1 min read

Outsourcing IT

Vance Monical : Aug 26, 2022

Vendor Management Governance Banks IT Outsourcing 3rd party Third-Party
Outsourcing IT

OutsourcingIT

It’s common practice for financial institutions to outsource some or all of their Information Technology (IT) functions to a Managed Service Provider (MSP) to gain access to higher levels of expertise and reduced staffing costs.

In most circumstances, it simply doesn’t make business sense to maintain the level of internal staff necessary to keep up with the requirements of a 21st-century organization. This is where MSPs can help fill the technological gap between small and large financial institutions.

Yes, cost is always an important factor, but I would like to take a moment to highlight the significance of completing appropriate third-party due diligence before signing on the bottom line.

It is important to have a solid third-party management program in place to identify and manage risk posed by outsourced or contracted services. Outsourcing does not relieve the organization of the risk, but it does change the way we manage it.

  • Start with a risk assessment to assess how much access (direct or indirect) the MSP will have to client data and their involvement in critical operations. Oftentimes, an MSP will have 24/7 access to their client’s network resulting in a “High” or “Critical” rating.

  • Perform risk-based vendor due diligence. This simply means that higher rated third parties such as an MSP should be subject to enhanced scrutiny from a contract and security control perspective.

  • Request and follow up with references of organizations similar to your size and complexity. There is no “one size fits all” MSP which is why it is important to ensure they understand your business requirements.

Financial Institutions operate in arguably, the most heavily regulated industry in the world. This means that we should maintain high expectations for our partners, particularly those that store or have access to client data.

Bedel Security assists many of our clients with this process and we would be happy to discuss options to enhance your program. Send us an email at support@bedelsecurity.com to learn more.

 

Additional Resources:

The Virtual CISO Whitepaper
https://www.bedelsecurity.com/the-virtual-ciso-whitepaper

Assessing Risk: Outsourced Service Providers
https://www.bedelsecurity.com/blog/assessing-risk-outsourced-service-providers

Independent Collaboration Part 2: A Framework for Outsourcing IT in Financial Institutions
https://www.bedelsecurity.com/blog/independent-collaboration-part-2-a-framework-for-outsourcing-it-in-financial-institutions
Reviewing the New Interagency Third-Party Risk Management Guidance

Reviewing the New Interagency Third-Party Risk Management Guidance

Brian Petzold : Jun 9, 2023

On June 6th, the Federal Reserve, FDIC, and OCC released new interagency guidance on third-party risk management. The new guidance, based on existing...

Regulation Vendor Management Banks Credit Unions 3rd party Third-Party OCC FDIC
Read More
Helping Board Members Sleep at Night

Helping Board Members Sleep at Night

Brian Petzold : Jul 14, 2023

Banks Board of Directors 3rd party Third-Party
Read More
Addressing the MOVEit Vulnerability: Actions for Financial Institutions

Addressing the MOVEit Vulnerability: Actions for Financial Institutions

Trisha Durkin : Jun 23, 2023

Financial institutions rely on numerous third-party providers to support their operations and deliver essential services. However, these partnerships...

Risk Threats Banks Access Access & Authentication 3rd party Third-Party
Read More