Ssae 16 Reports

Vendor Management

The risks of Vendor Management and Outsourcing are numerous and complicated

A large number of critical processes are outsourced that contain customer and employee non-public information, along with the financial institution’ s intellectual property in many cases

Upon outsourcing you have countless risks; reputation and brand risks, security breaches and regulatory compliance concerns.

All of above; costs the financial institution money from legal liability, business interruption and compliance fees to name a few!

Vendor Management

Also have the issue of vendor relationships are scattered throughout the business units at the bank

Legal risks associated to lack of visibility into the vendor practices even if you get everything you would like into the contract

Information security issues at most banks lack the resources to monitor large number of potential security risks associated in-house, at the vendor, and at their vendors!

Vendor Management

How to Improve?

Vendor Management

Common knowledge are the requirements of a program including Service Providers, Third Parties and Subcontractors

Risk Assessment

Due Diligence/Documentation

Contracts

Monitoring

Vendor Management

Let’ s discuss some of the pitfalls or dilemmas we run into within each category

Risk Assessment

Due Diligence/Documentation

Contracts

Monitoring

Risk Assessment

A preliminary review should be performed upon every vendor. The philosophy they have been a long term vendor they warrant no review is flawed.

A list of all vendors should be maintained and reviewed annually. Without a preliminary and annual you may miss:

If the long term vendor has NPI you have no way of knowing how that data is being retained, secured or disposed of without performing a risk assessment.

Without the risk assessment you may miss the fact your contract with this long term vendor is obsolete for GLBA, cybercrime and other compliance requirements.

You may miss identifying the vendor’ s technology is outdated and vulnerable to the weekly attacks we all see.

Risk Assessment

We all agree the risk assessment needs to be tempered for the relationship.

We typically recommend an initial review of each vendor looking at five categories.

NPI
Financial
Operational/Impact
Reputation
Compliance

Build your risk assessment based on your findings above.

Risk Assessment

A risk assessment should also be performed for any prospective vendor or changed relationship.

Business change (merger and acquisitions)

Product change

Controls are changed

Regulations are changed (even if your contract states they will remain in compliance)

Risk Assessment

The Business Owner (Contract) is responsible for the Vendor and the Risk Assessment process.

If there are multiple relationships/contracts, all employees should be involved because the risks may vary by service.

Assign one employee as the primary. They are responsible to pull the team together.

The vendor management of a vendor should not be delegated to an employee unfamiliar with the vendor and the related processes.

Risk Assessment

Define and document up front the responsibilities of:

Business Owner
Legal
Vendor Management facilitator
Information Security
IT
Audit
Risk Management
Compliance

Risk Assessment

Require these employees to sign off on the risk assessment. If they are required to sign you will see a great deal more time and concern from them!

A big complaint is the time this process takes due to the number of vendors and the involvement of so many departments. Look at the time and costs your financial institution undergoes when something happens! It is worth the time.

Security Breach and customer reputation risk, notification, insurance and legal liability
Poor product implementation and impact upon IT infrastructure, security and compliance re-working!

Centralize the contracts and identify the business processes for DD and BCP.

Risk Assessment NPI

When reviewing NPI during the risk assessment make sure to identify the level and volume of NPI but also who is providing the NPI to the vendor.

Financial Institution?
Consumer?

What is the consumer’ s perception of the relationship? Do they realize they are providing information to a third party or feel it may be a division of the bank?

NPI and Reputation risk
Call Centers & Mortgage & Investment Services

Risk Assessment Reputation

Recent example of ATM branding vendor.

The machine does not notify the customer that the machine is not owned or operated by the financial institution. So, what is the customer to think?

The bank does not have any control over who has access for cash replenishment or maintenance to the machines.

Typically, the security controls at the stores in which the machines reside is very limited.

Risk Assessment Reputation

Will the customer blame the store or the financial institution in the situation of a security breach?

Will the bank’ s insurance cover a security breach?

A review of the vendor contract identified some concerns for the financial institution.

SLA regarding maintenance and uptime was not tied to a measurement period and no penalties or credits were identified if SLA’ s were missed.

Indemnification provision was too narrow and did not include verbiage for if any claim was made against FI as a result of Vendor’ s performance under agreement. Also did not include a provision regarding cybercrime, loss of data.

Risk Assessment NPI

Confidentiality provision was too narrow and did not address GLBA/NPI compliance although BIN numbers are provided.

Confidentiality provision did not address the retention, destruction and/or return of confidential information upon the termination of the agreement.

