Vendor Vulnerabilities

Risky Business

Being vigilant on cyber security requires companies to have confidence in the IT protections of their vendors and partners.
By: Maddy Bowling | December 18, 2014

Like everyone else, I shop at Target, Home Depot and TJ Maxx, and as a consequence of their security breaches, and for my future protection, I have had to exchange my credit card several times.

Although I am very careful about sharing personal data and keep a shredder very busy, clearly the companies with whom I do business have vulnerabilities that they and I were unaware of.

Such vulnerabilities impact our industry as well.

In July, the Consero Group conducted a survey of Fortune 1000 companies that indicated that 65 percent of their executives do not believe their vendors are sufficiently focused on minimizing risk.

We are in an industry where vendors abound and we rely heavily on them to provide services to our clients, our employees, our medical and ancillary providers, and to each other.

What are the risks if our vendors do not meet the highest standards and have vulnerabilities that affect the various stakeholders in our business?

Data security – We must be certain that all the data we collect and share (much of which is highly personal and confidential) is secure. How can we be sure that every one of our vendors has the “right” level of controls to keep our data, and our clients’ data, secure?

Financial impact – Financial transactions are at the core of our businesses. In today’s highly technology-based business practices, many of these transactions are performed electronically. How do you know if your and your vendor’s systems are protected against unauthorized access?

Compliance/regulatory impact – Is your vendor’s system processing complete, accurate, timely, regulatory compliant and authorized?

Controls – Exactly what controls do your vendors have in place to prevent the security breaches that have become all too frequent?

Compliance Standards

Remember the SAS 70? From 1992 on, SAS 70 provided the auditing standard guidance for reporting on the internal controls, including IT-related controls, of service organizations.

However, two key authorities, the American Institute of Certified Public Accountants (AICPA) and the International Auditing and Assurance Standards Board (IAASB), identified the limits of SAS 70 and acknowledged the need for a stronger attestation standard.

Certainly, our recent experience of all types of security breaches would indicate that we do need to do more. Thus in 2011, SSAE 16 replaced SAS 70 as the attestation standard for reporting on controls at service organizations, and the AICPA’s Trust Services Principles and Criteria (security, availability, processing integrity, confidentiality and privacy) supply the criteria against which a service organization’s controls can be evaluated.

Sparrow, Johnson and Ursillo, a full service accounting and technology firm serving a wide variety of clients all over the country including members of the banking community, describes the SSAE 16 standards this way:

“These attestation standards address engagements undertaken by a service auditor for reporting on controls at service organizations that provide services to user entities (customers). User entities in reality take on many of the risks of their outsource partners. These attestation standards provide the framework for CPAs to report on the internal controls over financial reporting as well as compliance and operations of the service organizations in order to determine and demonstrate the effectiveness of internal controls.”

With these new standards, entities can describe and document more precisely how services are being delivered and how controls are utilized within finance, operations and compliance. The resulting attestation report (it is a service auditor’s report, not a certification) can be utilized to identify risks, evaluate the effectiveness of internal controls and provide the assurances we all need as they relate to our vendor partners.

Focus on Vendors

I would suggest that you make this a high priority in your organization. We are, after all, in the business of risk management and we need to ensure that our vendors/partners are as focused as we are on minimizing risks.

Ask yourself these questions:

• How do you know that your vendors are doing what it takes to protect your systems and data?

• Have you talked to your vendor partners about their internal controls as they relate to their business with you?

• Is your vendor management department knowledgeable about the Trust Services Principles?

• Are you requiring, or should you be requiring, an SSAE 16 attestation report from your vendors?

All of us need to be more vigilant and better protected against security breaches. Are you and your company as protected as you need to be?

Maddy Bowling is a principal in Maddy Bowling Consulting, Inc., a WC consulting firm. Bowling has 35 years of broad-based executive management experience within operating, corporate and consulting environments. She can be reached at [email protected].

More from Risk & Insurance