Financial Institutions Reap the Benefits by Forging Trusted Partnerships
Security Technology, August 2021
Financial institution customer loyalty is paramount and built on trust. A breach of trust that is highly publicized by the media can destroy a firm’s reputation and jeopardize the future of the financial institution. Any vendor that touches a financial institution’s network connected equipment connected poses a risk.
Seeking trusted vendor partnerships is nothing new. Often the definition of trusted vendors begins and ends with product and service pricing. Getting products and services at a fair price remains critical, but what other factors are even more critical to a trusted vendor partnership?
Trusted partnerships between financial institutions and vendors are an incredible value add for both. The foundation of trust between a financial institution and a vendor begins with the vendor understanding the financial institution’s culture, expectations, policies, and procedures, along with industry standards.
The next step is to determine if the vendor’s technician footprint aligns with the financial institution’s footprint. The vendor’s skilled technicians must be trained and certified. It is critical to select vendors that have a track record of retaining skilled talent to maximize quality. Annual vendor employee turnover should not exceed 15 percent. Avoiding high turnover provides the opportunity to maintain high quality.
An often-overlooked benefit is for long-term technicians to “know their customer.” Technicians that “know their customer” understand the culture of the financial institution they are serving, as well as know the people, facilities, equipment, equipment installation history, and equipment warranty information. This institutional knowledge benefits the vendor from a quality and customer service standpoint and benefits the financial institution with efficiency of repairs and keeping equipment operational.
The trusted vendor must also reduce risk for the financial institution by completing background checks on its employees and sub-contractors. If sub-contractors are utilized for a project, management and performance expectations should mirror the vendors’ and be transparent to the financial institution. No one wishes to have a vendor blame a sub-contractor for poor performance. The buck stops with the vendor.
A vendor’s finances should be explored to verify multiple years of strong financial performance and cash reserves. Vendors experiencing financial problems can cause many negative issues. These could include the loss of talented employees, difficulty acquiring equipment from manufacturers and suppliers, a disruptive transition to another vendor, or the closing of the vendor’s business.
A trusted vendor’s equipment must be hardened and tested to mitigate cyber and compliance risk. Vendor’s equipment and product offerings should include the following:
- Encryption capability
- Centralized patch management and firmware updates with remote capability
- Strong password management with no default passwords
- Open architecture and field serviceable product line
- Annual cyber penetration tests to verify protection level
A SOC2 Type 2 Audit Report
Financial institutions rely on a variety of technology to provide service to customers, facilitate transactions, and secure their assets. ATMs and ITMs, Teller Cash Recyclers, alarms and access control systems, and camera and video systems are integral to their operations but also often have vulnerabilities that can go undetected.
Vendors that install and/or service equipment connected to a financial institution’s network should complete a Service Organization Controls (SOC 2) Type 2 audit and possess the audit report as proof of successful completion. The audit was created by the American Institute of CPAs and is designed to create a report with detailed information and assurance about the controls at a financial service organization relevant to the security, availability, and processing integrity of the systems the organization uses to process users’ data.
SOC 2 Type 2 requires an annual independent third-party auditor to verify the vendor has controls and oversight in place that protect the financial institution’s data. Request a vendor share the third-party auditors’ annual final report as proof the vendor complies with all of the SOC 2 Type 2 requirements.
A high-level summary of the annual SOC 2 Type 2 audit scope is listed below:
- Networks and Infrastructure: Physical and hardware components are properly protected.
- Software: Programs and operating software are current along with virus protection.
- Employees: Appropriate level of access granted to employees involved in the operation.
- Policies and Procedures: Confirm the correct policies and procedures are in place, along with demonstrated compliance
- Information and Data: Information is protected, available when needed, and backed-up when necessary.
As the independent third-party auditors are completing the examination, they are verifying the following has been demonstrated by the vendor’s processes and controls:
- Information Security
- Data Classification and Confidentiality
- Privacy Protection
- System Integrity
- System Accuracy and Availability
One critical component of the SOC 2 Type 2 audit is the vendor controls on their employees’ computer devices. These controls include, but are not limited to, prohibiting certain application downloads or website access, operating system patching, and updated virus protection.
