In the financial industry, third parties often guard the vault. For example, MSSPs (managed security services providers), such as the company I work for, deliver vital resources and expertise to many small to midsize banks. These services include firewalls and intrusion management, secure electronic document delivery, and oversight by trained security professionals. Many banks also rely on MSSPs to comply with regulatory mandates.
But who watches us?
Several months ago, I sat down with a bank executive who assured me “Keystone Security,” a local provider angling for his business, had been examined and approved by the Federal Financial Institutions Examination Council (FFIEC). There was only one trouble: I knew that was untrue. I had been speaking with an FFIEC rep earlier that week, and she had told me that only two companies in my area -- neither one of which was “Keystone” -- had actually been examined.
In fact, federal, state, and local regulators routinely examine bank operations to ensure that guidelines are met and customers are protected from malfeasance, negligence, or theft. Yet, it’s almost impossible for a bank to be sure its MSSP is competent, diligent, or even financially solvent!
How much do banks know about the corporate underpinnings of MSSPs like mine? How can banks investigate the background of key MSSP personnel? What do they really know about the technologies deployed by their MSSP? These queries beg an even bigger question: Shouldn’t MSSPs undergo the same due diligence and oversight as banks themselves?
During the past year, I have seen at least four instances in which MSSPs stated they had been formally examined by the FFIEC to make sure they were in compliance with federal data-handling requirements. And in all of these cases, they were lying.
The FFIEC’s IT Examination Handbook states: “Financial institutions should have a comprehensive outsourcing risk management process to govern their TSP [technology service provider] relationships. Such processes should include risk assessment, selection of service providers, contract review, and monitoring of service providers. Many TSP relationships should be subject to the same risk management, security, privacy, and other internal controls and policies that would be expected if the financial institution were conducting the activities directly.”
Notice the verb used in all three sentences: “should.” The verb “must” is conspicuously absent. Technology is evolving too rapidly for dubious interpretations of security compliance. In my opinion, banks and regulators must be required to perform due diligence on MSSPs. As it happens, although my company would have met all banking criteria when it was established in the late 1990s, no one ever checked to find out. For all anyone knew, we could have been a bunch of incompetent bozos.
Bankers often lack the technical expertise to scrutinize an MSSP. Consequently, federal and state regulators share this burden. Banks should insist that regulators institute protocols by which MSSPs are held to the highest standards for governance and security.
The best time to install a sprinkler system is before your house burns down.