Authored by Timothy Kosiek and Mark Boettcher
Workshops and conversations at the recent Third Party Risk Management for Banks and Financial Services conference were heavily centered on companies regulated by the Office of the Comptroller of the Currency (OCC). Specific themes were incorporating best practices in vendor risk management (VRM) programs, retrieving information from privately held service providers, and understanding the importance of technology and cybersecurity risk assessments when using third-party vendors.
Incorporating VRM best practices
The OCC’s “Risk Management Guidance” bulletin, which requires national banks and federal savings associations to assess and manage the risks of third-party relationships, has been in effect since October 2013. Since the release of this mandate, institutions have been enhancing their compliance efforts. Many institutions shared best practices from their experiences, including whether to use a centralized or decentralized third-party risk management governance model, how to evaluate fourth parties, and strategies for obtaining information from private third parties.
Collecting information from private company service providers
In addition to implementing best practices, another major topic discussed was gathering information from private companies during the due diligence and third-party selection phase of a VRM program.
To conduct their due diligence, many banking institutions are requesting that third parties provide copies of their System and Organization Controls (SOC) reports to confirm that proper controls related to financial reporting and other risks are in place. If the vendor has not undergone a SOC report assessment, an alternative is to have it complete a questionnaire to determine what controls are in place. Although SOC reports are the preferred method for collecting additional information from vendors, no widespread solution has been developed to address the gaps between what SOC reports cover and the matters of concern to VRM groups.
Understanding cybersecurity and technology risks
Along with SOC 1, SOC 2 and SOC 3 reports, the American Institute of CPAs (AICPA) recently released a new type of SOC report, SOC for Cybersecurity. The increase in cyber-attacks targeting the vulnerabilities of third-party vendors underscores the importance of ensuring that third parties have a comprehensive cybersecurity risk management program. This new SOC report helps companies during the selection phase and can give assurance over certain aspects of a vendor’s cybersecurity controls. With states beginning to explore or implement cybersecurity regulations, the rules, frameworks and assurance over technology controls are areas that will continue to develop at a rapid pace over the next few years.
As with previous years, the Third Party Risk Management for Banks and Financial Services conference provided information about trends and hot topics to financial services institutions looking to enhance and improve their vendor risk management programs.
For more information on this topic, or to learn how Baker Tilly banking specialists can help, contact our team.