You Are Only as Strong as the Weakest Link: A Vendor Due Diligence Checklist for CUs
In the era of COVID-19 and new cyber-threats, it’s never been more important to complete thorough due diligence on all vendors.
You are only as strong as your weakest vendor link, and it is important not to let vendor engagements increase risk for your credit union. Given the current threat landscape, vendor selection and the ongoing management of vendors have never been more important. Vendors can help your credit union achieve cost-effective, cyber-protected success through the prudent selection and maintenance of technology and equipment. But they are also capable of increasing cyber risk, making narrow-minded technology recommendations, looking back instead of forward and resisting change.
It is recommended to commit the same vetting process level to vendor selection as you commit to hiring key employees. Once selected, vendors should be managed effectively and treated as trusted members of your team. If the vendor is resistant to this level of partnership, we suggest you look elsewhere.
Trusted Partnerships
A trusted partnership between a credit union and a vendor is an incredible value add for both organizations. The foundation of trust begins with the vendor understanding the credit union’s culture, expectations, policies and procedures, along with industry standards. The next step is to determine whether the vendor’s technician footprint (where its technicians are based and how quickly they can be on site) aligns with the credit union’s branch footprint. The vendor’s technicians must be trained and certified. It is critical to select vendors that have a track record of retaining skilled talent to maximize quality. Annual vendor employee turnover should not exceed 15%.
Risk, Compliance and Legal Considerations
Vendors that install and/or service equipment that will be connected to your credit union’s network should be able to produce a current System and Organization Controls (SOC 2) Type II report. A SOC 2 Type II report is an independent auditor’s attestation, renewed annually, that the vendor’s controls were designed and operated effectively over the review period; it is an attestation rather than a certification, so ask for the report itself and read the exceptions, not just a logo on a proposal. One area the report covers is the vendor’s controls on employees’ computer devices. These controls include, but are not limited to, restricting application downloads and website access, operating system patching and keeping anti-malware protection up to date.
Imagine for a moment a vendor without a SOC 2 Type II report that is not diligent about patching its technicians’ operating systems or updating their anti-malware tools. A technician downloads malware while browsing the web at lunch, then carries it onto a credit union’s network on the same laptop while completing diagnostics and repair services.
The equipment a vendor uses to conduct its business and the equipment it markets to credit unions must be hardened and tested to mitigate cyber and compliance risk. A vendor’s equipment and product offerings should include the following:
- Encryption capabilities;
- Centralized patch management and firmware updates with remote capabilities;
- Strong password management with no default passwords;
- Open architecture and a field serviceable product line; and
- Annual cyber penetration tests to verify protection levels.
The vendor must also reduce risk for the credit union by completing background checks on its employees and sub-contractors. If sub-contractors are used on a project, management and performance expectations should mirror the vendor’s own and be transparent to the credit union. No one wants a vendor to blame a sub-contractor for poor performance. The buck stops with the vendor.
A vendor’s finances should be explored to verify multiple years of strong financial performance and cash reserves. Vendors experiencing financial problems can lead to serious issues, including:
- Catastrophic closing of the vendor’s business;
- Loss of talented employees;
- Difficulty acquiring needed equipment from manufacturers and suppliers; and
- The credit union having to make an unexpected and disruptive transition to another vendor.
Innovation, Automation and Remote Technologies
The trusted vendor should be expected to partner with your credit union on its future roadmap for implementing innovative technology, automation and remote technologies. Vendors often serve other credit unions and perhaps other sectors as well. This exposure gives the vendor a broader view of different risk mitigation strategies and uses of technology and automation. The trusted vendor should routinely share that information with your institution, such as lessons from implementing and operating artificial intelligence and video analytics.
The vendor should help the credit union solve pain points. Major pain points for many credit unions are platform creep, vendor bid processes, and the timing and implementation of a new platform.
Platform creep is the repeated implementation of disparate systems. Each of these systems requires its own hardware, firmware, operating system and software support, and each is another surface to patch and monitor. Security video, access control and alarm systems are a common example. There are systems available today that integrate these functions and increase the performance of each while reducing support requirements.
One potential vendor bid process trap occurs when a vendor submits an extremely low bid compared to its competitors. It is hard to say no to what appears to be a significant cost savings. However, close inspection of an extremely low bid is recommended. Many costs are the same for all vendors in a region or market. Bids can vary somewhat based on volume discounts for equipment and management of overhead costs, but extreme low bidders are often accepting a short-term loss in the hope of winning future bids for projects and equipment. You have to ask: What if that future work is not awarded to the extreme low bidder? How long will that low bidder be willing to take a loss every time work is performed? Another question to ask is whether the extreme low bidder is up to date with technology such as electronic dispatch and equipment tracking, holds a current SOC 2 Type II report, trains and certifies its employees, and carries proper levels of insurance coverage.
The trusted vendor can track a credit union’s equipment and advise when a current platform or equipment has reached the end of its life and replacement is prudent. The vendor can then:
- Work with the credit union to determine requirements for the new platform;
- Locate available platforms that match the requirements;
- Assist with acquisition of the new platform; and
- Develop a plan for platform or equipment rollout and installation, and a user training plan.
The new year is a great time to conduct an analysis of your current vendor engagements. Are your current vendors trusted partners? Have you verified that each vendor with access to your network holds a current SOC 2 Type II report? Do your current vendors offer advice to improve the technology performance of the platforms and equipment your credit union uses? Depending on how you answer these questions, now may be a great time to review the marketplace for new vendors and improved partnerships.
Steve Ryker, CPP is vice president of compliance and risk for the Portland, Ore.-based Cook Security Group.