Pub. 10 2021 Issue 3

Fall | 2021

providing assurance that the vendor meets the institution’s needs. Understanding how to spot the right vendor requires knowing what to look for.

• Review the vendor’s corporate history, including the qualifications, backgrounds, and reputations of company principals. Verify that the vendor and your institution are a good fit from a mission and business strategy perspective.
• Analyze the vendor’s audited financial statements to confirm its financial stability.
• Evaluate the vendor’s experience and ability in the industry, including its work with institutions of similar size and operations to yours.
• Request and review references from current users about the vendor’s reputation and performance.
• Review the vendor’s technology and systems architecture. Verify that the technology requirements of the service and vendor are compatible with your institution.
• Look at the internal controls, security history, and audit coverage of the prospective vendor.
• Assess the vendor’s information security program and resiliency.
• Check for any legal and regulatory compliance issues.
• Review the vendor’s insurance coverage.
• Review the vendor’s reliance on and management of subcontractors.
• Evaluate the vendor’s fee structure and incentives.
• Verify with your I.T. Department that the technology requirements of the service are in line with your institution’s current technology. Different vendor services may have very different requirements, so having your I.T. Department review all vendor information can help point you to the best vendor for your institution.

Contract Negotiation Time

Contracts give you the ability to clearly identify rights and responsibilities and to address significant issues. Financial institutions can feel that they must sign the vendor’s contract as-is, especially when dealing with a big company. However, you have the right to negotiate what is included in a contract. In fact, this step may clearly indicate which vendor will best suit your institution’s needs. If a vendor is not willing to include what your institution has decided is integral language, you may choose to continue searching for a vendor that will.

Here are some important elements the contract should address:

• Scope of service, including a description of activities, timeframes for implementation, and assignment of responsibilities
• Security and confidentiality concerns
• Internal controls such as system monitoring, notification requirements, records maintenance, and cybersecurity
• Requirements to provide audit reports (state specific types and frequency)
• Requirements to provide performance and financial reports (state specific types and frequency)
• Requirement to provide Business Resumption/Contingency Plans
• Reliance on subcontracting
• Choice of law and jurisdictional provisions for foreign-based third parties
• Compliance with regulatory guidance and applicable laws
• Right to audit and require remediation
• Indemnification, insurance, dispute resolution, and limits on liability
• Defaults and termination
• Performance standards, including measurable standards, minimum service level requirements, remedies, and Service Level Agreements (SLAs)
• Notification standards for service disruptions, security breaches, significant changes to the contracted activities, etc.
• Data access, ownership, and license

Vendor selection can be time consuming and overwhelming. But using good outsourcing policies and procedures, understanding what to look for in vendor due diligence, and knowing the important elements to include in vendor contract negotiation will make identifying the best vendor for your institution a bit easier and more successful.

Missy Oliver works at CoNetrix as a Compliance & Security Consultant with seven years of technical and security experience in the educational and financial sectors. She has a B.A. in Advertising/Public Relations from Texas Tech University. She assists with the creation, customization, and maintenance of information security programs, facilitation of security committee meetings, and Cybersecurity Assessment Tool board training.

The first step of any outsourcing is understanding the importance of developing risk-based policies and procedures to govern your outsourcing process.
