Compliance Corner

A Digital Compliance Article - by Brad Putnam

Vendor Management...doveryai, no proverai.
 

When negotiating missile treaties with the Russians in the run-up to the end of the Cold War, President Reagan often poked fun at his adversary with their own proverb: "doveryai, no proverai." The proverb translates to English as "trust but verify." So how do missile treaty negotiations relate to vendor management? So glad you asked!

Federal Regulators are now enforcing their standards of vendor due diligence and monitoring. They now insist that each financial institution "trust but verify" when monitoring the critical functions of every vendor that could have a significant impact on the institution's ability to function or survive. The days of viewing vendor management as a suggestion and simply trusting your vendors are gone. Federal Regulators have begun to move the technology checks and balances to the forefront. For example: in December of 2007 the FDIC issued a Financial Institution Letter (FIL) revising the IT Officer's Questionnaire to address vendor management and vendor oversight. Further, the NCUA held a "Key Examination Issues for 2008: Evaluation of 3rd Party Relationships and Strategic Planning" webinar in January of this year and released a new Letter to Credit Unions highlighting its release of a new questionnaire for evaluating third party relationships. In other words, Federal Regulators are giving you advance notice that if you haven't addressed vendor management at your institution, you had better move quickly.

The reasons for the recent uptick in the importance your Regulators place on vendor management are too many to list, so in the interest of time and mercy to my keyboard I will highlight only a few to emphasize why their attention to vendor management is not misplaced.

The cost of a data breach

In November of 2007 The Ponemon Institute released a study on the cost of a data breach. Researching data breaches from 2005-2006, they found that breaches by third parties cost significantly more than breaches a company experiences itself: $231 per record vs. $171 per record. To put that into perspective, a vendor for a financial institution recently lost 370,000 records, for a potential breach cost of $60-$85 million at those per-record figures. Even more worrisome, the Ponemon Institute found that breach costs for the Financial Services Industry were significantly higher than for any other industry, averaging $239 per record lost. In other words, it doesn't take a very large breach to reach your insurance cap.

Lost Business

A recent survey, also conducted by The Ponemon Institute, shows that 31 percent of respondents terminated their relationship with an organization as a result of a breach.  Further, an additional 57 percent said they lost trust and confidence in the organization. 

GLBA

The Gramm-Leach-Bliley Act specifically requires vendor management, and the Regulator Guidelines put Senior Management and the Board of Directors squarely on the hook for it. Has your board read this?

Increasing Legal Liability Risk

Most past class action lawsuits related to data breaches were dismissed because the plaintiffs were unable to show "actual" damages. However, in a recent court filing it appears that the definition of "actual" may be changing to include "an injury in the form of embarrassment, inconvenience, mental distress, concern for identity theft, concern for damage to credit report, concern for damage to financial suitability requirements in employment, and future substantial financial harm". Should this definition of damages prevail in the courts, you can expect breach costs to expand dramatically due to class action lawsuits.

Potential breach costs, loss of business, and Regulatory risks aside, financial institutions have a fiduciary duty to protect their clients' data. Now, I'm not standing on a street corner wearing a sandwich board with the words "The End Is Near" painted in bold letters. Yet. However, I think we can all agree that if the industry continues to lose data regularly, its customers will begin to lose trust and confidence in financial institutions as a whole. Regulators fear the potential for people to lose faith in their financial institutions and will do whatever they deem necessary at the Federal level to prevent it. While you may not be negotiating missile treaties with unfriendly countries, the financial services industry's entire business model is based upon managing risk, and any institution that ignores the risk its vendor portfolio represents does so at its own peril. There are plenty of examples in recent history where only trust was employed and a company is in dire financial straits, or no longer in existence, as a result of a data breach. Personally, I think President Reagan had a pretty good point.

That said, the question you must consider today is:

Have you Verified?

 

Brad Putnam

BPutnam@digitalcomply.com

President

Digital Compliance, LLC
