BreachExchange mailing list archives

FDIC: Improve Vendor Management


From: Jake Kouns <jkouns () opensecurityfoundation org>
Date: Tue, 10 Sep 2013 13:23:09 -0400

http://www.bankinfosecurity.com/fdic-improve-vendor-management-a-6053

Federal regulators are urging banking institutions to pay more
attention to vendor management in light of recent breaches, such as
one that compromised core processor Fidelity National Information
Services, better known as FIS.

During a recent Community Bankers Advisory Committee meeting in
Washington, D.C., examiners from the Federal Deposit Insurance Corp.
stressed the obligations banks and credit unions have to ensure that
the vendors they use maintain adequate levels of security.

Regulators regularly examine certain vendors to ensure that sensitive
information is sufficiently protected through the use of encryption
and other technologies. The vendors include those that have contracts
with banks for core banking services or that provide services covered
under the Bank Service Act.

The institutions that use those companies' products and services
should request reports on those examinations and follow up to ensure
security mandates are being met, regulators say. Due diligence is the
responsibility of the institution, not the examiner.

"If you review a report and you see issues, then you should follow up
with the vendor to find out what they have done," Kevin Pearson, an
FDIC IT Examiner, said at the advisory committee meeting. Many vendors
will provide quarterly updates to financial institutions about their
security compliance, based on internal audits they conduct, he noted.
But it's up to banks to request these updates and then carefully
review them.

Regulators are prohibited from disclosing what they discover during an
exam of a vendor unless a severe security flaw that exposed customer
data is found, Donald Saxinger, a senior IT examination specialist
within the FDIC's Division of Risk Management Supervision, said at the
meeting.

"When we do find problems with a service provider, our goal is to get
that written in a report to ensure they let their customers know," he
said. But that's the extent of regulators' authority.

This is why regulators encourage banks to conduct due diligence and
take their own steps to ensure vendors address security gaps, says Al
Pascual, a financial fraud analyst with consultancy Javelin Strategy &
Research.

"The hope is that ... by encouraging greater oversight of vendors by
their FI [financial institution] clients, the pressure brought to bear
by FIs will incentivize vendors to quickly and thoroughly address
deficiencies," Pascual says.

Community institutions, which typically rely heavily on core
processors and other third-party service providers, can find it
difficult to hold those companies accountable for security lapses and
breaches, he adds.

"Threats to take business elsewhere are rarely made," Pascual says.
"The time and resources required to replace a vendor's products,
especially those of a larger vendor who can often be providing a
number of different products to business lines throughout a single
institution, can be immensely prohibitive."

Impact of Breaches

But as third-party breaches become increasingly common, all banking
institutions will be forced to take on more responsibility for vendor
management, says Michael Versace, a risk and IT infrastructure
specialist at data analysis firm International Data Corp.

"Vendor management is part of GRC [governance, risk management and
compliance], and that's the bank's responsibility," he says. "Banks
need more automated auditing for their vendor-management
relationships. They need to design compliance into all of their
outsourced relationships, but many are not doing that. Banks right now
are not doing enough of their own due diligence."

In June, security blogger Brian Krebs reported that an examination
conducted by the FDIC had determined the 2011 network hack that
compromised FIS' network exposed high risk information. The
examination also found that the breadth of the breach was much wider
than FIS first publicly reported in May 2011, Krebs reported.

Now, community banking institutions are questioning why banking
regulators have failed to quickly share concerns about significant
security flaws identified during examinations.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/