Problem solve Get help with specific problems with your technologies, process and projects.

Vendor audit and monitoring contractual rights

Federal regulations, state laws and industry standards all stress the need for financial institutions to audit and monitor third-party security as part of their vendor risk assessment. Consequently, third-party contracts must include vendor auditing and vendor monitoring rights.

All of the authorities -- bank regulatory rules and guidance, the PCI Data Security Standard (PCI DSS) and state data security laws -- strongly emphasize the need to conduct pre-contract due diligence and, to some extent, ongoing monitoring of a vendor's security measures as part of the financial institution's vendor risk assessment obligations. Therefore, if a contract doesn't specifically contain vendor audit and monitoring rights, and the vendor is uncooperative, a financial institution may not be able to meet is compliance obligations.

The FDIC's Guidance on Managing Third-Party Risk and OCC Bulletin 2001-47, as well as the FFIEC's Outsourcing Technology Service IT Examination Handbook, all explicitly provide that important vendor contracts must reserve the right to audit or obtain suitable independent audit reports (such as a SAS 70) on the vendor's controls and performance under the contract. The OCC Bulletin, for example, states, "[r]eports should also include a review of the third party's security program and business continuity program." The FFIEC handbook goes even further, stating that where the services contracted for involve access to open networks such as the Internet, the institution should consider "contract terms requiring periodic control reviews performed by an independent party with sufficient expertise. These reviews may include penetration testing, intrusion detection, reviews of firewall configuration, and other independent control reviews. The institution should receive sufficiently detailed reports on the findings of these ongoing audits to assess security adequately without compromising the service provider's security."

Accordingly, a well-written vendor audit provision should give the financial institution the ability to audit the vendor's security program and data environment at least annually and, where the vendor has possession of a significant amount of sensitive data, should permit onsite visits to the data environment as well as testing of security measures and controls. If the vendor has possession of cardholder data as defined by PCI DSS, the financial firm's audit rights should also encompass yearly validation of PCI DSS compliance.

Some vendors may balk at this audit requirement and complain that it risks disruption to their business or compromise of other clients' data in a shared hosting environment. Such arguments should be treated skeptically. Companies that build a business around providing outsourced transaction and/or data storage services to regulated organizations should expect and be equipped to deal with vendor audit and vendor monitoring requests; indeed, compliance is an essential part of the product they are marketing. Moreover, the language quoted above from the FFIEC handbook clearly contemplates rigorous auditing and testing of controls in higher-risk relationships. With respect to shared hosting environments, Requirement 2.4 and Appendix A of PCI DSS prescribe specific logical separation requirements for such settings in order to minimize the risk that one customer's access and use of its data will impinge upon another customer's data access or security.

Where there is an impasse with a vendor over audit rights, obtaining audit reports, such as SAS 70's from the vendor's own independent auditors, may be a workable compromise, provided that the auditor is suitably qualified in the information security field, the audits are conducted at least annually, and all relevant network and system protections and controls are contained within the scope of the audits.

About the author:
Andrew M. Baer is an attorney with long experience in technology, e-commerce and information security matters relating to the financial industry. He is the founder of Baer Business Law, LLC (, a Philadelphia firm focused on providing clients with cost-efficient business counseling and transactional assistance, particularly in the areas of technology and intellectual property law. He can be contacted at


  Vendor contract management: Regulatory guidance is risk-based
  Vendor audit and monitoring contractual rights
  Data breach protection: Implementing vendor breach safeguards
  Vendor risk management: process and documentation


Dig Deeper on Business partner and vendor security issues

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.