Pub. 16 2021-22 Issue 3
NEBRASKA BANKERS ASSOCIATION

on a “watch list.” Your vendor watch list should mimic your loan watch list. It identifies problematic vendors that require additional oversight. If a vendor is on the watch list, increase their review frequency identified by the risk assessment until such a time that you’ve decided to either:

• Accept the risk = Do nothing, but make sure you document it as a known risk exception!
• Resolve the risk = Work with the vendor to address issues until they’re resolved.
• Change the risk = Find a new vendor or bring the service in-house.
• Transfer the risk = Insure against a loss.

Vendor Management + Incident Response

Your incident response plan should already identify the most severe threats your institution faces. Vendor compromise ought to be one of those. You should perform tabletop testing of your incident response plan. Develop scenarios based on your threat assessment and walk through those scenarios with the incident response team.

When performing a tabletop test for a vendor compromise scenario, reach out to the vendor prior to the test and encourage their direct participation. If the vendor chooses not to participate (note that in your vendor management program), put together a list of questions or requested information resulting from the tabletop test.

Don’t forget to ensure your tabletop test is well documented:

• Who attended?
• What was the scenario?
• What steps were determined to be taken?
• What did we do well?
• What can we improve?
• What additional questions do we need to answer?

Bottom Line, It’s Your Data

We’re more reliant on vendors than ever before. Vendors are storing, processing, or transmitting data on behalf of your organization. However, it’s your data, so it’s your responsibility to protect your customer information, your employees, and your institution, no matter where the data resides. Your vendor is not going to notify your customers about a breach for you or take the blame.
Understand your vendor’s security practices through your vendor management program. Align those vendor relationships with your cybersecurity goals and standards. Ensure you’re tying vendor management and vendor relationships into your incident response considerations. Remember, it’s not IF something is going to happen, it’s WHEN. If we plan to fail well and build that capability into our vendor management process, we set ourselves up better to come out the other side as healthy as possible.

For more information, contact Reece Simpson at 605-270-3916 or reece.simpson@sbscyber.com. SBS delivers unique, turnkey cybersecurity solutions tailored to each client’s needs, including risk management, consulting, auditing, network security, and education. Learn more at www.sbscyber.com.

Everything that’s good in information security starts with a risk assessment. If you cannot measure it, you cannot manage it. All of your risk assessments, including your vendor risk assessment, should help you make better decisions.