All of the authorities -- bank regulatory rules and guidance, the PCI Data Security Standard (PCI DSS) and state data security laws -- strongly emphasize the need to conduct pre-contract due diligence and, to some extent, ongoing monitoring of a vendor's security measures as part of the financial institution's vendor risk assessment obligations. Therefore, if a contract doesn't specifically contain vendor audit and monitoring rights, and the vendor is uncooperative, a financial institution may not be able to meet is compliance obligations.
The FDIC's Guidance on Managing Third-Party Risk and OCC Bulletin 2001-47, as well as the FFIEC's Outsourcing Technology Service IT Examination Handbook, all explicitly provide that important vendor contracts must reserve the right to audit or obtain suitable independent audit reports (such as a SAS 70) on the vendor's controls and performance under the contract. The OCC Bulletin, for example, states, "[r]eports should also include a review of the third party's security program and business continuity program." The FFIEC handbook goes even further, stating that where the services contracted for involve access to open networks such as the Internet, the institution should consider "contract terms requiring periodic control reviews performed by an independent party with sufficient expertise. These reviews may include penetration testing, intrusion detection, reviews of firewall configuration, and other independent control reviews. The institution should receive sufficiently detailed reports on the findings of these ongoing audits to assess security adequately without compromising the service provider's security."
Accordingly, a well-written vendor audit provision should give the financial institution the ability to audit the vendor's security program and data environment at least annually and, where the vendor has possession of a significant amount of sensitive data, should permit onsite visits to the data environment as well as testing of security measures and controls. If the vendor has possession of cardholder data as defined by PCI DSS, the financial firm's audit rights should also encompass yearly validation of PCI DSS compliance.
Some vendors may balk at this audit requirement and complain that it risks disruption to their business or compromise of other clients' data in a shared hosting environment. Such arguments should be treated skeptically. Companies that build a business around providing outsourced transaction and/or data storage services to regulated organizations should expect and be equipped to deal with vendor audit and vendor monitoring requests; indeed, compliance is an essential part of the product they are marketing. Moreover, the language quoted above from the FFIEC handbook clearly contemplates rigorous auditing and testing of controls in higher-risk relationships. With respect to shared hosting environments, Requirement 2.4 and Appendix A of PCI DSS prescribe specific logical separation requirements for such settings in order to minimize the risk that one customer's access and use of its data will impinge upon another customer's data access or security.
Where there is an impasse with a vendor over audit rights, obtaining audit reports, such as SAS 70's from the vendor's own independent auditors, may be a workable compromise, provided that the auditor is suitably qualified in the information security field, the audits are conducted at least annually, and all relevant network and system protections and controls are contained within the scope of the audits.
About the author:
Andrew M. Baer is an attorney with long experience in technology, e-commerce and information security matters relating to the financial industry. He is the founder of Baer Business Law, LLC (www.baerbizlaw.com), a Philadelphia firm focused on providing clients with cost-efficient business counseling and transactional assistance, particularly in the areas of technology and intellectual property law. He can be contacted at email@example.com.
HOW TO MANAGE SECURITY RISKS IN VENDOR CONTRACTS
Vendor contract management: Regulatory guidance is risk-based
Vendor audit and monitoring contractual rights
Data breach protection: Implementing vendor breach safeguards
Vendor risk management: process and documentation