Tips For Selecting An IT Service Provider For Financial Institutions

In today's ever-evolving world of technology, it's common for financial institutions to outsource many of their IT needs, such as banking software and systems, and day-to-day technical support for employees. In fact, utilizing a third-party provider can allow you to save time and enable you to focus on growing your business, instead of managing technology. In many cases it makes sense to leverage third-party experts, because their services can make you more efficient and often reduce costs.

When you're deciding on partners, you want to ensure that you're making the right choice and choosing an organization that is stable, trustworthy, and good at what they do. To do that, it's critical that you request a vendor due diligence report from the third-party vendor. This can provide increased confidence and clarity that the vendor you're considering working with is financially stable, ethical, and compliant with your industry's specific regulations and standards. Once you've chosen a provider, it's also important to conduct these reviews with your provider on a regular or annual basis, so you can ensure the organization is still in good standing and in compliance with regulatory standards.

Here are some additional tips and questions you should use to help you select an IT service provider.

SOC2 Report

If you're using an IT or data processing service provider for "mission critical" services, you must obtain a Service Organization Control (SOC) 2 Report from your service provider. Established by the American Institute of Certified Public Accountants, SOC2 is the industry-recognized auditing standard for service organizations to demonstrate that they have adequate security controls and other process controls designed and in place.

The SOC2 Report focuses on an organization's non-financial reporting controls as they relate to the Trust Service Principles of security, availability, processing integrity, confidentiality, and privacy. Each principle has a set of predefined controls that must be met to demonstrate adherence to the principle.

Example: A service provider with a SOC2 Report addressing the Trust Service Principle of security provides an entity with a description of the service provider's systems and controls. It assures customers that the service organization maintains the confidentiality of its customers' information in a secure manner and that the information will be available when needed. The system is protected against unauthorized access, both physical and logical.

A SOC2 Report is a regulatory requirement for financial institutions that replaced Statement on Auditing Standards (SAS) 70. The standards of Section 501(b) of the Gramm-Leach-Bliley Act (GLBA) require that financial institutions protect the security and confidentiality of their customers' non-public personal information. Bank regulators will look for a SOC2 Report to assess compliance with the GLBA requirement that measures have been taken to oversee third-party service providers, ensuring adequate security controls have been implemented to safeguard customer information. Make sure your service provider is SOC2 compliant and can provide you with proof that they are certified.

Service Level Agreements (SLAs)

SLAs are an essential part of every technology service provider contract. An SLA will lay out the exact requirements and expectations for service, including the work provided and its quality. It is necessary that your third-party vendor provide you with an SLA. If you don't have one, now is the time to get one.

15 QUESTIONS TO ASK YOUR VENDOR

1. How do you specifically protect customer information?
2. Describe the process you have in place to communicate to us security incidents affecting our data.
3. Have you ever experienced a cybersecurity incident or data breach? Please define and describe each event in the past five years.
4. What processes do you have in place to prevent the exfiltration of sensitive data, particularly sensitive customer data like ours?
5. How do you monitor your third-party service providers?
6. How frequently are your employees trained on your IT security policies, and do you use automated assessments?
7. What were the results of your most recent vulnerability assessment or penetration test?
8. How do you plan for and train for a cybersecurity incident? What processes do you have in place to respond to an incident? Do you regularly practice those things?
9. Do you conduct regular external and internal tests to identify vulnerabilities and attack vectors, including penetration testing, red team exercises, or vulnerability scanning?
10. Where is your data located and how is it protected?
11. Do you have/use a data center (co-location or other)? If so, what controls are in place for information security?
12. What types of physical protection do you have in place to prevent unauthorized access to data or infrastructure assets?
13. How do you manage remote access to your corporate network?
14. Do you have a data recovery capability?
15. Do you have a disaster recovery plan? Describe it.

While you may be hesitant to use a third-party service provider or resistant to seeing if your current provider has these options available, the benefits can pay off immensely for your organization. Knowing that your vendors are compliant and trustworthy is essential for your organization to grow and thrive, and third-party solutions can help you save time, cut costs, and stay secure. Could your business benefit from outsourced services?

Rob Griffith

Rob Griffith is an Account Executive for Aureon, focusing his attention on the Aureon Technology business unit.
Over the past 8 years Rob has worked exclusively with small to midsize businesses with an emphasis on the banking vertical. His focus has been helping companies with data center strategy, security and compliance.