FAQ – Vendor Management and Cybersecurity

February 1, 2024 BY MQMR Blogger

Question: How important is it to evaluate the cybersecurity risk and protocols of our vendors?

Answer:

In today’s environment, it is critical for mortgage companies and financial institutions to evaluate the cybersecurity risk and protocols of their vendors. A significant number of the network intrusions and data breaches occurring today originate with a third party, including vendors. Mortgage companies and financial institutions not only need to maintain adequate written third-party vendor management policies and procedures, but they must also perform a sufficient cybersecurity risk assessment of each vendor and conduct thorough due diligence of vendors deemed to be medium or high risk, both prior to onboarding and on an ongoing basis. Due diligence may include, but is not necessarily limited to:

  • Determining whether the vendor maintains qualified information security personnel, internally or externally;
  • Identifying and evaluating the controls implemented to protect confidential data and/or non-public personal information (e.g. password protocols, access management, multifactor authentication, network scanning);
  • Reviewing the vendor’s disaster recovery and incident management plans and the related testing of those plans;
  • Reviewing security awareness training, including phishing exercises;
  • Reviewing external security audits performed (e.g. SOC reports, SSAE16 attestations, penetration tests); and
  • Determining whether the vendor utilizes subcontractors and, if so, whether confidential data and/or non-public personal information is shared with those subcontractors.

Failing to perform appropriate cybersecurity reviews of vendors exposes a mortgage company or financial institution to significant risk.