The global financial services sector has faced increased competition over the last 10-15 years, driven in part by the emergence of fintech and smaller, more nimble institutions. To build an operating environment that provides a competitive advantage, institutions have increasingly outsourced business areas that were historically performed in-house, in order to reduce cost and gain long-term efficiencies.
The ability to scale, enhance operational synergies and run technology platforms that keep pace with customer expectations, product sophistication and evolving distribution channels will be key to sustaining business growth, remaining flexible and adapting to market changes.
Third-Party Risk Management
While outsourcing business areas and IT processes provides many benefits, it also requires enhanced oversight and assessment of third-party risks.
Effective third-party risk management processes are critical, as many data breaches have been carried out through vendors connected to a financial institution’s infrastructure. This has led regulators to become increasingly concerned about third-party risk management practices. For example, in 2017 a financial institution acknowledged a data breach that exposed the personal information of 20,000 of its customers after a third-party vendor uploaded a file to a server without adequate cybersecurity protections. In the same year, another financial institution was compromised through one of its third-party vendors, exposing 400,000 customer loan accounts.
A recent survey revealed that at least 53% of organizations have experienced a data breach due to a vendor’s security shortcomings, at an average remediation cost of $7.5 million. Due diligence, ongoing monitoring and confirmation that vendors maintain a strong internal control environment are therefore central to a proper third-party risk management program. Such a program reduces the frequency and severity of data breaches, data leaks and cyber-attacks, protects sensitive data (such as PII, PHI and intellectual property), and supports business continuity.
What You Can Do
Risk officers should assess and monitor third-party vendors, ensuring they maintain a control environment that processes complete and accurate information and has controls in place to effectively protect your data. A key differentiator among competing vendors is the ability to demonstrate that internal controls exist over the services they provide. A System and Organization Controls (“SOC”) report provides that insight and stakeholder assurance, establishes the credibility and trustworthiness of a vendor, and gives you the context needed to determine how much risk is involved.
Third Party Risk Management Program
SOC reports are designed to provide information on the following main components:
Internal Controls – The controls the vendor has in place over the systems and services it provides to you. This section describes the vendor’s control structure and helps you understand its operating environment.
Test Procedures and Results – An independent examination of the vendor’s controls and the results of that testing, which provides assurance that the control environment is operating as intended. A SOC examination can only be performed by an independent Certified Public Accounting firm. The auditor’s opinion, as well as any exceptions noted, are included in the report. Note that only a Type 2 report includes tests of operating effectiveness over a review period (typically six to twelve months); a Type 1 report covers the design of the controls at a single point in time and gives no assurance that they operated over time.
Your Responsibilities – Controls the vendor assumes you will implement (known as Complementary User Entity Controls, or CUECs) for its control objectives to be achieved. When using a vendor, certain controls remain your responsibility (e.g. managing user access rights, timely communication of issues, etc.), and the report lists which of these the vendor relies on.
Fourth-Party Vendors – Vendors must identify the subservice organizations they rely on to deliver the service (your fourth parties). A vendor may either include those organizations’ controls in its own report (inclusive method) or carve them out, in which case the report describes how the vendor monitors them and which controls it expects them to maintain.
There are significant differences between the various types of SOC reports that are not obvious. The two most common are SOC 1 and SOC 2, each with a different purpose: a SOC 1 report covers controls at the vendor that are relevant to your internal control over financial reporting, while a SOC 2 report covers the operational and security controls described below.
SOC 2 Report
The SOC 2 report is directed toward non-financial controls. SOC 2 reports are important for organizational oversight, vendor management programs, risk management processes, and regulatory oversight. The controls covered by a SOC 2 report are evaluated against the Trust Services Criteria, which are organized into five Trust Services Categories (TSC). Security is required in every SOC 2 report; the other four categories are included only if the vendor chooses to have them examined, so check which categories are actually in scope:
Security – information and systems are protected against unauthorized physical and logical access that could affect the vendor’s ability to meet its objectives; risks are communicated to senior management, and procedures are in place to monitor employees, contractors and vendors.
Availability – information and systems are available for operation and use as committed or agreed.
Processing Integrity – system processing is complete, valid, accurate, timely, and authorized.
Confidentiality – information designated as confidential is protected as committed or agreed.
Privacy – personal information is collected, used, retained, disclosed, and destroyed in conformity with the vendor’s privacy notice and its commitments to you.
Risk management can be a challenging task, especially in the face of new and growing threats. The protection of sensitive data and ensuring your vendors can fulfill their principal service commitments and system requirements is essential to reducing your exposure to unforeseen risks.
You should obtain, review and evaluate the SOC reports of your vendors on a regular basis, at least annually and whenever the service changes. It is critical to understand the services being provided, the effectiveness of the vendor’s controls, the controls you need to implement to complement your vendor’s security commitments, and how all of this affects your organization. In practice, that means checking the auditor’s opinion (whether it is unqualified), the report type and the period it covers (and obtaining a bridge letter from the vendor if that period ended well before your review), the exceptions noted and management’s responses to them, whether the systems and locations in scope match the services you actually use, the CUECs mapped against your own controls, and any subservice organizations that were carved out.
By doing this, you will gain a better understanding of the risks posed by vendors and what actions you need to take to address those risks effectively.
Mazars USA LLP is an independent member firm of Mazars Group, an international audit, tax and advisory organization with operations in over 90 countries. With roots going back to 1921 in the US, the firm has significant national presence in strategic geographies, providing seamless access to 26,000+ professionals around the world. Our industry specialists deliver tailored services to a wide range of clients across sectors, including individuals, high-growth emerging companies, privately-owned businesses and large enterprises.
Mazars works as a single, integrated team, committed to helping our clients and people succeed by respecting who they are and how they work, adapting our approach accordingly. We take pride in what we do and are committed to playing our part in building the economic foundations of a fair and prosperous world.
For more information visit www.mazars.us/fs
Disclaimer of Liability
The information provided here is for general guidance only, and does not constitute the provision of legal advice, tax advice, accounting services, investment advice or professional consulting of any kind. The information provided herein should not be used as a substitute for consultation with professional tax, accounting, legal or other competent advisers. Before making any decision or taking any action, you should consult a professional adviser who has been provided with all pertinent facts relevant to your particular situation.