All of the authorities -- bank regulatory rules and guidance, the PCI Data Security Standard (PCI DSS) and state data security laws -- strongly emphasize the need to conduct pre-contract due diligence and, to some extent, ongoing monitoring of a vendor's security measures as part of the financial institution's vendor risk assessment obligations. Therefore, if a contract doesn't specifically contain vendor audit and monitoring rights, and the vendor is uncooperative, a financial institution may not be able to meet is compliance obligations.
Accordingly, a well-written vendor audit provision should give the financial institution the ability to audit the vendor's security program and data environment at least annually and, where the vendor has possession of a significant amount of sensitive data, should permit onsite visits to the data environment as well as testing of security measures and controls. If the vendor has possession of cardholder data as defined by PCI DSS, the financial firm's audit rights should also encompass yearly validation of PCI DSS compliance.
Some vendors may balk at this audit requirement and complain that it risks disruption to their business or compromise of other clients' data in a shared hosting environment. Such arguments should be treated skeptically. Companies that build a business around providing outsourced transaction and/or data storage services to regulated organizations should expect and be equipped to deal with vendor audit and vendor monitoring requests; indeed, compliance is an essential part of the product they are marketing. Moreover, the language quoted above from the FFIEC handbook clearly contemplates rigorous auditing and testing of controls in higher-risk relationships. With respect to shared hosting environments, Requirement 2.4 and Appendix A of PCI DSS prescribe specific logical separation requirements for such settings in order to minimize the risk that one customer's access and use of its data will impinge upon another customer's data access or security.
Where there is an impasse with a vendor over audit rights, obtaining audit reports, such as SAS 70's from the vendor's own independent auditors, may be a workable compromise, provided that the auditor is suitably qualified in the information security field, the audits are conducted at least annually, and all relevant network and system protections and controls are contained within the scope of the audits.
About the author:
Andrew M. Baer is an attorney with long experience in technology, e-commerce and information security matters relating to the financial industry. He is the founder of Baer Business Law, LLC (www.baerbizlaw.com), a Philadelphia firm focused on providing clients with cost-efficient business counseling and transactional assistance, particularly in the areas of technology and intellectual property law. He can be contacted at firstname.lastname@example.org.
HOW TO MANAGE SECURITY RISKS IN VENDOR CONTRACTS
Vendor contract management: Regulatory guidance is risk-based
Vendor audit and monitoring contractual rights
Data breach protection: Implementing vendor breach safeguards
Vendor risk management: process and documentation
This was first published in September 2009