Client Alert: Data Breach Highlights Importance of Bank Vendor Management
- Review and update your agreements with vendors that have access to bank customer information.
- Assess whether your vendors have adequate resources and plans in case of a data breach.
- Perform extra due diligence on vendors that have access to bank customer information.
The recent credit bureau data breach of personally identifiable information (“PII”) could potentially affect millions of consumers. If your bank has contracted with the affected credit bureau, or if one of your vendors has, some of those millions of consumers could be your customers, for whom your bank is ultimately responsible in the eyes of the regulators. This data breach should serve as an opportunity for your bank to review its agreements with vendors that have access to your customers’ PII.
Reviewing Your Agreements With Vendors Who Have PII Access
The most immediate concern for your bank is to review your current vendor agreements (and any potential new agreements) to determine:
- whether your vendor has adequate security procedures;
- whether your vendor has the resources, including adequate insurance, in case of a catastrophic data breach;
- whether your vendor and your bank have a plan in case of a data breach to protect your bank’s reputation; and
- whether your bank is properly indemnified in case of a data breach.
Although the data breach highlights these issues, they are not new, and the regulators have increasingly focused their attention on vendor data breaches. For example, earlier this year, the OCC issued new supplemental examination procedures for third-party risk management that update OCC Bulletin 2013-29, “Third Party Relationships: Risk Management Guidance.” This bulletin provided guidance to banks for assessing and managing the risks inherent throughout the life cycle of their arrangements with third parties, including by providing a framework for evaluating vendor contracts. To the extent that the 2013 bulletin has created an industry standard for third-party risk management, the 2017 supplement is also likely to inform evolving best practices in this area. This guidance directly addresses cyber-attacks and third-party security procedures.
- 2017 Supplemental Procedures: https://www.occ.treas.gov/news-issuances/bulletins/2017/bulletin-2017-7.html
- 2013 Bulletin: https://www.occ.treas.gov/news-issuances/bulletins/2013/bulletin-2013-29.html
We Can Help You
Please contact us if you are interested in discussing any issues with your vendor contracts in light of the data breach and whether your organization is compliant, or if you are contemplating entering into new material contracts or modifying existing material contracts with vendors that have access to your customers’ PII.