BLOG
FAQ – Vendor Management and Cybersecurity
February 1, 2024 BY MQMR Blogger
Question: How important is it to evaluate the cybersecurity risk and protocols of our vendors?
Answer:
In today’s environment, it is critical for mortgage companies and financial institutions to evaluate the cybersecurity risk and controls of their vendors. A significant share of the network intrusions and data breaches occurring today originate with a third party, including vendors, which means that a vendor with access to your systems or your borrowers’ data effectively extends your attack surface. Mortgage companies and financial institutions must not only maintain adequate written third-party vendor management policies and procedures, but must also perform a cybersecurity risk assessment of each vendor (rating it low, medium or high based on the data it handles and the access it is granted) and conduct thorough due diligence on vendors rated medium or high risk, both prior to on-boarding and on an ongoing basis. Due diligence may include, but is not necessarily limited to:
- Determining whether the vendor maintains qualified information security personnel, internally or externally;
- Identifying and evaluating the controls implemented to protect confidential data and/or non-public personal information (e.g. password policies, access management and least-privilege provisioning, multifactor authentication, vulnerability scanning, encryption of data in transit and at rest, etc.);
- Reviewing the vendor’s disaster recovery and incident response plans, including how and when the vendor will notify you of a security incident involving your data, and the results of related testing of those plans;
- Reviewing security awareness training, including phishing exercises;
- Reviewing external security assessments performed (e.g. SOC 1/SOC 2 reports under SSAE 18, which superseded SSAE 16; penetration tests, etc.), paying attention to the period the report covers, any exceptions noted, and the complementary user entity controls the report expects your organization to have in place; and
- Determining whether the vendor utilizes subcontractors and, if so, whether confidential data and/or non-public personal information is shared with those subcontractors and whether the same security obligations flow down to them.
Failing to perform appropriate cybersecurity reviews of vendors exposes a mortgage company or financial institution to significant risk: a breach at the vendor becomes your breach, along with the resulting notification obligations, regulatory scrutiny and reputational harm.