Why you should review additional due diligence documents for your critical vendors
Written by Josh Layne, VP of Vendor Management & Compliance
Your critical vendors can have a huge impact on your institution when something goes wrong. Obviously, this isn’t news. They’re critical to your operations and usually have direct access to, and use of, enormous amounts of non-public personal information. These vendors are crucial to your institution’s ability to serve your members or customers, and if something goes wrong, your members and customers won’t blame your vendor – they’ll blame you.
More care, focus and deeper dives are needed when critical vendors are involved, to ensure they can maintain service levels, minimize interruptions and have the capacity to manage through large-scale events. When reviewing and risk-assessing them, it’s not enough to evaluate only the key due diligence documents like insurance certificates, SOC reports and financials. You need to look at more.
Specifically, you should look at critical vendors’ BCPs, penetration testing reports and pandemic plans.
Maple Street always requests each of these in our due diligence document-gathering efforts. That doesn’t guarantee every critical vendor will provide, or even have, these documents (though they should), but we make every reasonable effort to secure them for you. When they are available, you should include these documents in your overall residual risk assessment.
Below are some general tips on what to look for in each document.
Business continuity plans
Business continuity plans, or BCPs, come in all flavors. They can also be tricky because they’re typically written by the vendor, and they range from very simple and generic, to the point of being almost useless, to very dense, detailed and difficult to interpret. Ideally, a vendor’s BCP should include the following sections:
- Roles and responsibilities – This ensures all areas are assigned an owner that will be responsible for completion of a required process.
- Succession plan – This ensures the vendor can continue to operate effectively when key personnel are unavailable.
- BIA (Business impact analysis) – This should include a description of each department’s functions and the impact on the vendor’s business should an interruption take place. It may document the resources that department requires to function, or ratings of the department’s criticality. Inclusion of a BIA demonstrates the vendor has considered each department and its areas of dependency in the overall flow of business during an interruption.
- Activation triggers/processes – Defined activation triggers are key to ensuring timely activation of the BCP or its parts. These activation triggers require notification to the vendor’s assigned staff and may include descriptions of potential incidents, extent of damage or disruption, external or internal support requirements, and estimated recovery times.
- Emergency procedures – This demonstrates the vendor intends to protect its personnel and property during an emergency, including securing its people and offices and protecting any critical or non-replaceable business assets.
- Testing requirements and results – Testing demonstrates the vendor is proactive in maintaining its BCP and can take corrective action as needed. Testing descriptions should state what is tested and how often, and should include the results and the corrective actions taken after each test.
Penetration testing reports and results
Like BCPs, penetration testing reports, more commonly called “pen tests,” can be very simple or very complex. The good news is that these tests are almost always performed, and the results written up, by a third party, which gives more weight and validation to their accuracy. When reviewing a pen test, the best reports will clearly outline the following areas:
- Executive summary for strategic direction – This provides a high-level view of both risk and business impact in plain English. It should be something that non-technical readers can review and gain insight into the security concerns highlighted in the report. Visual aids can also be helpful in getting complex points across clearly. Look for graphs, charts and similar visuals in communicating the summary data provided here.
- Walkthrough of technical risks – An accurate and contextualized explanation of the risks uncovered in the tests is important. It should cover not only the technical aspects but the business impact as well. The most valuable reports speak to every audience member in language they understand.
- Potential impact of each vulnerability – A breakdown of each vulnerability and how it specifically impacts the vendor. Identifying and estimating both the likelihood and the scope of impact of a breach, and factoring them into the overall risk rating, is a major component of an excellent report.
- Multiple vulnerability remediation options – A quality pen test report will list multiple recommended fixes, each detailed enough for the vendor’s IT team to make the necessary changes and updates.
Pandemic plans
Traditionally an afterthought, pandemic plans are more important than ever, as we’ve all experienced in recent months. When looking at a pandemic plan, we point to our certification program and the key components certified regulatory vendor program managers are taught to look for, and the questions they are taught to ask, which include:
- Plan Overview – Is it preventative and does it include outbreak monitoring processes? Does it include education and training for staff? Does it include staff accommodations for remote work? Does it include communication and coordination with the vendor’s critical vendor partners?
- Escalation Strategy – Does the plan outline an escalation strategy? Does it step up response processes from when a potential pandemic is identified to when (or if) staff are impacted, and does it account for the first and subsequent waves?
- Framework – Does the plan account for facilities, systems and procedures? Does it consider its customers’ reactions, including increased reliance on online services and transactions? Does the plan account for the infrastructure needed for increased reliance on communication technologies and remote support?
- Testing – Is the plan tested periodically, both as tabletop testing and real-world scenario testing? Are critical partners and/or customers included in testing efforts?
- Oversight – Does the plan show that an oversight program is in place, ensuring the plan is reviewed, updated and communicated to staff? This is particularly important for pandemic plans because pandemics are fluid in nature and guidance from government and regulatory agencies is constantly changing to adapt.
What you should do with your review results:
- Prioritize findings
- Escalate anything completely unacceptable – Vendor Watchlist
- Note anything needing future attention, follow-up – Due Diligence Notes
- Note anything impacting long-term vendor risk – Vendor Notes
- Use as a part of contract strategy like renegotiation or replacement, including as critical questions in an RFP
The bottom line: critical vendors can have a monumental impact on your credit union or community bank when things don’t go as planned. At Maple Street, our recommendation is to review these additional due diligence documents for those vendors. Does your institution need assistance? Call us at 800-513-6839 or email firstname.lastname@example.org to learn how we can help.