Vendor Risk Management: It’s More Than a Checklist

by Terry Ammons, Porter Keadle Moore

Risk management and cybersecurity are again top of mind for financial service providers heading into 2019. Recent data breaches at sizeable organizations have posed a significant question for these bankers: “Does our bank have the proper safeguards to defend against tomorrow’s cyber attack?” 

Likewise, federal regulators have also indicated their desire for banks to more stringently manage and oversee their risk management efforts. In particular, these regulators are spending an increasing amount of time examining the role data liquidity plays in banks’ operations, particularly as it relates to the data moving between banks and their vendor partners. 

Of course, engaging and working with third-party vendors, such as fintechs, has become a key tactic in a financial institution’s ability to serve and engage customers. Working with these vendors, however, entails a certain degree of risk, as potentially critical consumer information flows from the bank’s network onto the vendor’s. 

Just as cybersecurity threats pose a risk to banks’ daily business and internal networks, vendor relationships pose a risk of their own, and in order to mitigate future reputational, operational and legal damages, banks must take a more active approach to overseeing those relationships. 

Different Levels of Risk
Because of the nature of their business and the sensitive personal and financial data in their care, banks have a higher threshold than other industries when it comes to developing their risk management programs. Federal regulators are constantly monitoring for potential missteps, and consumers are becoming more vigilant in their scrutiny of financial service providers as well. This means bankers must take the added step of ensuring their risk management programs hold up to the highest level of inspection. 

Not all threats are equal when it comes to risk management, however, and the first step in creating a modern risk management program is to stratify risk by category. Most bankers recognize that some vendors pose a more serious risk to an institution, yet many continue to treat all vendors equally, assigning the same level of risk to each regardless of the type of service or the sensitivity of the data shared. 

For example, most financial institutions use one vendor for their instant issuance technology and another for their mobile banking platform. While both vendors play a role within the institution’s technological framework, the mobile banking vendor is potentially logging and storing significantly more important data from the bank on its own servers, which creates an opportunity for compromise if the vendor is not as stringent with its security protocols. 

So, how do bankers securely manage the data moving throughout their organization? While internal intrusions are as much of a risk for banks as external ones, what could be riskier than allowing data to leave? After all, once data is outside a bank’s network, bankers have little to no control over it, and it’s up to the vendor to hold up its end of the data security bargain. 

Due Diligence
Once all of a bank’s risks have been identified, categorized and are actively tracked, it’s up to the bank to conduct its own due diligence and ensure its vendor partners are upholding their end of the contract. The end product of this is typically a requirement on the vendor’s part to provide documentation and reporting that both validates and demonstrates its security protocols. Unfortunately, this is usually done only at the start of a relationship, as conducting further analysis can be time consuming and is often treated as an unnecessary, cumbersome expense. 

In reality, successful due diligence is an ongoing effort rooted in how well a bank and vendor can collaborate and communicate with each other. While it is a vendor’s job to maintain the security controls and safeguards established at the start of the relationship, cybersecurity threats are constantly evolving. Banks, by taking the added step of continuously working with their vendors, and not viewing it as a once-a-year, check-the-box situation, can better protect their own networks, and in turn, their customers. 

Keep in mind, however, that with so many potential avenues of attack, a cybersecurity breach can still occur. Whether it’s a missed patch or an employee clicking a malicious email link, a bank’s risk management strategy must include steps for mitigating damage once a breach has occurred. Every institution wants to avoid this situation, but if and when one does transpire, the bank must take a three-pronged approach of remediation, mitigation and, finally, acceptance. This allows the bank to fix or correct any damages, prepare for similar attacks in the future and create a more robust strategy for responding to future cybersecurity threats. 

Effective risk management is often a balancing act between meeting the latest security standards, managing evolving regulatory requirements and recognizing the potential for malicious actors to create new, and often more sophisticated, traps. There is no finish line when it comes to compliance and protecting consumer information; rather, it’s an ever-moving target that requires constant review and evaluation. 

Terry Ammons, CPA, CISA, CTPRP is systems partner at Porter Keadle Moore (PKM), an Atlanta-based accounting and advisory firm serving public and private organizations in the financial services, insurance and technology industries. Ammons is also host of PKM’s podcast GroundBanking. To learn more, please visit