BreachExchange mailing list archives
FDIC: Improve Vendor Management
From: Jake Kouns <jkouns () opensecurityfoundation org>
Date: Tue, 10 Sep 2013 13:23:09 -0400
http://www.bankinfosecurity.com/fdic-improve-vendor-management-a-6053

Federal regulators are urging banking institutions to pay more attention to vendor management in light of recent breaches, such as one that compromised core processor Fidelity National Information Services, better known as FIS.

During a recent Community Bankers Advisory Committee meeting in Washington, D.C., examiners from the Federal Deposit Insurance Corp. stressed the obligations banks and credit unions have to ensure that the vendors they use maintain adequate levels of security.

Regulators regularly examine certain vendors to ensure that sensitive information is sufficiently protected through the use of encryption and other technologies. The vendors include those that have contracts with banks for core banking services or that provide services covered under the Bank Service Act. The institutions that use those companies' products and services should request reports on those examinations and follow up to ensure security mandates are being met, regulators say. Due diligence is the responsibility of the institution, not the examiner.

"If you review a report and you see issues, then you should follow up with the vendor to find out what they have done," Kevin Pearson, an FDIC IT Examiner, said at the advisory committee meeting.

Many vendors will provide quarterly updates to financial institutions about their security compliance, based on internal audits they conduct, he noted. But it's up to banks to request these updates and then carefully review them.

Regulators are prohibited from disclosing what they discover during an exam of a vendor unless a severe security flaw that exposed customer data is found, Donald Saxinger, a senior IT examination specialist within the FDIC's Division of Risk Management Supervision, said at the meeting.

"When we do find problems with a service provider, our goal is to get that written in a report to ensure they let their customers know," he said.

But that's the extent of regulators' authority. This is why regulators encourage banks to conduct due diligence and take their own steps to ensure vendors address security gaps, says Al Pascual, a financial fraud analyst with consultancy Javelin Strategy & Research.

"The hope is that ... by encouraging greater oversight of vendors by their FI [financial institution] clients, the pressure brought to bear by FIs will incentivize vendors to quickly and thoroughly address deficiencies," Pascual says.

Community institutions, which typically rely heavily on core processors and other third-party service providers, can find it difficult to hold those companies accountable for security lapses and breaches, he adds.

"Threats to take business elsewhere are rarely made," Pascual says. "The time and resources required to replace a vendor's products, especially those of a larger vendor who can often be providing a number of different products to business lines throughout a single institution, can be immensely prohibitive."

Impact of Breaches

But as third-party breaches become increasingly common, all banking institutions will be forced to take on more responsibility for vendor management, says Michael Versace, a risk and IT infrastructure specialist at data analysis firm International Data Corp.

"Vendor management is part of GRC [governance, risk management and compliance], and that's the bank's responsibility," he says. "Banks need more automated auditing for their vendor-management relationships. They need to design compliance into all of their outsourced relationships, but many are not doing that. Banks right now are not doing enough of their own due diligence."

In June, security blogger Brian Krebs reported that an examination conducted by the FDIC had determined the 2011 network hack that compromised FIS' network exposed high risk information. The examination also found that the breadth of the breach was much wider than FIS first publicly reported in May 2011, Krebs reported.

Now, community banking institutions are questioning why banking regulators have failed to quickly share concerns about significant security flaws identified during examinations.

_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/