During our recent three day Vendor Management Bootcamp (click here to watch on-demand), we had a lot of GREAT questions come in. It was simply impossible to get to them all during the live sessions, so we took your questions and worked with the various speakers to compile the answers and make them available for all here.
Below you will find the questions and the speaker responses from Day 2, Session 1.
Answers kindly provided by:
Dana Bowers, CEO/Founder, Venminder, Inc.
Branan Cooper, Chief Risk Officer, Venminder, Inc.
Aaron Kirkpatrick, Information Security Officer, Venminder, Inc.
Critical Vendors
Q1: Should a vendor that receives PII or a customer-facing vendor be considered Critical regardless of its other characteristics?
Answer: "No – those would typically indicate a higher regulatory risk level but not necessarily business impact."
Q2: What type of ranking system would you use for critical?
Answer: "High, med, low or 1 thru 5. Simply Critical or NonCritical."
Download this infographic for the 3 questions to ask to determine criticality.
Q3: If a vendor has a High Financial Impact, why would reviewing their financials shed light on anything beside their Max Allowable Downtime? If they impact your financials heavily, what information would their financial documents be able to clarify?
Answer: "To determine their overall financial health and whether they are going to be in existence a year or even a few months from now, particularly if you are reliant on them for a core function. Perhaps their management team may start leaving; they may also cut their level of support and service. Any of these could be problematic."
Q4: If a vendor isn't critical, meaning we can function without them, but their financials aren't very strong, would they be considered critical? Or is criticality solely based on our business need and not their financials?
Answer: "Only if their sudden loss would cause a material disruption to your institution or your customers. Criticality is related to business need."
Q5: We've been told internally and by external attorneys their professional standards meet or exceed anything we would be requiring and they push back any requests for information or rights to audit their processes. Do you experience that?
Answer: "I have certainly heard that, and they'd been correct on their licensing and bar admission, but as we have seen, there have been cases where certain attorneys have been less than reputable. Branan would always recommend a check of their credentials and a reputation risk check. Additionally, as mentioned in the session, you definitely need to look at their information security practices."
Q6: Do you maintain due diligence on the alternate vendor list if they are not currently active, but you need them in an immediate pinch to assume an active role?
Answer: "If they are an alternate to a Critical vendor and we may need them quickly, yes; otherwise, since low likelihood of needing quickly, no."
Q7: How would I find out if a vendor is having hiring/employee retention issues?
Answer: "Best way is to ask them (or if they are a larger company, can check Glassdoor or Salary.com)."
Q8: We have some vendors that could be easily replaced but may handle or see NPPI. Why would the sole fact that the vendor is subject to NPPI not make it a critical vendor?
Answer: "That would make them higher regulatory risk rather than critical."
Q9: How would one go about implementing an exit strategy?
Answer: "Usually, sit with the business relationship owner and IT/IS manager and discuss what steps would need to happen to replace the vendor; then meet with the vendor and do the same thing, then commit to writing, contemplating a gradual and immediate unwind."
Please contact our information security team if you need additional assistance.
Q10: We have Title and Appraisal providers as Critical. Is this typical?
Answer: "Not in my experience. They would typically be non-critical. Criticality is from a business impact perspective."
Q11: What happens when you have a provider that does business with hundreds of lenders on testing? We all cannot ask them to take a day out of their schedule to test.
Answer: "Discuss with the vendor how best to handle. Perhaps they can set aside a specific time period for everyone to conduct their testing. Or conduct an internal test and ask for evidence of their own testing."
Q12: How do you recommend testing an exit strategy or contingency plan with a critical vendor? We have evidence that our vendors test, but are struggling with how we would test when an alternate vendor is not always approved/in production.
Answer: "You could look at how long the onboarding process was for the current vendor, determine how you could have shortened that process in the case of a rush and used the remaining time in your calculation of a Maximum Allowable Downtime for the institution. But, you also would need to take into account the influx of other institutions to that new vendor in the case of another vendor failing. So that would increase time required.
How do you test contingency plans with a critical vendor? Most larger vendors that acknowledge they're offering a critical service allow their customers to participate in at least disaster recovery testing each year. From what we see, only a very small percentage of institutions take advantage of this opportunity, but with the OIG's statement on FDIC-regulated institutions regarding continuity, that should greatly increase.
It can also depend on the vendor and how they’re integrated into your operations. If it’s a critical vendor, do you have a copy of your data in a format which isn’t proprietary to the vendor so that in the case of a failure, another vendor could import that data, even if it takes a little data mapping? That would really help with mitigating overall risk and the downtime while switching vendors during a business impacting event."
Q13: So Criticality lends to ease of replacement and Risk lends toward access to PII?
Answer: "Generally, yes – though there is more than ease of replacement, it truly is disruption – before you even consider replacing them, please think more from a continuation of services standpoint and what could be done to bridge any interruptions."
Q14: Risk rating for large suppliers/vendors delivering multiple services/products across multiple contracts and contract owners: What is a good strategy to arrive at an overall risk rating for one such supplier?
Answer: "Opt for the most conservative rating – if any product or service for a supplier is High Risk or Critical, be conservative, it's always easier to determine that you can back down later than to get burned potentially by underestimating risk."
Q15: Is it a standard procedure to perform due diligence and risk assessment for a vendor's products?
Answer: "Yes, when needed or when they have different risk profiles (think of FIS having Regulatory University education website which would be Non-Critical and low risk; think of their multiple processing platforms, which would be Critical and high risk, each of which may have different SSAE 18 reports, for example)."
For a reminder of what SSAE 18 is, download our infographic.
Learn how we can help you lower your vendor management workload - download our samples.