Due Diligence and Ongoing Monitoring

  • 1.  NET BOND CERTIFICATION

    This message was posted by a user wishing to remain anonymous
    Posted 02-02-2021 02:42 PM

    My questions are:
    1. Is anyone familiar with the AT&T Net Bond Certification program?
    2. If so, how familiar? (I have asked level 4+ security engineers, CISO(s), CTO(s), etc. and none are familiar with, nor can vouch for, the robustness of this product)
    3. Has anyone ever accepted a 'letter' stating a vendor is AT&T NetBond Certified at face value in lieu of conducting your own audit and/or in lieu of requiring a copy of the actual AT&T Net-Bond Audit Assessment?

    SUMMARY:
    My organization is in the beginning phase of auditing a large financial institution (FI).  Upon asking the institution to complete our Privacy & Security Questionnaire, the FI provided an AT&T Net Bond Certification Letter.  Upon research, we found that the Net Bond Certification is an audit product offered by AT&T.  AT&T goes on-site and audits the FI, and then provides them with a completed audit assessment and a letter stating they are 'AT&T NetBond Certified'.

    My organization went back and asked for one of the following (Note: "Privacy and Security Questionnaire" is a custom questionnaire by my organization):

    Option 1

    SOC2 Type2, along with the completed tabs 'Business Information' and 'Privacy' within the attached Privacy and Security Questionnaire 

    Option 2

    Completed ATT Audit Assessment (not just the certification letter), along with the completed tabs 'Business Information' and 'Privacy' within the attached Privacy and Security Questionnaire

    Option 3

    Fully completed Privacy and Security Questionnaire which we provided

    The FI completed the Privacy tab in our questionnaire, but has not provided a SOC2, nor a copy of the completed Audit Assessment by AT&T, nor will they complete the Security portions of our questionnaire.  The FI responds with:

    • "The other documentation previously sent is sufficient for our other partners. 
    • No one else asks for what you are asking for.
    • We are in a highly regulated industry."


  • 2.  RE: NET BOND CERTIFICATION

    Posted 02-04-2021 08:00 AM
    I have never heard of AT&T NetBond certification, nor have a sampling of InfoSec professionals I asked.  I would push back and ask for the AT&T audit if this is a critical vendor with high data risk.  As the entity owning the data, you are responsible for ensuring its security, so I would argue back to your FI that you have a regulatory mandate to understand the specifics of the framework protecting your data once it leaves the confines of your servers.  I usually make the point in negotiating due diligence requirements that protecting the integrity and security of our customers' information is our most important priority and that we are looking for partners who take this just as seriously as we do.  Maybe be honest that this certification is not one that your organization is familiar with and, based on your discussions with others within the industry, it does not appear widely known.  My motto for due diligence: "Trust, but verify".

    Good Luck,
    Shelly


  • 3.  RE: NET BOND CERTIFICATION

    This message was posted by a user wishing to remain anonymous
    Posted 02-04-2021 12:01 PM

    Net Bond isn't a certification. It's the name of the service. (See URL below.) Your vendor is not answering your question at all. 

    https://www.business.att.com/products/netbond.html
  • 4.  RE: NET BOND CERTIFICATION

    Posted 02-04-2021 06:08 PM
    Hi! 

    I totally understand your predicament and frustrations. The fact of the matter is, in order to accept the AT&T NetBond Cert in lieu of your standard due diligence, you need to at least have enough information to see what it covered. After looking into this cert and consulting with some of my colleagues (to include some Big 4 auditors), this is not a well-known certification and likely only covers a portion of their overall control environment. We do recommend continuing to work with this vendor in order to get the validation you need.

    "We're a highly regulated industry" and "no one else has asked for this" are some pretty common responses to due diligence requests (especially from large corporations)… but they don't hold up. Given that they ARE so regulated, they should be well aware of their requirement to provide validation of information security controls, which include evidence of testing. They should certainly not be surprised by your inquiry, and the fact that they are is a big concern, in and of itself. (Being an auditor, I would explore this concern by asking for evidence of their Third Party Risk Management practices).

    My response might read something like, "Thank you for your reply. As a regulated industry, you're likely familiar with the FDIC's guidance for managing third-party risks (FIL 44-2008), which we intend to uphold. Provided that your services to us (will) include _____, we're accountable for the associated (operational, reputational, transaction… list all that apply) risks. As such, it is our responsibility to conduct comprehensive due diligence, which includes a review of our vendors' 'financial condition, its specific relevant experience, its knowledge of applicable laws and regulations, its reputation, and the scope and effectiveness of its operations and controls.' We ask that you please reconsider our request (below), so that we can continue to meet our mutual regulatory requirements."

    Aside from citing regulations, these situations often come down to leverage. Is there an existing contract, or are you in the negotiation phase? Is there any way you could use either of these to your advantage?

    I hope this response is helpful, good luck!

    Nicole
  • 5.  RE: NET BOND CERTIFICATION

    Posted 02-05-2021 07:43 AM

    In dealing with a reluctant (or recalcitrant) vendor, it is often helpful to quote directly from regulatory guidance that documents your responsibilities as a customer of a 'technology service provider' (to use regulatory terminology).  Any vendor arguing that they are exempt or somehow excused from regulatory standards will find themselves in a hard position to sustain.  I find that one of the best documents for the purpose is the OCC's FAQ (published a year ago on 3/5/2020) addressing common questions from their earlier bulletin 2013-29.  The OCC has been a 'thought leader' in recent years for TPRM and there is good material here.  The document is available at https://occ.gov/news-issuances/bulletins/2020/bulletin-2020-10.html

    Lee Beachy