Audit

NY DFS Cybersecurity Regulation: Are your 3rd Party Controls in Place Before the Hammer Drops?

With the March 1, 2019 deadline looming for complying with NY’s Cybersecurity regulation, the NY DFS must be licking its chops at the prospect of imposing fines. Actually, I’m sure they really hope that all covered entities are up to snuff and have sent in their signed certifications or exemptions. “Signed certifications or exemptions?” you ask. [...]

3rd Party CryptoCurrency Risk & Controls: Hot Wallets? Cold Wallets? Standards? Insurance?

February 5, 2019 | Copyright 2019 Compliance Education Institute

If you’re considering or have already taken the plunge into cryptocurrency as an asset or a viable form of payment or value, then you’ve likely engaged a 3rd party as a repository or an exchange. Like any other vendor managing our deposits/transactions/assets, we must certainly be concerned about [...]

2019-02-05T10:20:38+00:00 | February 5th, 2019 | 3rd Party Risk, Audit, ERM, Governance, Risk, Vendor Management

Simple Things to Lower Your Vendor Management Program Risk Profile

I recently conducted a Vendor Management Program Audit and Risk Assessment as a part of our Advisory Services for a midsize financial institution. Performing both gives you a more complete picture of where the institution is at and helps document current state, desired state, gap analysis and create a prioritized road map for a healthier program. This particular [...]

2017-10-20T08:04:48+00:00 | October 20th, 2017 | 3rd Party Risk, Audit, Compliance, Risk, Vendor Management

SSAE 18: A Practical Analysis for 3rd Party Risk Management

I've read a ton of SSAE 18 analyses ranging from comic book style infographics with inadequate, lightweight, poorly explained content to others that are very detailed, well written analyses targeting auditors. I particularly like Ryan Buckner's concise, practical analysis in ACCOUNTING TODAY. In any case, I've had many requests from our Certified Regulatory Vendor Program Managers [...]

2017-03-16T12:42:05+00:00 | March 10th, 2017 | 3rd Party Risk, Audit, Risk, Vendor Management

Referrals and Breach Notification Requirements

I've recently been asked whether a financial institution has Breach Notification responsibility in the case where the institution refers customers to vendors such as financial service providers where the institution merely vetted several vendors as a convenience for its customers, has no contract with the vendors, passes no PII/NPPI to the vendor, receives no referral fees [...]

You’re Not Too Small for Multiple Lines of Defense

Classic risk management employs 3 lines of defense. But there's also a possible 4th line when it comes to regulatory issues, specifically vendor management. Please note that I have seen multiple titles that fit the roles below so don't get hung up on the titles. If you're a smaller institution and you wear multiple hats, you [...]

A Vendor’s Incident Response Plan is Only Half the Story!

When outsourcing services to vendors where sensitive/confidential data or critical services are involved, most of us request some combination of Business Continuity Plan, DR Plan, DR test results and Incident Response Plan. That's only half the battle. Of particular interest is the Incident Response Plan. The IRP is certainly something you'd want to review but all [...]

Critical Vendor or Critical FUNCTION?

You have HOW MANY critical vendors?!?!?!?!? I always find the perception of CRITICAL VENDOR to be very interesting. As Certified Regulatory Vendor Program Managers (CRVPM) know, when reviewing vendor management programs we typically see way too many vendors listed as critical, usually for a couple of reasons: 1) either the business unit thinks that their vendors [...]

2017-03-16T12:55:25+00:00 | March 24th, 2016 | 3rd Party Risk, Audit, ERM, GRC, Risk, Vendor Management

So many SOC’s to review, so little time and staff to go around. Here’s a crash course:

Crash course here: http://bit.ly/1Oobnan

Everyone is heavily overburdened with the demands of trying to comply with regulations. So if your IT or Info Security team doesn't have enough staff to review all SOC reports (or possibly just reviews those with exceptions) yet your internal audit dept wants proof that reviews of all SOC reports are conducted, [...]

Reassessing Vendor Risk – An Ongoing Necessity

So you've done your initial INHERENT risk rating of your vendor and then conducted your due diligence to determine the RESIDUAL risk and you're comfortable doing business with the vendor so you sign a contract. A year from now you plan to conduct the periodic review. But a number of things might have occurred from the [...]

2017-03-16T12:58:50+00:00 | February 9th, 2016 | 3rd Party Risk, Audit, ERM, GRC, Risk, Vendor Management