Risk Assessments

  • 1.  Risk Assessment Template Request

    Posted 04-03-2024 03:27 PM

    Hi everyone, 

    Can anyone share a risk assessment template for both online banking and ACH Positive Pay?

    Thank you very much.



  • 2.  RE: Risk Assessment Template Request

    Posted 04-11-2024 10:24 AM

    Hi Leah,

    For a vendor that provides online banking and ACH positive pay services, I would suggest starting with something standard like the Standardized Information Gathering (SIG) questionnaire or one from NIST. These will give you a broad understanding of the vendor's overall risk profile in areas such as cybersecurity, IT, data security, and privacy.

    From there, you can develop additional questions to ask the vendor, which are more specific to the product or service. Here are a few suggestions to consider:

    • Does the vendor limit the number of ACH filters or payment rules?
    • How often does the vendor perform security testing on its ACH fraud filter?
    • What types of authorization alerts does the vendor provide?
    • How often does the vendor perform security testing on its alert system?

    When developing these questions, you'll also want to consider other attributes that are unique to your organization, such as your risk appetite and your strategic goals or objectives.

    I hope these suggestions can help you get started on your own risk assessment and I'd welcome any feedback from the rest of the community.




  • 3.  RE: Risk Assessment Template Request

    Posted 04-11-2024 10:36 AM

    Thank you for your insight Christine! This was really helpful. 




  • 4.  RE: Risk Assessment Template Request

    Posted 06-06-2024 10:48 AM

    Hi Leah!

    I see Christine already satisfied your request for ACH handlers. I did see a new 2-page document from NY DFS as possible areas to add to a risk assessment questionnaire.

    The brand new resource from the NY Dept of Financial Services (May 2024) has helpful sections on Risk Assessment and Third-Party Risk Management.

    • Risk Assessment: see the top of page 4, Appendix 1 (Risk Assessment definition) and especially Appendix 3 (pages 10-11), which provides a great checklist on how you have controls to protect against risks
      • The very first is NPI 
      • I would ensure your third parties can at least answer all the items in the checklist on controls to protect NPI

    • Third Party Service Provider -- skip right to Appendix 4, TPSP (page 13), which states:
      • Confirm TPSP uses multi-factor authentication when accessing my organization's information.
      • Confirm TPSP uses encryption policies and procedures to protect nonpublic information.
      • Confirm TPSP contract includes a requirement to notify me if there is a cybersecurity incident.
      • Overall assessment that the TPSP is appropriate to provide the service, considering the type of service provided and the TPSP's position in the market (such as size, reputation, cybersecurity program [maturity]).
      • Other (describe): [_______________________________]

    • The TPSP appendix has a useful table with columns to track your third-party service providers:
      • TPSP (Name and Contact)
      • Level of Risk Posed (L, M, H)
      • Due Diligence Performed to evaluate their cybersecurity practices
      • Frequency of Assessment (based on level of risk posed)
      • Other

    See: https://www.dfs.ny.gov/system/files/documents/2024/05/Cybersecurity-Program-Template_05.2024.pdf

    Best of luck,

    Larry