Posted by: David Schneier
Audit, bank, banking, compliance, FDIC, FFIEC, GLBA, NCUA, regulatory, Regulatory Compliance, requirements, risk, SAS 70, vendor, Vendor Management
A few years back we hired a local painting contractor to do some work around my house. Upon completing his sales spiel he announced that he often relies upon subcontractors for the less skilled work and wanted to be upfront about that before we entered into any sort of deal with him. Anyone he used was both legal and covered under his insurance, and so he assured us we needn’t worry that we were relying on illegal immigrants or exposing ourselves to any unusual risks. The first day of the project one of those subcontractors cracked the expensive glass top of our brand new oven and, true to his word, the contractor completely covered the cost of repair. What was interesting in hindsight was how much value the contractor placed upon being able to issue such guarantees up front and how he felt it was important to illuminate his dependency upon what we in the banking industry call third-party vendors. I wish all my business partners felt the same way.
Over the past few weeks I was stunned by the number of email mea culpas I received from a long list of companies I conduct business with and which were affected by the recent Epsilon email breach. For those not already in the know, Epsilon is a third-party vendor that specializes in email and digital marketing services for thousands of businesses and as a result has one of the largest collections of valid emails in the world. At some undisclosed point last month an undisclosed number of personal accounts were breached in a, yup, you guessed it, undisclosed manner. And because of the breach it’s quite possible that your name and email are now in the hands of someone who plans to use it for unauthorized or unwanted purposes.
I find it truly amazing how many companies I choose to conduct business with who in turn choose to conduct business with Epsilon. The breach by itself doesn’t overly concern me as my cadre of email addresses is already in widespread circulation and I can throttle what makes it all the way through to my inbox anyway. What does concern me is how many companies used this one outfit and how, despite having such a rich repository of personal information, it still allowed for conditions to develop that resulted in the loss of data. How could this happen, and why didn’t the nearly dozen companies I do business with and who were affected by the breach make absolutely certain that my information was safe?
But here’s the bigger question: Who else are they doing business with that I need to worry about?
Seriously, think about all the information you trust to your business partners, be it a credit card company, a utility company, a doctor’s office, your bank, your financial services firm or even your grocery store. Think about how many times you’ve filled out forms either online or in writing and turned them over to the long list of companies you routinely engage with. They all make a big deal about security and issue disclaimer after disclaimer about how they protect your information. But along comes a third-party vendor that they conduct business with and you no longer get to decide how your information is used or protected. They negotiate deals, conduct varying degrees of due diligence (and by varying it could range from almost none to remarkably extensive – but usually closer to none) and typically go with the deals that best serve their interests. And you haven’t a clue.
This is not a new type of risk either. Vendor management has long been a regulatory requirement and over the past few years has been receiving greater scrutiny from the examiners. But you’d be amazed by how many business entities and financial institutions I’ve encountered who either don’t do enough or don’t do anything meaningful at all to address this properly. I often encounter vendor management programs that are really just spreadsheet repositories with pitifully thin information and a lack of supporting documentation. And the majority of financial institutions tend to focus what efforts they do make on those vendors they deem as critical – whose number can usually be counted on one hand. I wonder how many of the companies affected by the Epsilon breach either had a vendor management program in place to manage that relationship or had Epsilon listed as a critical vendor. And if they did, what information did they collect to assess the related (and required) controls, and how did they arrive at the conclusion that they were properly managing sensitive data?
Remember, GLBA requires that the rules that govern how a bank manages non-public personal information (NPPI) also extend to the vendors that bank conducts business with. And so the Epsilon breach cannot be considered a separate and distinct breach; those institutions that use its services are directly responsible for what happened. What will likely occur should the issue be pressed is that Epsilon’s business partners will wave copies of a recent SAS 70 in the air and claim they did everything reasonable to protect their customers’ data. But the truth is that reports such as SAS 70s are more subjective than we’re led to believe and typically only prove that functioning controls are functioning – it’s rare to encounter a SAS 70 that details failed controls. And so you have to question who your business partner is in turn doing business with, because as a byproduct of that relationship you’re now also doing business with them even if you’ve never heard of them before.
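The two preceding paragraphs describe the practical failure: vendor inventories that are thin spreadsheets, attention limited to a handful of "critical" vendors, and due diligence that stops at filing a SAS 70. The script below is an added example, not code from the original post or from any institution it mentions; it shows the shape of a vendor inventory check in which the evidence expected of a vendor is driven by whether the institution shares NPPI with it, not by the spreadsheet's critical flag. The field names, evidence labels and sample vendors are all constructed for illustration and are not drawn from the page.

```python
"""Vendor inventory gap check (added example, not from the original post).

Assumptions, none of which come from the page: the Vendor fields, the
evidence labels and the sample inventory below are constructed for
illustration only.
"""
from dataclasses import dataclass, field

# Evidence every vendor relationship should have on file, regardless of tier.
BASELINE_EVIDENCE = {"signed_contract", "business_owner_assigned"}

# Extra evidence expected when the institution shares NPPI with the vendor,
# because the GLBA obligations follow the data to the vendor.
NPPI_EVIDENCE = {
    "data_protection_clause",     # contractual duty to safeguard the data
    "assurance_report_reviewed",  # a SAS 70 / SOC report actually read, not just filed
    "breach_notification_terms",  # the vendor must tell the institution about incidents
    "subcontractor_disclosure",   # who the vendor in turn shares the data with
}


@dataclass
class Vendor:
    name: str
    marked_critical: bool  # the spreadsheet's own "critical" flag
    receives_nppi: bool    # does the institution send it customer NPPI?
    evidence: set = field(default_factory=set)  # due-diligence artifacts on file


def required_evidence(vendor):
    """Evidence expected for this vendor, driven by the data shared, not the critical flag."""
    required = set(BASELINE_EVIDENCE)
    if vendor.receives_nppi:
        required |= NPPI_EVIDENCE
    return required


def evidence_gaps(vendor):
    """Sorted list of artifacts that are required but not on file for one vendor."""
    return sorted(required_evidence(vendor) - vendor.evidence)


def review_inventory(vendors):
    """Map each vendor name to its gaps; vendors with nothing missing are omitted."""
    report = {}
    for vendor in vendors:
        gaps = evidence_gaps(vendor)
        if gaps:
            report[vendor.name] = gaps
    return report


def overlooked_nppi_vendors(vendors):
    """Vendors that receive NPPI but were never marked critical.

    A program that only reviews "critical" vendors would skip these entirely,
    even though customer data flows to them.
    """
    return sorted(v.name for v in vendors if v.receives_nppi and not v.marked_critical)


# Constructed sample inventory (hypothetical vendors, not real companies).
SAMPLE_VENDORS = [
    Vendor("core-banking-host", marked_critical=True, receives_nppi=True,
           evidence={"signed_contract", "business_owner_assigned",
                     "data_protection_clause", "assurance_report_reviewed",
                     "breach_notification_terms", "subcontractor_disclosure"}),
    # Receives customer names and emails but was never flagged as critical,
    # and the file holds an assurance report but no contract protections.
    Vendor("email-marketing-provider", marked_critical=False, receives_nppi=True,
           evidence={"signed_contract", "business_owner_assigned",
                     "assurance_report_reviewed"}),
    Vendor("office-landscaping", marked_critical=False, receives_nppi=False,
           evidence={"signed_contract"}),
]


if __name__ == "__main__":
    for name, gaps in review_inventory(SAMPLE_VENDORS).items():
        print(f"{name}: missing {', '.join(gaps)}")
    print("NPPI vendors a critical-only program would skip:",
          overlooked_nppi_vendors(SAMPLE_VENDORS))
```

Run as a script, the check reports the marketing provider as missing its data-protection clause, breach-notification terms and subcontractor disclosure, and lists it as an NPPI vendor that a critical-only review would never look at. The subcontractor disclosure field is the point of the painting-contractor story: the inventory should record who the vendor in turn hands the data to, because that is who the institution is now doing business with.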
Ultimately what we need is for financial institutions and Corporate America to step up and adhere to the same standards as my aforementioned painting contractor. They need to offer full disclosure up front when they share your information with another business entity (and not just via veiled references that are poorly detailed in the fine print) and need to extend protection of that information in a way that’s more explicit than tacit. We should be able to trust that the handshakes we make and the relationships we enter into protect us in a seamless fashion. And this shouldn’t be something that’s done simply because a regulatory oversight agency makes them do it, but rather because it’s the right way to manage their relationships.
How is it that my painting contractor understands the value of full disclosure and extending trust to every facet of his business relationships but the Ivy League-ish educated leaders of America don’t?