Contract was missing a provision giving the ability to audit the vendor/ or have access to vendor’ s audit reports. (subcontractors) Also the ability to audit the site of the ATM machines.

Risk Assessment Government

Fannie Mae and Freddie Mac

FHFA’ s annual examination program assesses Fannie Mae’s and Freddie Mac’s¬†financial safety and soundness and overall risk management practices.

Fannie Mae’s and Freddie Mac’s¬†financial condition, earnings, liquidity, and efforts taken to mitigate losses in its single-family and multifamily portfolios.

Assess their response to continued stress in the mortgage markets and its effect on their¬†risk profile, performance, and condition.

Risk Assessment Government

Reporting Framework¬†

Use a specific¬†framework¬†to summarize examination results and conclusions to¬†Fannie Mae’s and Freddie Mac’s¬†board of directors and Congress is known as GSEER, which stands for Governance, Solvency, Earnings, and Enterprise Risk (enterprise risk comprises credit, market, and operational risk management).

www.fhfa.gov/SupervisionRegulation/FannieMaeandFreddieMac.
¬†

Risk Assessment
Other Risk Questions to think of:

Identify All related vendors and subcontractors. You are responsible for the due diligence of all related parties.

This includes understanding the NPI and reputation risks associated with all vendors touching the NPI. More discussed under GLBA session.

What are their Security Breach notifications and Incident response plans for all parties involved? Involve IT in this discussion!

Review vendor and third party open source software usage and Patent infringement (contract)

Risk Assessment
Other Risk Questions to think of:

Does the financial institution need additional insurance coverage for the services?

Has a cost benefit analysis been performed?

Any lawsuits or legal proceedings involving the vendor, third parties or subcontractors?

Has the financial institution performed a reference review? (refer to sample risk assessment form)

Risk Assessment
Other remaining Risk Categories:

Transactional
Credit
Interest Rate
Liquidity
Out of Country

Due Diligence & Documentation

If you have collected it, you are responsible to review it.

Business Continuity/Disaster Recovery Plan –

Is it current and applicable to the bank’ s service?

Most Recent BC/DR Test Results –

Testing at least annual, applicable to the bank’ s service and are the banks involved in testing? Is there any involvement from an independent third party?

Due Diligence & Documentation

Internal Audits Reports for GLBA, BSA, Red Flag Compliance

Most Recent Audited Financials

SSAE 16 Reports

Information Security Policies and Procedures

Current and includes all areas of security documented in a SSAE16

Due Diligence & Documentation

Current GL and E&O Insurance Certificates
Cybercrime if applicable

Most Recent Penetration/Vulnerability Test Results
Performed at a minimum of annually (depends on the service).

PCI DSS Compliance Certification

Privacy Policies and Procedures
Current and in compliance with Bank’ s requirements

Due Diligence & Documentation
Recommendations for Documentation based on Risks:

NPI = High
SSAE16 or like Security Policy
Privacy Policy
PEN Test

If not in contract:
Red Flag, GLBA, BSA, PCI
Security breach notification and Incident response
NPI disposal, retention, return
Confidentiality
Insurance

Due Diligence & Documentation

Recommendations for Documentation based on Risks:

Financial = High

– Audited Financials

Operational/Impact = High

– BCP/DR

SSAE16 Reports

Reports should be used to evaluate the vendors internal controls.

Report should be within two year period

Report should include relevant products

Exceptions and Management Responses and User Control Considerations should be reviewed, noted and documented.

Exceptions should be audited to ensure vendor is correcting vulnerabilities and maintaining security controls.

SSAE16 SOC1
SOC 1SM¬†Report¬† -¬†Report on Controls at a Service Organization Relevant to User Entities’ Internal Control over Financial Reporting (SSAE 16)

These reports, prepared in accordance with¬†Statement on Standards for Attestation Engagements (SSAE) No. 16, Reporting on Controls at a Service Organization, are specifically intended to meet the needs of the of entities that use service organizations (user entities) and the CPAs that audit the user entities’ financial statements (user’ auditors), in evaluating the effect of the controls at the service organization on the user entities’ financial statements.

User auditors use these reports to plan and perform audits ¬†of the user entities’ financial statements. ¬†¬†There are two types of reports for these engagements:

SSAE16 SOC1
SOC 1 Report¬† -¬†Report on Controls at a Service Organization Relevant to User Entities’ Internal Control over Financial Reporting (SSAE 16)

Type 2¬†- ¬†report on the fairness of the presentation of management’ s description of the service organization’ s system and the suitability of the design and operating effectiveness of the controls to achieve the related control objectives included in the description throughout a specified period.

