3 Critical Stages of Third-Party Vendor Management

By Vanessa Stanfield, Insurance Solutions powered by Affinion

Did you know your credit union could be held responsible for the performance of your vendors? No credit union wants to encounter regulatory trouble or face reputational risk, especially as a result of a vendor’s activities. That is why vendor management due diligence is a topic of increasing importance.

But what is the right way to go about choosing a third-party vendor? The National Credit Union Administration (NCUA) has provided clear direction regarding vendor due diligence, and has identified the following areas as critical in third-party vendor management: Risk Assessment & Planning, Due Diligence, and Risk Measurement, Monitoring and Control.

Risk Assessment & Planning

Risk Assessment

Before entering a third-party relationship, assess the current risks and document how the vendor will relate to your credit union’s strategic plan. When conducting a comprehensive risk assessment, the key areas of focus are credit, interest rate, liquidity, transaction, compliance, strategic, and reputational risk. In this discovery phase, your credit union can identify the current risks and establish expectations for the new relationship.

Due Diligence

There are four fundamental due diligence elements to consider when choosing a vendor: organizational, business model, financial health, and program risks. Assessing these areas tells your credit union what degree of due diligence the relationship requires.

But remember: not all vendors are created equal. More complex vendor relationships carrying more risk will typically require increased due diligence; less complexity and risk means less rigorous due diligence. For a comprehensive report and the five key due diligence questions you need to ask your vendors, read the full whitepaper here.

Risk Measurement, Monitoring and Control

Credit unions must be able to continually measure performance and risk throughout the relationship with the vendor. To do this, your credit union should clearly document the vendor’s responsibilities and the policies it must follow before taking on the vendor. This allows for proper vendor performance management so that you can verify that expectations are being met.

Credit unions should think of vendors not as outside third parties but as an extension of their own organization. Because of this, it is important to consider the three critical areas above when deciding on a vendor. As the NCUA has made clear, using vendors does not in any way diminish the credit union’s responsibility, so credit unions should select their vendors carefully.

What Should We Ask Our Vendors?

To be confident that a vendor’s management programs are the right fit, credit unions must examine the vendor in great detail and ask the hard questions. Failure to conduct thorough due diligence and to effectively monitor these vendors places the credit union at risk. Again, not all vendor relationships call for the same level of due diligence and ongoing monitoring, but to determine what level is necessary there are key questions your credit union must consider.

For an in-depth look at the five key due diligence questions that credit unions must ask when selecting a third-party vendor, read the full whitepaper here.

Affinion is the NAFCU Services Preferred Partner for AD&D Insurance

Cyber Security Awareness Month: Third Party Cyber Risk Management

By: Jacob Olcott, VP of Business Development, BitSight Technologies

How not to become a “Target”
October is Cyber Security Awareness Month, and few things are more haunting to financial or retail institutions than the security breach that hit Target stores a few years back. The attack resulted in more than 40 million debit and credit card numbers being stolen, and more than likely affected at least some of your members.

The scariest part of the breach may be where it originated: network credentials stolen from Target’s HVAC supplier. The attack highlights how important it is for financial organizations to have a well thought-out program to mitigate third-party cyber risk.

Regulators are taking a closer look at third-party risk management, so employing best practices is not just prudent but a regulatory expectation as well.

Five Key Steps to Develop a Third Party Risk Management Program

Developing a risk management program doesn’t have to be difficult. There are five key points to consider in a plan, and several vendors and services can help you work through them.

