a number of financial institutions don't permit their customers to use data aggregation.
On the surface it seems that this is a disservice to customers who desire
the convenience of a single log-in for all of their financial information. But
there are risks to data aggregation. The risks include:
■ All of the customer's financial information is available to a third-party vendor
on which the financial institution has not performed any due diligence.
■ The consumer expects that their financial institution will protect them,
when it is possible that the bank is not even aware of the third-party
relationship the consumer has established.
■ The customer provides their user ID and password to the third party,
and how securely the third party stores and handles those credentials isn't known.
■ Because it holds the customer's user ID and password, the third party may
be able to perform transactions on the consumer's account, not just read it.
And as we have discussed in the body of the article, neither the financial
institution nor the customer knows the level of security the data aggregator provides. Nor has the financial institution performed any due diligence on the vendors used by the aggregator. Because the typical
vendor due diligence has not been performed, there are a lot of unknowns.
There are limited actions we can take, and neither provides much assistance:
■ You can partner with a data aggregation company and perform the
necessary due diligence to ensure that you are comfortable with your
partner. However, this may not be practical for your institution and/
or it may be very expensive. Also, there is no guarantee that the bank's
partner is the company your customer wants to use.
■ You can tell your customers that you discourage data aggregation, but
they will wonder what it is and why you are discouraging it. Banks are
in the business of protecting customers' information, but sometimes
this is not appreciated by our customers, especially when protecting
customers makes things less convenient for them.
Instead, we should encourage the Bureau to work with financial institutions and data aggregators to develop a solution that addresses the data
security issues, that is reasonably priced for our customers, and that does
not rely solely on the user IDs and passwords of individual consumers for
data sharing. We are an industry of innovation, so someone is bound to
come up with a workable solution. Let’s innovate!