Limiting Third-Party Risks

Why Contracts Must Address More Than Security Compliance
Wayne Dunn, CTO of HarborOne Bank in New England, says improving vendor management is a top security priority for institutions in 2014. As more core banking functions are outsourced, due diligence becomes increasingly critical.

Security risk mitigation surrounding outsourced remote-deposit capture and mobile payments will be top of mind in the coming year, says Dunn, who serves as the chief technology officer of this $1.9 billion bank based in Massachusetts.

"It's about making sure that we are doing all the due diligence that we can possibly do," he says during this interview with Information Security Media Group.

Third-party relationships are becoming more complex, especially as more functions are outsourced to cloud providers, Dunn says.

The potential to expose card data and other personally identifiable information about customers, as well as the bank's intellectual property, has increased because of the cloud, he says. This is why banking institutions need to ensure they are performing adequate due diligence upfront, Dunn adds.

"Our core system's provider is a hosted environment, so that's a private cloud," he says. "But the challenge there is visibility."

Risk Assessments

HarborOne has taken steps to ensure it's addressing visibility challenges during the project planning process, which includes detailed risk assessments, Dunn says.

The bank established an operational risk committee that meets quarterly to share information with all of the institution's business units, Dunn explains. The group keeps those units updated about where due diligence stands, he says.

And due diligence includes more than just ensuring that third parties are meeting minimal security obligations, Dunn adds. "We also have improved our process ... where contracts are concerned," he says. For example, contracts must address ongoing risk assessments as well as disaster recovery and business continuity, Dunn says.

During this interview, Dunn also discusses:

  • HarborOne's debit portfolio migration to EMV, also known as the EuroPay, MasterCard, Visa standard;
  • Why ongoing customer education about security risks is so critical, and an area with which most banking institutions continue to struggle; and
  • Why security concerns surrounding wireless connectivity are getting renewed attention.

In addition to serving as HarborOne's chief technology officer, Dunn also serves as senior vice president, overseeing the bank's strategic direction and initiatives that leverage technological investments and provide operational efficiencies. He recently led efforts to migrate HarborOne to the Microsoft platform for authentication, collaboration, and messaging; conversion of the institution's core system; and implementation of a direct branch image capture system.