Outsourcing Technology Services – What’s the Risk?
Every day, banks are moving services from in-house to third parties. From the core processor to the Internet provider, financial institutions are offloading technology, ultimately enhancing the delivery of products and services to customers. However, without proper oversight, increased outsourcing will result in increased risk.
In December 2013, Target shoppers got an early holiday gift: news came out that 40 million credit cards were stolen through compromised point of sale (PoS) systems. The number of compromised cards was later revised to 70 million. How did the attackers access the Target network? Through a heating, ventilation, and air conditioning (HVAC) contractor.
Two months before the breach, attackers sent a phishing email to Fazio Mechanical, Target’s HVAC vendor. Password-stealing malware was attached to the email message, and someone at Fazio opened it. This malware stole credentials to an online vendor portal, allowing the attackers to access Target’s network via Fazio Mechanical. Once the attackers had access to Target’s network, getting access to the out-of-date point of sale (PoS) systems was trivial. The attackers quickly installed credit-card scraping malware on the terminals, ironically using Target’s own internal computer management software.
Retrieving the compromised card information was easy; the attackers used a Target computer system configured with a default login and password.
Interestingly, monitoring software installed on the network detected the attack; however, Target staff took no action once notified. Instead, Target found out about the attack when the Department of Justice contacted them.
There are many takeaways from this attack, but one that stands out is the lack of proper vendor management. Nearly every financial institution has similar risks; each has a connection to a core processor or third-party vendor, with a lack of monitoring or firewalling on most of these connections.
What are the steps you should take to reduce these risks and ensure a consistent approach to managing IT vendors?
Perform a Vendor/Outsourcing Risk Assessment.
Use a spreadsheet and assign risk levels. First, calculate risk based on the function outsourced, such as the sensitivity of data accessed, transaction volume, and criticality to the financial institution’s business. Then calculate risks related to the service provider: strength of financial condition, staff turnover, business continuity, etc. Finally, look at the risks associated with the technology used: reliability, security, and scalability to accommodate growth.
You may quickly determine that some of your outsourcing has more risk than the bank is willing to accept. Outsourced IT vendors commonly fall into this category, to the point that regulators are showing an increased interest in many IT vendors who perform critical services for a financial institution. The risk is partially due to IT vendors becoming more of a target for hackers. For over a year, the Chinese have been actively attacking Managed Service Providers (MSPs); once compromised, an MSP allows an attacker unlimited access to every customer of the MSP.
Select the Service Provider.
This process may look easy on the surface but can get very deep, based on the results of the risk assessment. The FFIEC action summary involves the following four tasks: evaluate the service provider in light of the institution’s needs, perform due diligence, ensure arm’s-length selection, and pay particular attention to Foreign-Based Third-Party Service Providers.
In 2014, Apple loaned $578 million to GT Advanced to produce large boules of sapphire, which would be used as incredibly scratch-resistant iPhone screens. GT Advanced filed for bankruptcy within months of beginning the manufacturing process. While many lawsuits were filed, an argument could be made for lack of vendor due diligence resulting in Apple’s loss of over a billion dollars.
When the relationship starts to unravel, the vendor isn’t performing, or a question arises as to service levels, nothing is more important than a properly written contract. Similar to the Service Provider selection process, the contract negotiation process can get very involved. From a regulatory perspective, the bank needs to ensure the proper compliance sections are included and enforceable. The major takeaway is to never sign a contract with a high-risk vendor without performing a legal review.
This step is cyclical and critical to ensuring consistent service and meeting expectations. It’s here that you’ll review Service Level Agreements (SLAs) and ensure contract provisions are met. Schedule reviews of the service provider’s financial condition, obtain proof of controls, and understand any changes in the provider’s environment. Review depth and frequency are directly related to the amount of risk involved.
These are the basics and barely scratch the surface of a proper vendor management program. As the burden of regulatory oversight continually increases, a partial plan is far better than none, and a mature program is the goal.