Due Diligence and Ongoing Monitoring

  • 1.  Oversight Requirements

    Posted 03-08-2022 12:41 PM
    I came from a financial institution where we categorized vendors by Critical, Moderate, Non-essential. I am new to the inherent risk and the residual risk ratings. I got hired on at a new credit union and the oversight tasks are confusing. For critical high-risk vendors there is no question in my mind that the due diligence needs to be run annually and I need to review the BCP/DR, SOC, updated insurance certificate, cyber security review, info sec review, financial review and PCI compliance. Should I not review all of those for Critical vendors that are moderate or low risk as well? If that vendor went down and their product/service affected our financial institution with a huge impact, I would think that despite the risk, it's a critical vendor; they are one of the most important vendors to keep an eye on? I believe the entire oversight automation requirements are not set up correctly and I want to change them. For example:
    For a Critical high-risk vendor with no NPI access it is currently set to review the contract, SOC and BCP annually.
    But for a high-risk non-critical vendor with NPI access it is set to review the same information as a high-risk critical NPI-access vendor annually. This does not make sense. Can someone help me?


  • 2.  RE: Oversight Requirements

    Posted 03-10-2022 10:44 AM
    My organization reviews all third parties at least annually and more frequently based on risk rating. Criticals are every quarter, at a minimum. Moderates, bi-annually, and Low or "non-essential", annually. Any third party could be reviewed more frequently based on issues or other things that might be going on.


  • 3.  RE: Oversight Requirements

    Posted 04-25-2024 03:50 PM

    Hi All,

    How do you look at DD for Equifax and/or TransUnion? I am performing DD on both of them for the first time and when looking at the Better Business Bureau and CFPB, there are a lot of complaints on both of them. They also have low customer ratings on some of the customer review sites.

    They are both huge companies though, with hundreds and thousands of customers that they offer credit reports for. Many of them haven't complained. Do you consider the nature of the product or the number of complaints based on their overall volume?

    I haven't looked at Experian, but imagine they get a lot of complaints too.

    Thanks so much!

    Cheryl Turner




  • 4.  RE: Oversight Requirements

    This message was posted by a user wishing to remain anonymous
    Posted 04-25-2024 04:20 PM

    I review Trans Union annually and although there are a lot of complaints, we take it as the nature of the business they provide. For them, we primarily focus on the business aspect and how it pertains to us, and if there is anything questionable on the Executive Summary reports I reach out for a further explanation. 




  • 5.  RE: Oversight Requirements

    This message was posted by a user wishing to remain anonymous
    Posted 05-24-2024 03:35 PM

    What information are you able to obtain from TransUnion? I haven't been able to gather much from them - just a general "Data Security" document that states WHAT they have in place but offers no evidence of controls, testing, etc. Thanks!




  • 6.  RE: Oversight Requirements

    Posted 05-24-2024 07:56 PM

    One should ask if the vendor has a SOC 2 Type II report and, if yes, obtain it. The report would provide information on the internal controls according to the AICPA Trust Services Criteria and would indicate the Complementary User Entity Controls that one's own company should have in place.






  • 7.  RE: Oversight Requirements

    Posted 05-24-2024 07:57 PM

    You may need a better contact at TU. We can gather:

    COI, Incident Response Policy, Cyber Security, SSAE, GAP letter, BC Plan, Disaster test results, Financials, and Information Security.




  • 8.  RE: Oversight Requirements

    Posted 05-24-2024 07:59 PM

    We are actually currently vetting them for a new product we are considering. They answered our questionnaire and sent several documents, including financials, BCP Summary, SOC2, Pen testing Summary, Business License and other items.


    Maybe we got lucky?







  • 9.  RE: Oversight Requirements

    Posted 05-28-2024 08:00 AM

    We obtain the following:

    1. SOC 2 Type 2 Report
    2. Certificate of Insurance for all active policies, including cyber/E&O
    3. From their website:
       1. Form 10-K (annual report, under their investor section)
       2. Code of Conduct
       3. Privacy Policy

    Hope this helps.


  • 10.  RE: Oversight Requirements

    Posted 03-10-2022 11:35 AM
    We categorize our vendors as Critical, Significant or Non-Essential. Critical vendors are reviewed annually, significant, every other year and non-essential, every 3 years. Of course, if we are aware of any possible issues, then we can review more often.

    Within those categories, we determine if the vendors are a high, medium or low risk. If the risk level goes up at the time of the review, then we discuss how we want to handle it. Do we want to review and re-negotiate the contract? Do we want to leave as is? Do we want to terminate the relationship? Communicate with the vendor, regarding our issues and request them to resolve them? Things like that.

    I hope you find this helpful.

    ------------------------------
    Cheryl Turner
    ------------------------------