Prevalent-Blog-Logo

The vendor risk assessment is the lynchpin of every effective third-party risk management program. In theory, the essential components of an assessment are easily determined. However, in practice, the ability to effectively understand and assess third-party controls usually conflicts with the resources available to perform the assessments, and is further handicapped by the need to rapidly conclude assessments so contracts can be finalized and projects begun.

All too often, this results in assessments that are driven by resource availability and time rather than by an appropriate review of required security controls.

(more…)


The FFIEC issued its general findings from an assessment of over 500 community-based financial institutions this summer. In its November 3rd press release [1], the FFIEC discussed the growing need for tighter cybersecurity measures and indicated that it was already in the process of reviewing and updating the existing guidelines for managing cybersecurity risk.

(more…)


In reviewing recent security incidents at several New York City banks, an article in the October 21st New York Times [1] focused on an ever-recurring theme – the need to closely scrutinize how well a financial institution’s vendors provide IT security to protect access to data and systems. While the theme itself isn’t new, the article revealed that the Treasury Department is now engaged in a “sweeping effort” [1] to require banks to increase their procedures for determining if vendors are adequately protecting their data and access to their systems.

(more…)