In the selection and oversight of vendors that hold customer data or connect to your systems, a discussion about their cybersecurity program should occur. Questions to consider are:
■ Have they had any testing of the security of their system, including penetration testing?
■ Are they willing to share past and future test results with you? (A non-disclosure agreement may be necessary if you’re not a customer yet, since this is sensitive information.)
■ Do they have policies and procedures on how they manage your information and data transmissions? Collect and read
■ Do they have cybersecurity insurance, or can the risk of no cyber insurance or insufficient coverage be managed through their balance sheet? How financially secure are they?
■ If they have a breach involving your data, how quickly will they notify you? It’s recommended to insert a specific timeframe (e.g., within 48 hours of identification regarding your data).
■ If it’s a critical service provider, you may want to consider requiring a disaster recovery test of the vendor to have a better understanding of the protections that are in place to protect your data, even when systems are not operating as normal.
Monitoring Your Vendors’ Vendors
Once you’ve identified the risks your vendors present, you have
to start thinking about your vendors’ vendors. Companies wishing to be your long-term partner may portray themselves as
a “one-stop shop” while outsourcing some of the services to
another vendor or sub-contractor. Who are these additional
companies? What data do they access and how secure is their
system? How strong are your vendors’ controls in their vendor
relationships? There could be another layer in identifying your
Your vendors’ vendors, also referred to as sub-servicers or
sub-contractors, might be the least obvious of your vendors.
When you identify them, you will need to ensure that proper
due diligence on them occurs. First, you will need to identify
who they are, what service(s) they provide to you or your vendor,
what data they may have access to, and when they may have
access to the data. Also, you need to complete the same level of
due diligence and vendor risk rating on them, too. And the chain
can keep going. You may need to identify your vendors’ vendors’
vendors. (This can keep going, but you get the idea.) And this
is where a well-designed contract helps mitigate the risks. You
will need to review the contract to determine who the vendors
are, or whether the contract grants you the authority to question
your vendors as to who their vendors are and what services are
performed by them. This level of review may bring to light the
fact that you need to update or re-write your vendor contracts to
have the authority to perform this level of due diligence. But this
can also bring you back to having to choose between accepting
the fact that you are unable to make changes to the contract or
When technology is a major component of the vendor relationship, a review of the internal controls should be conducted prior
to entering the relationship and periodically, depending upon
the risk level of the service. This usually involves a report from a
trusted third party, like an accounting firm.
You may recall that in 2010, the American Institute of Certified Public Accountants (AICPA) retired the old SAS 70 report, used to review controls on financial statement reliability, in favor of the Statement on Standards for Attestation Engagements #16 (SSAE16) using the SOC 1 report.¹ Over the years the industry has come to utilize these reports, and vendors have expanded their independent reviews beyond the SOC 1 to include other types like the SOC 2, which focuses on the principles of security, system availability, processing integrity, confidentiality and privacy. In May 2017, the AICPA released an enhanced tool that can help you evaluate the protection of your vendors’ systems: a new SOC 1 report. The AICPA has updated the standards as part of the SSAE18 rules and added several sections to the SOC 1 so you can evaluate the data risk not only for your vendors but also your vendors’ vendors. It could include data centers, cloud infrastructure, and other outsourced services that have access to your data and could increase the risk of breaches.
Accounting firms performing the SOC 1 testing should inquire about your vendors’ oversight of their outsourced services. Examples of this type of activity could include:
■ Reviewing and reconciling output reports;
■ Holding periodic discussions with the subservicer;
■ Making site visits or performing audits at the subservicer;
■ Testing controls at the subservicer;
■ Reviewing the subservicer’s SOC 1 reports (on financial reporting controls) and SOC 2 reports (on non-financial reporting
■ Monitoring external communications, such as customer
These controls may have been conducted all along but now
their process will be formalized and documented.
This should sound familiar because it is similar to the controls that the regulators are expecting of your own vendors. The consistency should provide institutions with a better understanding of who has access to your information and the established controls and risks. These new SOC 1 standards should start to be seen in reports being issued in late summer and do not impact SOC 2 or SOC 3 non-financial reporting.