Compliance

Referrals and Breach Notification Requirements

I've recently been asked whether a financial institution has Breach Notification responsibility in the case where the institution refers customers to vendors such as financial service providers where the institution merely vetted several vendors as a convenience for its customers, has no contract with the vendors, passes no PII/NPPI to the vendor, receives no referral fees [...]

2017-03-16T12:43:13+00:00 February 8th, 2017|3rd Party Risk, Audit, Compliance, Vendor Management|0 Comments

You’re Not Too Small for Multiple Lines of Defense

Classic risk management employs 3 lines of defense. But there's also a possible 4th line when it comes to regulatory issues, specifically vendor management. Please note that I have seen multiple titles that fit the roles below so don't get hung up on the titles. If you're a smaller institution and you wear multiple hats, you [...]

Are your vendors delivering value beyond just meeting SLA’s? How are you measuring their value?

How do you measure your vendor's value?  s vendor management programs mature, we need to understand the value a vendor delivers beyond meeting its Service Level Agreements. While we frequently outsource significant functions (critical and high risk) because a vendor can help us meet our strategic goals, including doing something better/faster/cheaper, what else are we obtaining [...]

So many SOC’s to review, so little time and staff to go around. Here’s a crash course:

Crash course here: http://bit.ly/1Oobnan Everyone is heavily overburdened with the demands of trying to comply with regulations. So if your IT or Info Security team doesn't have enough staff to review all SOC reports (or possibly just reviews those with exceptions) yet your internal audit dept wants proof that reviews of all SOC reports are conducted, [...]