  1. Organize Internally. This means bringing together all teams that have an impact on, or are impacted by, your cybersecurity or your dealings with third-party vendors. This would most likely include your legal, compliance, IT, and procurement teams.
  2. Identify and Prioritize Key Parties. Credit unions should consider any third party that has either a direct network connection to your organization or access to sensitive data. This would include, but is not limited to, your primary payment processor, largest software vendor, law firms, consulting firms, and benefits administrator. When prioritizing vendors, start from your most sensitive data, likely your members’ financial data, and rank third parties by the level of access each has to that data.
  3. Evaluate Your Vendors’ Security. This is traditionally done in a number of ways, such as questionnaires, vulnerability scans, and audits. If you are not sure where to start, Shared Assessments offers, for a fee, standardized questionnaires to send your partners regarding their cybersecurity efforts. If you are interested in developing your own questionnaire, the NIST Cybersecurity Framework is a good place to start. You can also audit your partners yourself, though companies will often share documentation of audits they have already undergone.
  4. Communicate. The importance of clearly communicating your expectations to your partners should not be overlooked. This should be done not only in writing, in forms such as contracts, but verbally as well. Develop a strong dialogue about your security concerns that continues throughout the partnership rather than happening once at launch. The cybersecurity landscape changes daily, so it is important for you and your partners to discuss where you are headed and how to stay ahead of the curve.
  5. Continuously Monitor Vendor Performance. This is another point not to be overlooked. Questionnaires and audits give you only a snapshot of a company’s security posture at one point in time; actual security is far more fluid than that. NAFCU has partnered with BitSight Technologies as a preferred provider of monitoring services. BitSight essentially works like a credit rating service for cybersecurity: it continuously gathers and processes externally observable security data and assigns each company a Security Rating that indicates how strong its security practices are.

For more detailed information on developing a third-party cyber risk management plan, you can check out NAFCU’s webinar with BitSight Technologies here or download BitSight’s white paper on the topic.

What Brands Can Do to Circumvent Social Hacking

Originally published on ClickZ.com

Guest post by Sundeep Kapur, Author, Digital Evangelist and Director of Strategic Marketing for NCR Corporation.

A simple heist. I went for an afternoon stroll in my grandparents’ neighborhood (Mumbai, India) when I literally bumped into a young man on a bicycle. The “bump” slowed him down, I heard the words “thief,” and saw a group of people chasing him – the young man was caught. The strategy used by these thieves was innocent: young men play ball, the ball enters your community, three young men enter your community to look for the ball, two men steal stuff, a small truck meets them on a distant road, and they are off!

It happens online too. You get a “connection” request on social media. (I use the word connection to imply no one particular social media channel; it could be Facebook, Twitter, Google+, or even LinkedIn.) It’s from a brand you know. You join the forum and start paying attention to the discussions. You soon notice a couple of individuals who are actively involved on this brand’s page and are receiving “affirmations” (likes/endorsements/retweets) from the brand. You then get a friend request to connect personally, you accept, and you end up downloading something malicious.

Your personal information is harvested and the trouble begins.


Data Breach Preparedness and Response – A Handy “How-To”

With the recent headlines about yet another data breach affecting credit unions and their members, I wanted to point you to a resource that might help you respond effectively, because this isn’t the first data breach and it certainly won’t be the last.

We’ve posted a recording and accompanying slides from a Data Breach Preparedness presentation from the 2012 NAFCU Technology and Security Conference for your information, as you consider how to address this most recent incident. The presentation was given by Christine El Eris, Director, Product Management for Affinion Group (one of our Preferred Partners, for ID Theft solutions), and focuses on best practices for responding to members, partners and stakeholders during and after a breach. Not surprisingly, Christine stresses the importance of putting steps in place in advance and provides tools and guidelines for breach preparation and response.


Tips to Prevent Identity Theft

It’s scary how easy it is for criminals to get at our personal information; as technology improves, so do the skills of fraudsters. In fact, I find myself being what some think is paranoid: triple-checking for the https in online shop URLs, and shredding almost everything with my name on it. I mean, look what happened to Sandra Bullock in The Net; if that could happen in the 90’s, just think of what’s possible now!

As trusted financial advisors, it’s imperative that credit unions help educate members about what they can do to prevent their own identity theft and the losses that often accompany it. Not to mention, the more careful your members are, the less risk your credit union has of incurring losses due to identity theft. (Check out the landmark case involving Comerica Bank and your potential liability from a phishing scam.)

We teamed up with our Preferred Partner for identity theft, Affinion Group, to gather some key tips for you and your members to help prevent identity theft.
