By Brad Putnam
When I was working for a large financial institution back in the late 1990s, vendor management, as a regulatory requirement, was just beginning to become a big deal. Examiners were beginning to push vendor management, even though they really couldn’t define what it was or which vendors should be managed.
Institutions reacted by sending out huge questionnaires, requests for documentation, and demands for SAS70s. Some vendors tried to respond as best they could to the clamor of hundreds of unique client requests. Some simply ignored them. Many vendors had to reevaluate their business model to accommodate the huge costs of a SAS70, and some just plain stopped working with financial institutions. Needless to say, the whole process for all involved was a painful and convoluted mess. Here we are over 10 years later and things haven’t changed all that much. Sure, the federal regulators have issued some broad guidance and requirements for institutions and their vendors, but they also placed responsibility for vendor management directly on an institution’s senior management and board of directors. Further, vendor management is now “third party management,” greatly broadening the scope of who an institution is required to scrutinize prior to contract and monitor over the life of the contract. The term “vendor management” now encompasses review and monitoring of any company that provides critical services, has any contact with non-public information (NPI), or has any contact with internal networks or software. In other words, it reaches well beyond an institution’s core processor and internet banking providers. We’re talking employee benefit providers (e.g. payroll, 401k, health/life insurance), business partners (e.g. partner brokerage and insurance companies), security providers, and more. The broadening of this definition has again left institutions scrambling, and a whole new slew of vendors and business partners reacting to the onslaught of vendor management requests.
All that said, vendor management is the right thing to do, and allocating resources to do it properly is imperative. The risks are simply too high not to. In today’s business environment, information blasts around the world in the blink of an eye, and we’ve seen evidence that there are thousands of people willing to steal it. Breaches occur daily due to human error, insider theft, social engineering and outright hacking. Millions of people have their personal information for sale on the black market, and ID theft continues to rise. If a business partner or vendor loses member or employee information, even if it isn’t used nefariously, those members and employees will hold accountable not the party who lost it, but the institution itself. By itself, a hit to an institution’s reputation is costly, but not nearly as costly as the hard costs involved after a breach. The Ponemon Institute recently pegged the cost per record lost at $250. It doesn’t take a huge breach for costs to rise into the millions, and don’t count on insurance covering it unless the institution has done at least the industry standard due diligence. Oh, and don’t forget about the visit from the examiner, who will most certainly be asking questions about the vendor management policy and program.
In these tight economic times, finding the internal expertise and money to create a vendor management program is no easy task. However, trying to create a vendor management program after a breach is guaranteed to be a lot more expensive and a lot more painful.
Thankfully, with the increased burden, we are also seeing an increase in solutions to help! Many options are available, from vendor management software to consulting to outsourcing the whole task. Whether you manage this process yourself or find a tool to assist, the message is: Do it today!
Brad Putnam is the CEO of Digital Compliance, LLC. The company manages outsourced relationships, compliance documentation and client information for both financial institutions and companies who serve the financial sector.