Type 1¬†-report on the fairness of the presentation of management’ s description of the service organization’ s system and the suitability of the design of the controls to achieve the related control objectives included in the description as of a specified date.
Use of these reports is restricted to the management of the service organization, user entities, and user auditors.

SSAE16 SOC2
Report on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality or Privacy

These reports are intended to meet the needs of a broad range of users that need to understand internal control at a service organization as it relates to security, availability, processing integrity, confidentiality and privacy.

These reports are performed using the AICPA Guide:¬†¬†Reporting on Controls at a Service Organizations Relevant to Security, Availability, Processing Integrity,¬† Confidentiality, or Privacy¬† and are intended for use by stakeholders (e.g., customers, regulators, business partners, suppliers, directors) of the service organization that have a thorough understanding of the service organization and its¬† internal controls.
¬†

SSAE16 SOC2
Report on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality or Privacy

These reports can form an important part of stakeholders:
Oversight of the organization
Vendor management program
Internal corporate governance and risk management processes
Regulatory oversight

Similar to¬† SOC 1sm¬† engagement there are two types of report : Type 2, report on management’ s description of a service organization’ s system and the suitability of the design and operating effectiveness of controls; and Type 1, report on management’ s description of a service organization’ s system and the suitability of the design of controls.¬† These reports may be restricted in use.¬†¬†
¬†

SSAE16 SOC3
SOC 3SM¬†Report î Trust Services Report for Service Organizations

These reports are designed to meet the needs of users who need assurance about ¬†the controls at a service organization that affect ¬†the security, availability, and processing integrity of the systems used by a service organization to process users’ information ,and the ¬†confidentiality, or privacy of that information, but do not have the need for or the knowledge necessary to make effective use of a SOC 2 Report.

These reports are prepared using the AICPA/Canadian Institute of Chartered Accountants (CICA)¬†Trust Services Principles, Criteria, and Illustrations for Security, Availability, Processing Integrity, Confidentiality, and Privacy.¬† Because they are general use reports, SOC 3 reports can be freely distributed or posted on a website as a SysTrust for Service Organizations seal.¬†
SSAE16 SOC1
SOC 3SM¬†Report î Trust Services Report for Service Organizations

For more information about the SysTrust for Service Organization seal program go to www.webtrust.org.

Unlike a SOC 1 report, which is only an auditor-to-auditor communication, SOC 2 Reports are generally restricted use report¬† (at the discretion of the auditor using the guidance in the standard) and ¬†SOC 3 Report (in all cases) will enable the service organization to share a general use report that would be relevant to current and prospective customers or as a marketing tool to demonstrate that they have appropriate controls in place to mitigate risks related to security, privacy, etc.¬†

** American Institute of CPA’ s www. Aicpa.org

SSAE16 Determination
When determining which SOC to require for a vendor consider the following areas:

What level of Operational/Impact, NPI and Reputation Risk has been assessed?

What is the availability of the service? Is it in-house, private server, data center, public cloud?

Are there any restrictions for the service? Time of usage, employee and vendor access, etc.

SSAE16 Determination

What are the known security controls? Are they adequate in comparison to the NPI and Reputation Risk rating?

What are the potential confidentiality issues that could arise? Security breach, loss of data by vendor or employee, disgruntled employee, etc.

What is the customer usage level for the service?

What are the legal ramifications of loss or data or service interruption?

Red Flags

Be cautious if you run into any of the following during Risk Assessment or Documentation review:

Incomplete answers to your questions.

Confidential, we can’ t share?

We have to run it by legal and get back to you.

IS Policies are not based on any accepted security standard (ISO27001).

Red Flags

Be cautious if you run into any of the following during Risk Assessment or Documentation review:

No formal security awareness training program noted for employees and subcontractors.

Old documentation such as Privacy policy.

Difficulty providing the overall material.

Monitoring

Review all due diligence documentation. Question if reports are not being updated at a minimum of every two years

Review of Penetration Test results (more during IT session

Monitor vendors with NPI risk for any changes in volume, data changes
Encryption
New technology for sending files
Remote access
Employee terminations

Annual Reporting Five Components
Annual report of High risk vendors should include:

Vendor Overview

Vendor Risk Level Assessment

Operational Review

Legal/Regulatory Review

Conclusion

Annual Reporting 1. Vendor Overview
Service provided

Location of vendor corporation

If it is publicly traded or not

Experience in the financial industry

Number of other financial institutions using vendor

General reputation of the Vendor