One of the most important processes in cybersecurity for financial institutions today is third-party due diligence. However, it is also one of the most burdensome. There are ways to make the process easier.

  1. Focus on Critical Third Parties
    Institutions should identify which third parties are truly important. Ask yourself: “What is the worst possible impact if a third party is breached or goes out of business?” If the answer is “no impact,” record that as the inherent risk of the third party and move on to the next one.
  2. Collect Only Essential Documents
    Stop trying to collect documents that you would not share with your own customers. If a customer asked for a copy of your information security program, disaster recovery plan, strategic plan, or business continuity plan, you would likely decline, as these documents could be dangerous in the wrong hands. Why expect a vendor to provide these? Remember that possessing well-written policies does not guarantee that a third party has implemented them.
    Focus on collecting documents that demonstrate, through third-party audits, that a vendor has sound practices in place and is willing to contractually commit to being secure. Reviews of the vendor environment by a qualified third party (such as SOC 2 reports or other assessments) are most useful. These indicate that someone with access to all the documents the vendor refuses to send has tested the key controls and confirmed their implementation. Contracts are also important, as they show the vendor’s willingness to legally commit to controls.
  3. Align Due Diligence with Your Own Controls
    Start with the controls in your own information security policy and ask whether the third party has those controls in place. Due diligence should assess whether a vendor adheres to your requirements—not just their own. For example, if your program requires regular vulnerability assessments and remediation, review the SOC 2 report to see if the auditor observed these activities. If your program requires a business continuity plan, check if the SOC 2 auditors reviewed the third party’s plan. If any controls cannot be verified by the SOC 2 report, follow up with the third party for clarification.
  4. Review Deficiencies and Responses
    Look for any deficiencies identified by the SOC 2 auditor and review the third party’s responses. Are the responses reasonable, and do they show that the third party took the deficiency seriously? Or did the third party simply minimize its importance without remediation?
  5. Pay Attention to Contract Clauses
    Finally, the recent Final Interagency Guidance on Third-Party Relationships from regulators focuses heavily on contracts. Yet, many third-party management programs ignore the contract or only require a “legal review.” The problem is that a lawyer may not look for the clauses required by regulators unless specifically asked. Spend time reviewing the guidance and provide a list of required clauses to the lawyer, or conduct a separate review for these clauses. For example, the guidance states that contracts for third parties with access to sensitive information should specify “when and how the third party will disclose, in a timely manner, information security breaches or unauthorized intrusions.” If nobody is specifically looking for this clause, it may be missed.

By following these steps, your third-party management program will likely become more focused and less burdensome. If you need further assistance, Bedel Security® has developed a comprehensive third-party management process for customers and can help you get up to speed quickly. Don't hesitate to get in touch with us for more information!
