Vendor management has always been a key part of financial institution (FI) compliance and risk management efforts. And recently, FIs have witnessed the importance of proper vendor management begin to receive even more emphasis. One area in particular that is contributing to this emphasis is the Statement on Standards for Attestation Engagements (SSAE) No. 18 (SSAE 18) report. That’s right, SSAE 18, not 16. Effective May 1^st, 2017, the SSAE 18 became the new standard report for vendors to provide to financial institutions.

Now, in my opinion, there has not been a lot of hype regarding this change. At least not like what we saw when the SAS70 report became the SSAE 16. The reason for this is due largely to the fact that the SSAE 18 does not appear to be drastically different from the SSAE 16. Which is definitely good news for community FIs.

While the changes between the SSAE 16 and 18 will not completely change an FI’s approach to vendor management, there are some changes that will impact the due diligence efforts of FIs, especially in regard to more critical vendors.

You may have noticed 2016 was quite the busy year for IT regulatory compliance. OK, that’s probably a bit of an understatement.

Last year saw the release of Appendix E on Mobile Financial Services, the new InTrex exam format, the updated Information Security Handbook, and the promise of more to come in 2017. With this plethora of information being directed at financial institutions (FIs), I wanted to take this opportunity to highlight one particular factor that is already coming under examiner scrutiny-incident response. I have written about incident response a couple of times in the past. In fact, in my previous blog I provided some best practice items for FIs to consider in their Incident Response Plans. But with increasing attention on this subject, I think it is necessary we re-visit a couple of established incident response standards and acknowledge a new best practice.

Incident Response Plans have been a critical component for financial institutions (FIs) for quite some time now.

The foundation was outlined as part of GLBA and guidance was later issued on the requirements for these response programs where customer information had been accessed. So this raises the question, if Incident Response Plans have been a necessity for so long, why do so many FIs continue to have ineffective plans in place? I can only speculate as to the reasons why; however, I do know that the expectations for Incident Response Plans are beginning to change. I have spoken with a number of institutions who have shared that their examiners are honing in on Incident Response Plans. With this increasing focus on plans, I want to share with you a few of the most critical pieces that I often see missing from Incident Response Plans.

If you find yourself in need of a stark reminder on how quickly time passes by, consider this: May marks one year since the FFIEC officially announced their focus on cybersecurity for financial institutions. Even though official guidance is still pending, the FFIEC has been using the past year to continue underscoring the importance of cybersecurity. In addition to periodic updates being provided by the FFIEC, there have been a multitude of articles on the topic of cybersecurity. While there has been an emphasis on areas such as C-Suite training and information sharing, I have noticed two items in particular that seem to be getting lost in the mix of cybersecurity discussions. Those items are Incident Response Plans (including testing plans) and critical vendor management. Let’s look at Incident Response Plans first.