Hello Merritt,
Critical may be defined differently depending on the organization.
For my organization, "Critical" is any Third Party Provider that provides any service or product designated by our Systems and Technology committee as critical for continued operations for purposes of safety and soundness laws. Generally, these are vendors whose services support our ongoing operations and have an RTO of less than 24 hours. Further, we include a financial consideration: any vendor whose annual expenditure exceeds $2 million is also considered a critical service provider.
Many vendors in our critical services category are technology; however, some providers, for which we utilize multiple products, meet the financial consideration.
Rachel Kenyon
Division Third Party Risk Management Senior Analyst
CRVPM IV
Original Message:
Sent: 01-13-2021 09:36 AM
From: Merritt Wofford
Subject: Risk assessment
Can someone provide a general list of types of services that are always critical besides the core processor?
I would think you would also have IT network service providers.
Merritt Wofford, Esq
Assistant Vice President
Security Officer, Heritage Southeast Bank and
Heritage Bank, Division of Heritage Southeast Bank
Facilities, Projects and Vendor Management
Original Message:
Sent: 1/13/2021 9:01:00 AM
From: Anonymous Member
Subject: RE: Risk assessment
This message was posted by a user wishing to remain anonymous
Hi Payal,
Though I don't have a list, I always refer back to my main set of inherent risk questions. For example:
- Does the vendor or product align with strategic goals?
- Does this product or service in any way impact clients and/or customers?
- Will the vendor have direct access to clients and/or customers?
- Is sensitive data being accessed by this vendor?
- Will / does this vendor in any way host or store NPI or PII of employees, clients or customers?
- Will/does vendor have unescorted physical access to facilities?
- Does the vendor have access to or process any PCI (payment card industry) data?
- Does the vendor process financial transactions on our behalf, or on behalf of our customers or employees?
- Do we rely on this product or service in order to maintain compliance with any regulatory guidance?
- Will any services provided by vendor be supported by any location outside the continental United States?
- Will/does this product or service require an expense of over $50,000 within a single year?
- Does this product or service provide or support a significant revenue stream?
- Would a disruption in service cause a material impact to us or our clients/customers?
- Is this a technology-related service that will in any way require integration with our Network?
- Is the product or service a newly launched or emerging technology product?
- Will/does the vendor have access to our network?
- Will this product or service be accessed via the internet?
If there's no way a service type would ever really have an inherent risk based on these sorts of questions, they can be scoped out, for the most part. I know there is a lot of gray area. I have seen justification for scoping out regulatory services, telephone and utility companies, and some types of software licenses and subscriptions. Aside from the utilities, I get wary about making it a rule to bucket an entire 'category' as out of scope, mostly because of how things can be interpreted by different people. I always like to make sure things come across my plate to at least make a risk-based determination and ultimately scope out if warranted, with documented justification.
Original Message:
Sent: 01-10-2021 09:31 AM
From: Payal Bhojwani
Subject: Risk assessment
Hi All,
Happy New Year!
Is there a list of services outsourced by a financial institution which are out of scope for risk assessment, like telephone and utility bills, statutory and regulatory services, software and licenses, and temp staff hiring?
Thanks!