Third Party Vendor Management - Looking out for the Weakest Link
No company can do it all. Every organization relies on specialized outside providers to perform tasks which are outside of their core competencies and when doing that, information must be shared. When we offload a business function to a third party, we don’t get to offload the responsibility for keeping the associated information secure. Our employees, customers, regulators and the investing public expect financial firms to choose business partners who will treat their personal and corporate information with the same level of care as we (or they) would.
When even a “minor” third party service provider has a security incident, the impacts can be quite unexpected and dramatic. For example, the 2014 security breach of Target’s air conditioning maintenance provider started a chain of events which resulted in the theft of more than 100 million credit card numbers from their point-of-sale system. In addition to the costs of cleaning up the intrusion, Target suffered a serious hit to its reputation and the CEO and CSO lost their jobs. Millions of customers were inconvenienced when their credit cards had to be reissued. Credit card companies had to spend millions to get new cards into the hands of consumers and reimburse them for fraudulent charges. And it all started because the air conditioner folks didn’t secure their systems.
The Target case is an example of why vendor management programs must be a key part of any institution’s overall information security program and why information security must be a key selection criterion when deciding which vendors to entrust with sensitive information.
It is unrealistic to think that we can perform in depth security assessments of every third party vendor that walks through the door—most vendors won’t allow this and even if they do, the costs would be prohibitive for all but the largest firms.
As Chief Security & Risk Officer for Liquidnet, an institutional trading network, I have the dubious honor of getting to see this issue from both sides. We have third party vendors that we need to vet and our members need to vet us to ensure that we are going to protect their confidential information.
Here at Liquidnet, we get a jump start on the assessment process by engaging a third party auditor to put us through the wringer each year and produce an SSAE16 SOC2 report and an ISO27001 certification.
The SOC2 report requires us to describe our business and the security controls that we have in place to meet a set of specific security criteria determined by the American Institute of Certified Public Accountants (AICPA). These controls are then tested by the auditors to determine if they are well designed and if we are implementing them correctly and consistently. The SOC2 provides a detailed look at the substance and performance of our security programs, with any discrepancies laid out.
The ISO27001 certification provides assurance that we are in compliance with the International Standards Organization’s criteria for the proper design and implementation of an Information Security Management System (ISMS).
We provide both of these documents to prospective customers in the hope that they will answer all of their security questions and concerns. Most commonly, we are then asked to complete a security questionnaire developed by each of our customers. In most cases, all of the answers to the questionnaire can be found in the SOC2 or ISO27001 reports. However, in 90 percent of cases we are asked to fill out the questionnaire as well, and when you have more than 800 customers, this adds up to a lot of time spent filling out questionnaires.
Why does this happen?
First and foremost, because the financial industry has not been able to come to an agreement as to what questions need to be asked about information security and what the right answers are to those questions. Second, evaluating the results of a questionnaire is perceived to be easier and quicker than dealing with a SOC2 report which can run to over 100 pages.
Third, companies have a lot invested in their existing assessment processes and are not eager to make changes to a system which has been in place for years.
The AICPA has been trying to get the financial industry to accept the SOC2 report as a standard way of assessing vendors for years. Their latest attempt to do this is by introducing a SOC2+ report which adds a number of additional outsourcing-specific criteria as “Additional Subject Matter”. These include a description of the physical characteristics of a service organization’s facilities, historical data regarding uptime, a statement of privacy practices, and reporting of the service provider’s compliance with industry standards such as ISO27001, COBIT, etc.
While this is a step in the right direction, I am not sure that the SOC2+ is going to make a serious dent in the number of questionnaires my team sees every year, and that is a shame. What the financial industry needs to do to reduce the time and cost of the vendor review process is to come to an agreement on what questions need to be answered to determine if a vendor has an acceptable security program in place. Ninety percent of the questions should be standard with room for some custom questions centered on the specific service being provided.
The industry has tried to do this in the past. Most notably, the Shared Assessments Group Standard Information Gathering (SIG) questionnaire has garnered some support in the industry, but has not managed to replace the myriad of home brewed questionnaires in use across the industry. This is unfortunate, as the SIG is very comprehensive and regularly updated.
Given the increasing number of third party vendor relationships and the increasing focus on protecting sensitive information, it would seem that the industry is reaching the point where our existing model needs to be more scalable and efficient. A new model could save the industry millions of dollars and redirect needed resources to implementing and improving security, rather than talking about it.