Cook once again meets the criteria set by the AICPA Assurance Services Executive Committee to be compliant with SOC 2 Type 2 information security regulations. To obtain the seal and maintain compliance, service providers are required to pass an audit based on specific regulations for the vendor’s type of industry. The standards we are required to meet are based on the SOC 2 Type II criteria. SOC 2 reports specifically address one or more of five key trust services principles: security, availability, processing integrity, confidentiality, and privacy. Digging deeper, the principles are defined as:
- Security – The system is protected against unauthorized access (both physical and logical);
- Availability – The system is available for operation and use as committed or agreed;
- Processing integrity – System processing is complete, accurate, timely and authorized;
- Confidentiality – Information designated as confidential is protected as committed or agreed;
- Privacy – Personal information is collected, used, retained, disclosed and disposed of in conformity with the commitments in the entity’s privacy notice, and with criteria set forth in Generally Accepted Privacy Principles (GAPP) issued by the AICPA and CICA.
FIs MUST ENSURE VENDORS HOLD A SOC 2 TYPE 2 AUDIT REPORT.
THE NEW INDUSTRY REQUIREMENT
With new industry requirements and ever-increasing cyber threats, it has never been more important to require that the vendors installing and servicing your network-connected assets complete an annual SOC 2 Type 2 audit.
By: Levi Daily, Chief Technology Officer & Steve Ryker, CPP, VP of Compliance & Risk
Many financial institution leaders remain unclear or unaware of the process, benefits, and protections afforded by a SOC 2 Type 2 report. This is especially important for vendors that provide infrastructure services or network connectivity. There have been multiple cyberattacks recently. Had the controls required by a SOC 2 Type 2 report been in place, proactive alerts would have signaled the attacks, allowing immediate mitigation steps to take place. As we are all aware, financial institution customer loyalty is paramount and built on trust. A breach that is highly publicized by the media can destroy hard-earned trust and jeopardize the future of the financial institution. Any vendor that touches a financial institution’s network-connected equipment is a source of risk. One recent example was a video system on which the default passwords had never been changed, giving the attackers easy access.
SOC 2 TYPE 2 REPORT SHOULD BE REQUIRED
Vendors that install and/or service equipment connected to your financial institution’s network should complete a Service Organization Controls (SOC 2) Type 2 audit and possess the audit report as proof of successful completion. SOC 2 Type 2 requires an annual independent third-party audit to verify that the vendor has controls and oversight in place that protect your credit union’s data. Request that your vendor share the third-party auditor’s annual final report as proof that the vendor complies with all SOC 2 Type 2 requirements. A high-level summary of the annual SOC 2 Type 2 audit scope is listed below:
- Networks and Infrastructure – physical and hardware components are properly protected
- Software – programs and operating software are current, along with virus protection
- Employees – appropriate level of access granted to employees involved in the operation
- Policies and Procedures – confirm that the correct policies and procedures are in place, along with demonstrated compliance
- Information and Data – information is protected, available when needed, and backed up when necessary
As the independent third-party auditors complete the examination, they verify that the vendor’s processes and controls demonstrate the following:
- Information Security
- Data Classification and Confidentiality
- Privacy Protection
- System Integrity
- System Accuracy and Availability
One critical component of the SOC 2 Type 2 audit is the vendor’s controls over its employees’ computer devices. These controls include, but are not limited to, prohibiting certain application downloads or website access, operating system patching, and updated virus protection. Imagine for a moment a vendor that is not SOC 2 Type 2 certified and is not diligent about patching its technicians’ computer operating systems and updating virus protection. A technician accidentally downloads malware while browsing the web at lunch, then infects the credit union’s network while completing diagnostics and repair services. Some common equipment and services that have been blind spots are:
- Cameras and video systems
- Alarm & Access Control
- ATMs & ITMs
- Teller Cash Recyclers (TCR)
- Remote Managed Services of any kind
- Server Hosting
Note: Most vendors servicing or connecting to these systems have NOT been properly SOC 2 Type 2 tested, leaving a huge risk hole for the FI (remember that it was an HVAC vendor’s access that led to the Target breach).
EFFECTIVE VENDOR AGREEMENTS
Review your vendor contract agreements to make sure they include provisions to mitigate the current risk landscape and contribute to quality service. The following are recommended for high-performing agreements:
- Risk-based response times
- Rewards for quality
- Accurate response/resolve SLA reports for maximum product uptime
- Annual preventative maintenance visit
- Quarterly vendor meetings to review performance
- Effective vendor feedback
- Process for improving unacceptable vendor performance
- 30-day termination, no penalty clause
The 30-day termination, no penalty clause is a trend among service providers who are confident in their performance and dedicated to earning your business every day. Such agreements function more like month-to-month arrangements; when a vendor knows it can be terminated at essentially any time, its service levels and response times stay very high.
Vendors should be expected to partner with your financial institution’s planning and future technology roadmap for implementing innovative technology, automation, and remote technologies. Vendors often provide services to other financial institutions and perhaps even other sectors. This exposure gives the vendor an expanded view of different risk mitigation strategies and uses of technology or automation. The trusted vendor should routinely share this information with your institution. Some examples include:
- Implementation and use of artificial intelligence
- Use of video analytics
Vendors should electronically track a financial institution’s technology assets and equipment and advise when a current platform or piece of equipment has reached end of life and replacement is prudent. The vendor can then:
- Work with the credit union to determine requirements for the new platform
- Locate available platforms that match the requirements
- Assist with acquisition of the new platform
- Develop a plan for platform or equipment rollout, installation, and user training
Trusted partnerships between financial institutions and vendors are an incredible value add for both. The foundation of trust between a financial institution and a vendor begins with the vendor understanding the financial institution’s culture, expectations, policies, procedures, along with industry standards. The next step is to determine if the vendor’s technician footprint aligns with the financial institution’s footprint. The vendor’s skilled technicians must be trained and certified. It is critical to select vendors that have a track record of retaining skilled talent to maximize quality. Annual vendor employee turnover should not exceed 15%.
The trusted vendor must also reduce risk for the financial institution by completing background checks on its employees and sub-contractors. If sub-contractors are used for a project, management and performance expectations should mirror the vendor’s own and be transparent to the financial institution. No one wishes to have a vendor blame a sub-contractor for poor performance. The buck stops with the vendor.
A vendor’s finances should be examined to verify multiple years of strong financial performance and cash reserves. Vendors experiencing financial problems can cause many negative outcomes, including the following:
- Catastrophic closing of the vendor’s business
- Loss of talented employees
- Difficulty acquiring needed equipment from manufacturers and suppliers
- The financial institution having to make an unexpected and disruptive transition to another vendor
A trusted vendor’s equipment used to conduct its business, and the equipment it markets to financial institutions, must be hardened and tested to mitigate cyber and compliance risk. The vendor’s equipment and product offerings should include the following:
- Encryption capability
- Centralized patch management and firmware updates with remote capability
- Strong password management with no default passwords
- Open architecture and field serviceable product line
- Annual cyber penetration tests to verify protection level
Now is a great time to conduct an analysis of your current vendor engagements. Are your current vendors trusted partners? Have you verified that your vendors have a SOC 2 Type 2 audit report? Do your current vendors offer advice to improve the technology performance of platforms and equipment? A Vendor Due Diligence Checklist is available to assist in your evaluation of existing or future vendor engagements.