We obtain the following:
- SOC 2 Type 2 Report
- Certificate of Insurance for all Active Policies – including cyber/E&O
- From their website:
  - Form 10-K – annual report under their investor section
  - Code of Conduct
  - Privacy Policy
Hope this helps.
Re: Oversight Requirements
May 24, 2024 3:35 PM
Anonymous Member
This message was posted by a user wishing to remain anonymous
What information are you able to obtain from Transunion? I haven't been able to gather much from them - just a general "Data Security" document that states WHAT they have in place but offers no evidence of controls, testing, etc. Thanks!
Original Message:
Sent: 04-25-2024 04:12 PM
From: Anonymous Member
Subject: Oversight Requirements
This message was posted by a user wishing to remain anonymous
I review Trans Union annually and although there are a lot of complaints, we take it as the nature of the business they provide. For them, we primarily focus on the business aspect and how it pertains to us, and if there is anything questionable on the Executive Summary reports I reach out for a further explanation.
Original Message:
Sent: 04-25-2024 03:50 PM
From: Cheryl Turner
Subject: Oversight Requirements
Hi All,
How do you look at DD for Equifax and/or TransUnion? I am performing DD on both of them for the first time and when looking at the Better Business Bureau and CFPB, there are a lot of complaints on both of them. They also have low customer ratings on some of the customer review sites.
They are both huge companies though, with hundreds of thousands of customers that they offer credit reports for. Many of them haven't complained. Do you consider the nature of the product or the number of complaints based on their overall volume?
I haven't looked at Experian, but imagine they get a lot of complaints too.
Thanks so much!
Cheryl Turner
Original Message:
Sent: 03-10-2022 10:43 AM
From: Meg Smith
Subject: Oversight Requirements
My organization reviews all third parties at least annually and more frequently based on risk rating. Criticals are every quarter, at a minimum. Moderates, bi-annually, and Low or "non-essential", annually. Any third party could be reviewed more frequently based on issues or other things that might be going on.
Original Message:
Sent: 03-08-2022 12:40 PM
From: samantha mckenzie
Subject: Oversight Requirements
I came from a financial institution where we categorized vendors by Critical, Moderate, Non-essential. I am new to the inherent risk and the residual risk ratings. I got hired on at a new credit union and the oversight tasks are confusing. For critical High risk vendors there is no question in my mind that the Due Diligence needs to be run annually and I need to review the BCP/DR, SOC, updated insurance certificate, cyber security review, info sec review, financial review and PCI compliance. Should I not review all of those for Critical vendors that are moderate or low risk as well? If that vendor went down and their product/service affected our financial institution with a huge impact, I would think that despite the risk, it's a critical vendor; they are one of the most important vendors to keep an eye on. I believe the entire oversight automation requirements are not set up correctly and I want to change them. For example:
For a Critical high risk vendor with no NPI access it is currently set to review the contract, SOC and BCP annually, but for a high risk non-critical vendor with NPI access it is set to review the same information as a high risk critical NPI access vendor annually. This does not make sense. Can someone help me?