Imagine for a moment a vendor that is not SOC 2 Type 2 certified and is not diligent about patching its technician’s computer operating system and updating the technician’s virus protection. The technician might accidentally download ransomware while searching the Web at lunch, and then infect the credit union’s network while completing diagnostics and repair services.
With the rapid growth of network connected devices and equipment in financial institutions, requiring vendors that install and service network connected equipment to comply with SOC2 Type2 requirements is a must. This is especially important for vendors that provide infrastructure services or network connectivity.
Many financial institution leaders remain unclear or unaware of the process, benefits, and protections afforded by a SOC 2 Type 2 report. It is incumbent upon the trusted vendor to share the requirements and benefits of a SOC2 Type2 report with financial institution senior leadership. Getting a group of senior leaders together is always a challenge from a calendar perspective but taking advantage of online tools that were used during COVID-19 may help with that. Online webinars are a great way to provide benefits and insights of the SOC2 Type2 to a group and the group benefits from questions and answers offered by attendees and presenters.
There have been multiple cyberattacks recently such as the costly ransomware incidents targeting pipelines, healthcare institutions, and municipal governments. The Kaseya ransomware attack is a timely example of when SOC2 Type2 controls would have reduced or mitigated impacts of the exploited vulnerability. In the case of the Kaseya ransomware incident, hackers exploited a vulnerability that permitted authentication with the Kaseya system and then a clear path to core controls for ransomware attacks on on-premises Kaseya managed service provider (MSP) customers. MSP customers with proper controls in place may have been able to block the ransomware, or by having early warning, powered down their server to prevent the ransomware from spreading.
Effective Vendor Agreements
Institutions should review their vendor contract agreements to make sure they include provisions to mitigate the current risk landscape and contribute to quality service. The following are recommended for high-performing agreements:
- Risk-based response times
- Rewards for quality
- Accurate response /resolve SLA reports for maximum product uptime
- Annual preventative maintenance visit
- Quarterly vendor meetings to review performance
- Effective vendor feedback
- Process for improving unacceptable vendor performance
- 30-day termination, no penalty clause
The 30-day termination, no penalty clause is a trend being utilized by service providers who are confident in their performance and dedicated to earning business every day. These agreements are more like a month-to-month agreement. When a vendor knows it can essentially be terminated at any time, its service levels and response times stay at a very high level.
Vendors should be expected to partner with financial institution’s planning and future technology roadmap for implementing innovative technology, automation, and remote technologies. Some great examples of this strategy are migrating from appliance-based network video recorders that are marketed as an all-inclusive unit with hardware, software, licensing, and operating system to an open architecture system that allows software to be loaded on a broad range of hardware and operating systems. A trusted vendor should assist the customer with identifying business requirements for video systems. IT professionals should also provide business requirements because the current trend is to treat networked security systems as technology assets for patching and firmware updates. The business requirements are compared to systems available in the marketplace for a selection tailored to the institution.
Vendors often provide services to other financial institutions and perhaps even other sectors. This exposure provides the vendor an expanded view of different risk mitigation strategies and use of technologies or automation. The technology section is often testing an implementing new security technology ahead of the traditionally more conservative financial sector. By leveraging the lessons learned during the early adoption of new technologies within the technology sector, the financial sector could accelerate testing and approval of the new technology.
Vendors should electronically track a financial institution’s technology assets or equipment and advise when a current platform or equipment has reached the end of life and replacement is prudent. The vendor can then:
- Work with the firm to determine requirements for the new platform.
- Locate available platforms that match the requirements.
- Assist with acquisition of the new platform.
- Develop a plan for platform or equipment rollout, installation, and user training plan.
Now is a great time to conduct analysis of your current vendor engagements. Are your current vendors trusted partners? Have you verified your vendors are SOC 2 Type 2 certification? Do your current vendors offer advice to improve the technology performance of platforms and equipment? These questions should be top-of-mind and will help you on your path to building a trusted partnership.
Steve Ryker, CPP, is the vice president of compliance and risk at Cook Solutions Group.