Outsourced Third Party (Vendor) Risk Management is a top priority for the regulators, so financial institutions need to make it a priority to ensure that their Program is not only effective but also meets regulatory expectations. When you outsource, you are placing your confidential customer information, along with the availability and security of that information, in someone else's hands, but you still retain the responsibility for ensuring the integrity, confidentiality, availability, and security of the information. That makes this Program a crucial part of your overall Information and Cyber Security Program.
Numerous FFIEC, OCC, FRB, and FDIC guidance documents demonstrate the importance of third-party risk management. The OCC and the FRB issued guidance relating to third party relationships in October and December of 2013, respectively, while the FDIC reissued its Technology Outsourcing Informational Tools in April of 2014. On November 14, 2019, a revised Business Continuity Planning handbook was released that addresses Third Party Management, Third Party Capacity, Testing with Third-Party Technology Service Providers, and Cyber Resilience. The FFIEC Cybersecurity Assessment Tool (CAT) also includes declarative statements relating to Outsourced Third Party Risk Management practices.
Your Outsourced Third Party Risk Management Program should address both Vendor and Third Party Service Provider relationships and activities, including cloud providers, managed service providers, core banking and digital banking providers, and critical infrastructure providers like telecommunications, utility, and Internet service providers. Management of these relationships starts with performing due diligence prior to contracting, risk assessing each relationship to identify critical and significant relationships and those that present high risk regardless of their significance, reviewing contracts, and performing annual oversight.
Susan Orr has assisted numerous institutions with developing their Outsourced Third Party Risk Management Program and will share her insights into developing an effective program in this webinar.