How to Cultivate a Vendor Risk Management Strategy
In light of recent events in the CU industry, the Pure IT CISO team is sharing information on vendor risk management and what it looks like for our credit union partners.
Third-party vendors expose organizations to compliance risk if they violate governmental laws, industry regulations, or companies’ internal processes. Vendor non-compliance could subject the companies hiring them to massive monetary penalties. For example, Pure IT has implemented its own vendor risk mitigation strategies to ensure our company complies with the SOC2 auditing standard. SOC2 ensures that third parties protect their customers’ sensitive data from unauthorized access.
Internally, you may comply and have the necessary controls in place, but when you bring a third-party service provider into the mix, are you sure they meet your compliance and security requirements?
How to Get Started
Selecting a competent and qualified service provider is perhaps the most critical part of the outsourcing process. The process of choosing a vendor and determining their qualifications may vary in its formality and requirements for time and resources. If you do not have a documented vendor selection process, now is the time to start. While the creation process can be complex, it is easier when broken into five critical elements:
Security and compliance
Applicable experience and depth of bench
Robust change management practices
SLA flexibility and governance
To help, here are 7 Questions to Ask Third-Party Vendors to get you started with some of the basics.
In general, look for a provider who can clearly state what they do in terms of risk management, with documentation, SLAs, and a continuity plan to back it up. Being a good customer means collaborating while also demanding compliance, because you may be betting your business on the provider's ability to be secure and resilient.
Why does this matter?
Last month, a well-known technology supplier was the target of a ransomware attack that caused interruptions for about sixty credit unions. What can we learn from that event?
As reliance on third-party services such as technology and cloud vendors increases, so does the risk of picking a vendor that does not meet the requirements of your compliance programs. If the provider’s systems are compromised, the impact could include reputation and brand damage, fines or penalties, and remediation costs.
In general, there has been a surge in cyberattacks targeting credit unions, credit union service organizations (CUSOs), and other external providers of financial services. On September 1, 2023, the NCUA instituted new rules that require a federally insured credit union to notify the agency of a cyberattack within 72 hours. Since that time, 60% of reported cases have involved a third party.
Want more guidance?
Pure IT’s vCISO program helps credit unions holistically improve their security posture, from assisting with vendor selection to building incident response programs and crafting disaster recovery programs. Our experienced risk professionals are ready to help!