The Office of the Comptroller of the Currency (OCC) has outlined its third-party risk management requirements for United States national banks and federal savings associations in OCC Bulletin 2013-29. These risk management standards do not apply only to third-party vendor relationships; the OCC expects all banks to follow best third-party risk management practices, whether activities occur internally or through service providers.
This post summarizes these Vendor Risk Management (VRM) expectations and offers guidance for complying with these standards.
A Summary of the OCC's Ideal Third-Party Risk Management Process
According to OCC Bulletin 2013-29, a bank's Third-Party Risk Management program should:
- Have risk management processes in place that are commensurate with the level and complexity of third-party risks.
- Be capable of comprehensive oversight of all third-party relationships processing critical data.
- Clearly outline the bank's strategy for managing third-party risks, including details of how the third-party selection process considered operational risks and information technology risks.
- Identify inherent risks associated with third-party vendor activities.
- Perform proper due diligence when partnering with new third-party vendors.
- Complete written contracts detailing the rights, responsibilities, and expectations associated with using third parties.
- Have contingency plans in place to quickly terminate third-party relationships.
- The board of directors and senior management must ensure all third-party activities are performed safely and in compliance with applicable laws.
- Clearly define roles and responsibilities involved in the third-party risk management process.
- Have documentation and reporting processes in place to support the oversight, accountability, monitoring, and risk management of third parties.
- Undergo independent reviews to measure and determine that the bank's process aligns with its strategy and effectively manages risks.
- Community banks should follow risk management practices that are commensurate with the risk exposure of each third-party relationship.
Meeting the Third-Party Risk Management Requirements of the OCC
The OCC's third-party risk management expectations can be represented in a three-pillar compliance framework, where each pillar addresses a series of stages of the risk management lifecycle.
1. Documentation and Reporting
The documentation and reporting pillar consists of the due diligence phase of the third-party risk management lifecycle. This is where the inherent risks of a prospective vendor are evaluated and measured. It is a critical step in the Vendor Risk Management process because it determines whether a prospective vendor will be an asset or a liability that increases the risk of third-party breaches.
To comply with the OCC's documentation and reporting requirements, organizations in the financial services industry need to implement a process for accurately measuring the security posture of all prospective third-party partners.
A good process should include the following:
How UpGuard Can Help
UpGuard helps financial organizations streamline due diligence with the following features.
- A library of industry-leading risk assessments – UpGuard's library of risk assessments maps to popular frameworks and regulations, helping you identify compliance gaps that could indicate data breach vulnerabilities.
- Custom questionnaire builder – UpGuard's questionnaire builder allows financial institutions to customize their due diligence process based on their unique onboarding security requirements.
- Risk Assessments + Security Ratings – By combining point-in-time assessments with security ratings, UpGuard provides the most up-to-date reflection of a vendor's security posture, starting at the onboarding phase and continuing throughout the entire TPRM lifecycle.
2. Oversight and Accountability
The Oversight and Accountability pillar covers the following TPRM lifecycle phases:
- Contract Management
- Ongoing Monitoring
Contract Management
Besides setting service expectations by enforcing the use of contracts in all third-party relationships, the contract management process should clearly define all roles and responsibilities involved in Third-Party Risk Management. This establishes a framework for effective communication and collaboration between the parties involved in third-party relationships.
To comply with the contract management component of OCC Bulletin 2013-29, the following items must be addressed:
- Ensure an effective process is in place to manage risks related to third-party relationships.
- Develop and implement a risk-based policy that governs the third-party risk management process.
- Clearly define all roles and responsibilities involved in third-party risk management.
- Conduct due diligence on prospective third parties.
- Outline policies and processes for contract negotiations.
- Review and approve contracts with third parties.
- Perform ongoing monitoring of third-party relationships.
- Maintain appropriate documentation and reporting throughout the life cycle of all third-party relationships.
- Perform ongoing benchmarking of service provider performance against the contract or service-level agreement.
- Escalate significant issues to senior management.
- Ensure periodic independent reviews of third-party relationships and of the bank's third-party risk management process.
- Hold bank employees accountable within the business lines or functions that manage direct relationships with third parties.
- Perform periodic independent reviews of all TPRM processes involving critical activities. An internal auditor or an independent third party can perform these audits.
- Ensure all third parties conduct background checks on all individuals and entities with access to critical systems and confidential information, including senior management and subcontractors.
Continuous Monitoring
Continuous monitoring is the process of continuously scanning the attack surfaces of third-party service providers for emerging security risks. This process should ideally be capable of scoring vendors based on the severity of their security risks so that critical vendors can be prioritized in remediation efforts.
Because digital transformation keeps multiplying the number of potential data breach attack vectors, ongoing monitoring efforts should cover the widest possible area of the third-party attack surface.
Implementing the following action items will maximize the breadth of your risk monitoring scope, helping you comply with the ongoing monitoring component of OCC Bulletin 2013-29.
- Periodically assess existing third-party relationships to determine whether their outsourced processes involve a critical activity or significant bank functions.
- Deploy monitoring initiatives whenever outsourcing internal functions, ensuring they are commensurate with the level of risk and complexity of the relationship.
- Conduct regular on-site visits to fully understand the third party's operations and its ongoing ability to meet contract requirements.
- Ensure that bank employees have sufficient risk management guidance to identify potential third-party security risks.
- Pay particular attention to the quality and sustainability of the third party's controls, its ability to meet service-level agreements, performance metrics, and other contractual terms, and its compliance with legal and regulatory requirements.
- Ensure that ongoing monitoring adapts to changes in the level and types of risk over the life of third-party relationships.
- Assess changes to the third party's business strategy, reputation, compliance with legal and regulatory requirements, financial condition, insurance coverage, key personnel, ability to manage risk, and other critical areas of consideration.
- Escalate significant issues or concerns arising from ongoing monitoring to senior management.
- Community banks should have processes in place for identifying vendors processing critical activities and prioritizing them during monitoring efforts.
- Test the bank's controls for continuously managing risks from third-party relationships, particularly where critical activities are involved.
- Respond to issues when identified, including escalating significant issues to the board, based on ongoing monitoring and internal control testing results.
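The ongoing-monitoring items above call for scoring vendors by the severity of their findings, giving vendors that process critical activities the most oversight, and escalating significant issues to senior management. The following is an added example of how such a tiering and prioritization routine could be implemented; it is not UpGuard's code and not a method prescribed by OCC Bulletin 2013-29. The severity weights, tier thresholds, escalation rule and sample vendor records are all constructed assumptions for the illustration.

```python
"""Vendor tiering and remediation prioritisation for ongoing monitoring.

Added illustration, not UpGuard's code and not a method prescribed by OCC
Bulletin 2013-29. Tier rules, severity weights and the sample vendors below are
constructed assumptions for the example.
"""
from dataclasses import dataclass, field
from typing import Dict, List

# Assumed weights for open findings; a real programme would calibrate these.
SEVERITY_WEIGHT: Dict[str, int] = {"critical": 10, "high": 5, "medium": 2, "low": 1}
# Aggregate finding score at which a non-critical vendor is promoted to Tier 2 (assumed).
TIER2_FINDING_THRESHOLD = 10


@dataclass
class Vendor:
    name: str
    critical_activity: bool              # supports a critical activity / significant bank function
    inherent_risk: str                   # "high", "medium" or "low", from due diligence
    findings: List[str] = field(default_factory=list)  # severities of open monitoring findings


def finding_score(vendor: Vendor) -> int:
    """Weighted sum of the vendor's open findings."""
    return sum(SEVERITY_WEIGHT[s] for s in vendor.findings)


def tier(vendor: Vendor) -> int:
    """Tier 1 gets the most oversight. Criticality dominates; high inherent risk or
    accumulated findings can promote a non-critical vendor to Tier 2."""
    if vendor.critical_activity:
        return 1
    if vendor.inherent_risk == "high" or finding_score(vendor) >= TIER2_FINDING_THRESHOLD:
        return 2
    return 3


def needs_escalation(vendor: Vendor) -> bool:
    """A 'significant issue' for senior management: any critical finding, or a
    high finding at a Tier 1 vendor (assumed rule)."""
    return "critical" in vendor.findings or (tier(vendor) == 1 and "high" in vendor.findings)


def remediation_queue(vendors: List[Vendor]) -> List[str]:
    """Vendor names ordered for remediation: lowest tier number first, then
    highest finding score first, so critical vendors are worked before others."""
    return [v.name for v in sorted(vendors, key=lambda v: (tier(v), -finding_score(v)))]


def monitoring_report(vendors: List[Vendor]) -> Dict[str, dict]:
    """Per-vendor summary suitable for the documentation and reporting record."""
    return {
        v.name: {"tier": tier(v), "score": finding_score(v), "escalate": needs_escalation(v)}
        for v in vendors
    }


# Constructed sample inventory (not real vendors).
SAMPLE_VENDORS = [
    Vendor("core-banking-processor", True, "high", ["high", "medium"]),
    Vendor("payroll-saas", False, "medium", ["critical"]),
    Vendor("marketing-analytics", False, "high", ["low"]),
    Vendor("office-catering", False, "low", []),
]

if __name__ == "__main__":
    for name, row in monitoring_report(SAMPLE_VENDORS).items():
        print(f"{name:24} tier={row['tier']} score={row['score']} escalate={row['escalate']}")
    print("remediation order:", remediation_queue(SAMPLE_VENDORS))
```

Criticality is deliberately placed above the finding score in the sort key: a critical-activity vendor with a single high finding is worked before a non-critical vendor with more findings, which is what "prioritize critical vendors" means in practice. The thresholds would be tuned to the bank's own risk appetite.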
How UpGuard Can Help
UpGuard helps financial organizations comply with the Oversight and Accountability component of the OCC's TPRM criteria with the following features:
- Third-Party Attack Surface Monitoring – UpGuard continuously scans third-party vendors against a list of 70+ critical attack vectors, helping you instantly identify and address emerging third-party risks.
- Vendor Tiering – UpGuard's Vendor Tiering feature allows you to categorize vendors based on the severity of their security risks, helping you prioritize vendors at the most significant risk of suffering a data breach. This feature is especially useful for community banks since they are expected to prioritize critical vendors during monitoring processes.
- Trust Page – UpGuard's Trust Page feature simplifies contract management by offering a central repository for hosting all vendor contracts and any other relevant security documentation.
- Regulatory Compliance Risk Monitoring – By mapping vendor questionnaire responses to popular regulations, UpGuard identifies compliance gaps that must be addressed to avoid costly violations.
3. Independent Reviews
The Independent Reviews pillar addresses the following stages of the third-party risk management lifecycle:
Termination
Risk management is as important in the termination phases as it is in the onboarding phase of the TPRM lifecycle. Overlooked third-party connections in terminated vendor partnerships are dormant attack vectors that could facilitate a devastating data breach if they’re discovered by hackers. This is why it’s critical to decommission all end-of-life software.
Addressing the following action items will help you comply with the OCC’s third-party risk management principles in the termination phase of the TPRM lifecycle.
- Ensure that relationships terminate efficiently, whether the activities are transitioned to another third party, brought in-house, or discontinued.
- Have a plan to bring the service in-house if there are no alternate third parties in the event of contract default or termination, ensuring minimal customer impact during the transition.
- Address risks associated with data retention and destruction, information system connections and access control issues, or other control concerns that require additional risk management and monitoring during and after the end of the third-party relationship.
- Address handling of joint intellectual property developed during the arrangement.
- Manage reputation risks to the bank if the termination happens as a result of the third party's inability to meet expectations.
- Recognize that the extent and flexibility of termination rights may vary with the type of activity.
How UpGuard Can Help
UpGuard’s attack surface monitoring feature detects unmaintained internet-facing assets that should have been decommissioned during the vendor termination process. Visibility into those commonly overlooked attack surfaces mitigates the risk of suffering data breaches through the security risks of terminated vendors.
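The termination items above single out two controls that are easy to lose track of: information system connections that outlive the relationship, and data retention and destruction obligations that fall due after the contract ends. The following added example reconciles a connection inventory against a termination register to surface both; it is illustrative code written for this post, not UpGuard's product or the OCC's method. The record formats, the 90-day dormancy window and the sample entries are constructed assumptions.

```python
"""Termination-phase checks for dormant and orphaned third-party connections.

Added illustration, not UpGuard's code. The inventory formats, the 90-day
dormancy window and the sample records are constructed assumptions.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List


@dataclass
class Connection:
    vendor: str
    kind: str            # e.g. "vpn", "api_key", "sso_app", "sftp"
    last_activity: date  # last authenticated use seen in logs
    active: bool         # still enabled in the controlling system


@dataclass
class Termination:
    vendor: str
    terminated_on: date
    data_destruction_due: date      # contractual deadline for data return/destruction
    destruction_confirmed: bool     # written confirmation received from the vendor


def termination_exceptions(
    connections: List[Connection],
    terminations: List[Termination],
    today: date,
    dormant_after_days: int = 90,
) -> Dict[str, list]:
    """Reconcile live connections against the termination register.

    orphaned:            active connection still owned by a terminated vendor
    dormant:             active connection unused for more than dormant_after_days
    destruction_overdue: terminated vendor past its data-destruction deadline
                         without written confirmation
    """
    terminated = {t.vendor: t for t in terminations}
    report: Dict[str, list] = {"orphaned": [], "dormant": [], "destruction_overdue": []}

    for c in connections:
        if not c.active:
            continue  # already disabled; nothing left to decommission
        if c.vendor in terminated:
            report["orphaned"].append((c.vendor, c.kind))
        elif (today - c.last_activity).days > dormant_after_days:
            report["dormant"].append((c.vendor, c.kind))  # candidate for a decommissioning review

    for t in terminations:
        if today > t.data_destruction_due and not t.destruction_confirmed:
            report["destruction_overdue"].append(t.vendor)

    return report


# Constructed sample data (not real vendors or systems).
TODAY = date(2024, 6, 1)
SAMPLE_CONNECTIONS = [
    Connection("acme-loans", "vpn", date(2024, 1, 10), True),       # vendor terminated, VPN still on
    Connection("acme-loans", "api_key", date(2023, 12, 1), False),  # correctly revoked
    Connection("beta-payroll", "sso_app", date(2024, 5, 28), True), # current vendor, in use
    Connection("gamma-print", "sftp", date(2024, 1, 15), True),     # current vendor, unused for months
]
SAMPLE_TERMINATIONS = [
    Termination("acme-loans", date(2024, 2, 1), date(2024, 5, 1), False),
    Termination("delta-legacy", date(2023, 11, 1), date(2024, 1, 1), True),
]

if __name__ == "__main__":
    for category, items in termination_exceptions(SAMPLE_CONNECTIONS, SAMPLE_TERMINATIONS, TODAY).items():
        print(f"{category}: {items}")
```

The orphaned check is the one that matters most for the breach scenario described above: a VPN tunnel or API credential that stayed enabled after the contract ended. The dormancy check is a weaker signal and is meant to feed a review, not to trigger automatic revocation, since some legitimate integrations (year-end reporting, for instance) are used rarely.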
Planning
Though being addressed at the end of this post, the planning phase is actually the first stage of the TPRM lifecycle. This is where a bank assesses the security risks associated with a prospective vendor, confirms that their inherent risks fit within the corporate risk appetite, and outlines a third-party risk management plan ensuring a secure working relationship with that vendor moving forward.
When a bank decides to partner with a vendor, an independent reviewer should review all contracts and proposed TPRM strategies.
The following action items should be addressed to comply with the OCC’s third-party risk management standards within the planning stage.
- Develop a plan to manage the relationship as the first step in the third-party risk management process, particularly for contracts involving critical activities with third parties.
- Conduct due diligence on potential third parties before signing a contract to ensure that the bank selects an appropriate third party and understands and controls the risks posed by the relationship, consistent with the bank's risk appetite.
- Review the vendor's business continuity plan to determine the impact on your business should they suffer a data breach. These plans should be carefully assessed before any business arrangements are formalized.
How UpGuard Can Help
UpGuard’s managed TPRM service allows financial institutions to offload the entire Vendor Risk Management process to risk analysts. By entrusting UpGuard’s security experts with managing your TPRM processes, you can have confidence in the efficacy of your TPRM strategy for new and existing vendors.