New! The Security Ratings report is now the Executive Report. Request your report to see enhanced analysis such as your rating, likelihood of ransomware incidents, and likelihood of data breach incidents.
OCC Guidance: Ongoing Monitoring & Third-Party Risk Management
Tags:
In October, the Office of the Comptroller of Currency (OCC) issued new guidance for banks regarding third party risk management, listing one of their reasons for issuing these guidelines as failure by the banks "to perform adequate due diligence and ongoing monitoring of third-party relationships." Current means of assessing third party security risk include annual audits and questionnaires, tools that are useful but which fail to provide the continuous, evidence-based assessments banks need to truly understand their vendor risk, especially when it comes to security risk management.
The OCC suggests that banks need to apply more resources towards evaluating the information security posture of their vendors. Specifically, it recommends that banks: "Determine whether the third party has sufficient experience in identifying, assessing, and mitigating known and emerging threats and vulnerabilities," and "Evaluate the third party’s ability to implement effective and sustainable corrective actions to address deficiencies...."
These recommendations may seem obvious, but recent studies have shown that many organizations (not just banks) fail to assess the security posture of their vendors before outsourcing data. The increase in data breaches suggests that current annual assessment methods do not provide enough visibility into the changing risks in third party networks to allow for proactive remediation. Ponemon states that the top error organizations make when outsourcing consumer data is not applying the same level of rigor to information security in vendor networks as they do in their own. With that in mind, the OCC's recommendation to banks that they apply more stringent practices and monitor third party security risk on a continual basis makes perfect sense. While many large financial institutions, some of which include Bitsight customers, have already been following this advice, we hope to see OCC's guidance promote better third party risk management across the financial services industry.