FDIC: Improve Vendor Management
Monitoring Service Providers Is Banks' Responsibility
Federal regulators are urging banking institutions to pay more attention to vendor management in light of recent breaches, such as one that compromised core processor Fidelity National Information Services, better known as FIS.
During a recent Community Bankers Advisory Committee meeting in Washington, D.C., examiners from the Federal Deposit Insurance Corp. stressed the obligations banks and credit unions have to ensure that the vendors they use maintain adequate levels of security.
Regulators regularly examine certain vendors to ensure that sensitive information is sufficiently protected through the use of encryption and other technologies. The vendors include those that have contracts with banks for core banking services or that provide services covered under the Bank Service Act.
The institutions that use those companies' products and services should request reports on those examinations and follow up to ensure security mandates are being met, regulators say. Due diligence is the responsibility of the institution, not the examiner.
"If you review a report and you see issues, then you should follow up with the vendor to find out what they have done," Kevin Pearson, an FDIC IT Examiner, said at the advisory committee meeting. Many vendors will provide quarterly updates to financial institutions about their security compliance, based on internal audits they conduct, he noted. But it's up to banks to request these updates and then carefully review them.
Regulators are prohibited from disclosing what they discover during an exam of a vendor unless a severe security flaw that exposed customer data is found, Donald Saxinger, a senior IT examination specialist within the FDIC's Division of Risk Management Supervision, said at the meeting.
"When we do find problems with a service provider, our goal is to get that written in a report to ensure they let their customers know," he said. But that's the extent of regulators' authority.
This is why regulators encourage banks to conduct due diligence and take their own steps to ensure vendors address security gaps, says Al Pascual, a financial fraud analyst with consultancy Javelin Strategy & Research.
"The hope is that ... by encouraging greater oversight of vendors by their FI [financial institution] clients, the pressure brought to bear by FIs will incentivize vendors to quickly and thoroughly address deficiencies," Pascual says.
Community institutions, which typically rely heavily on core processors and other third-party service providers, can find it difficult to hold those companies accountable for security lapses and breaches, he adds.
"Threats to take business elsewhere are rarely made," Pascual says. "The time and resources required to replace a vendor's products, especially those of a larger vendor who can often be providing a number of different products to business lines throughout a single institution, can be immensely prohibitive."
Impact of Breaches
But as third-party breaches become increasingly common, all banking institutions will be forced to take on more responsibility for vendor management, says Michael Versace, a risk and IT infrastructure specialist at data analysis firm International Data Corp.
"Vendor management is part of GRC [governance, risk management and compliance], and that's the bank's responsibility," he says. "Banks need more automated auditing for their vendor-management relationships. They need to design compliance into all of their outsourced relationships, but many are not doing that. Banks right now are not doing enough of their own due diligence."
In June, security blogger Brian Krebs reported that an examination conducted by the FDIC had determined the 2011 network hack that compromised FIS' network exposed high risk information. The examination also found that the breadth of the breach was much wider than FIS first publicly reported in May 2011, Krebs reported.
Now, community banking institutions are questioning why banking regulators have failed to quickly share concerns about significant security flaws identified during examinations.
In the case of FIS, banking regulators had been examining the breach for nearly two years. But it was not until May 2013 that the FDIC, the agency that oversees FIS, notified FIS' bank customers that the 2011 breach was much more severe than initially thought.
Banking executives at the recent advisory committee meeting asked why FIS took so long to notify banking institutions about its breach and why more examination information could not be shared upfront.
"Why are we duplicating due diligence on the vendors when there is a repository of information available?" one banking executive asked. "It would be nice if community institutions could get some of this threat information upfront, in advance of signing a contract with a specific service provider, because due diligence is expensive."
But Versace says banking institutions across the board continue to lean too much on regulators.
"Due diligence is a risk and compliance obligation," he says. "Banks should be pushing for shared risk responsibilities with their third-party service providers. Notification of breaches or failures should be built into these contracts, and banks should be testing these systems themselves on a regular basis. ... The banks should raise red flags before regulators do."