Today I am writing to those who wish to sell their products or services to a financial institution. If you work at a financial institution, feel free to pass this on to any prospective vendors to help them understand your plight.
I recently worked with a bank that wanted to contract with a new service provider. The product the provider was offering was innovative and would have likely helped the bank grow. The problem was that the provider did not want to share any information about their security practices and did not have any attestation from an outside auditor that there were effective controls in place. We had to tell the provider that we were not going to purchase their product. During that conversation I came to the realization that those outside the financial services industry often do not understand what it is like in this industry.
If you want to sell your product or service to a financial institution, you need to put yourself in the shoes of that institution. Banks and credit unions are usually examined annually by government regulators. These exams can be intense, and the regulators can take action up to shutting down an institution if they find that there is not an adequate security program in place.
The exams include a review of how the institution assesses its third parties. No institution wants to be accused of not doing enough due diligence on their vendors, so you need to be prepared to demonstrate to the institution that you have a security program that is appropriate for your product or service if you want to do business with them.
When determining what level of scrutiny is needed to review a vendor, institutions need to consider the criticality of the product or service as well as what data that product or service will have access to. Criticality refers to whether your product could potentially interrupt services provided to the customers of the institution.
If you are providing a product or service that could seriously impact operations or will give you access to personally identifiable information of institution customers, you will be expected to prove that you have strong controls in place. This usually means that you will need to provide a recent SOC 2 Type II report that demonstrates that an outside auditor has reviewed your operations and has attested to their effectiveness.
The SOC 2 report needs to be for you, not for a data center that you house your servers in. If you do not have a SOC 2 report, you should be prepared to provide as much documentation as possible regarding the effectiveness of your information security program. This might include sharing your policies and other documentation, filling out a lengthy questionnaire, and attesting that you have specific controls in place. If you do not have a SOC 2 report and do not want to share information about your security program with an institution, you should not be surprised if you do not get their business.
The good news is that regulators are transparent about what their expectations are regarding sound security programs and service provider oversight. The Federal Financial Institutions Examination Council (FFIEC) provides booklets that outline regulator expectations, and these booklets are publicly available here: https://ithandbook.ffiec.gov/. If you are a vendor looking to sell to financial institutions, it is well worth the time it takes to review these booklets to ensure that you see the world from their perspective.
If you are a financial institution having difficulty with your third-party management program, you can email us any time at support@bedelsecurity.com. We regularly help institutions build programs and assess vendors.
Additional Resources
The Simple Vendor Management Program Quick Reference Guide
https://www.bedelsecurity.com/lp-simple-vendor-management-program-quick-reference-guide
The Problem We STILL See with Vendor Management
https://www.bedelsecurity.com/blog/the-problem-we-still-see-with-vendor-management
IT Risk Assessment vs Vendor Risk Assessment
https://www.bedelsecurity.com/blog/it-risk-assessment-vs.-vendor-risk-assessment-simplified
Managing Your Outsourced IT Provider
https://www.bedelsecurity.com/blog/managing-your-outsourced-it-provider