BLOG

Question: How important is it to evaluate the cybersecurity risk and protocols of our vendors?

Answer:

In today’s environment, it is critical for mortgage companies and financial institutions to evaluate the cybersecurity risk and protocols of their vendors. A significant number of the network intrusions and data breaches occurring today originate with a third party, including vendors. Mortgage companies and financial institutions not only need to maintain adequate written third-party vendor management policies and procedures, but they must also perform a sufficient cybersecurity risk assessment of each vendor and ensure they conduct thorough due diligence of vendors deemed to be medium or high risk prior to on-boarding and on an ongoing basis. Due diligence may include, but is not necessarily limited to:

• Determining if the vendor maintains qualified information security personnel, internally or externally;
• Identifying and evaluating controls implemented to protect confidential data and/or non-public personal information (i.e. password protocols, access management, multifactor authentication, network scanning, etc.);
• Reviewing the vendor’s disaster recovery and incident management plans and related testing of such plans;
• Reviewing security awareness training, including phishing exercises;
• Reviewing external security audits performed (i.e. SOC, SSAE16, penetration tests, etc.); and
• Determining whether the vendor utilizes subcontractors and, if so, whether confidential data and/or non-public personal information is shared with those subcontractors.

Failing to perform appropriate cybersecurity reviews of vendors opens a mortgage company and financial institution up to significant risk.