It’s common practice for financial institutions to outsource some or all of their Information Technology (IT) functions to a Managed Service Provider (MSP) to gain access to higher levels of expertise and to reduce staffing costs.
In most circumstances, it simply doesn’t make business sense to maintain the level of internal staff necessary to keep up with the requirements of a 21st-century organization. This is where MSPs can help fill the technological gap between small and large financial institutions.
Yes, cost is always an important factor, but I would like to take a moment to highlight the significance of completing appropriate third-party due diligence before signing on the bottom line.
It is important to have a solid third-party management program in place to identify and manage risk posed by outsourced or contracted services. Outsourcing does not relieve the organization of the risk, but it does change the way we manage it.
- Start with a risk assessment to determine how much access (direct or indirect) the MSP will have to client data and how involved it will be in critical operations. Oftentimes, an MSP will have 24/7 access to its client’s network, resulting in a “High” or “Critical” rating.
- Perform risk-based vendor due diligence. This simply means that higher-rated third parties, such as an MSP, should be subject to enhanced scrutiny from a contract and security control perspective.
- Request and follow up with references from organizations similar to yours in size and complexity. There is no “one size fits all” MSP, which is why it is important to ensure they understand your business requirements.
Financial institutions operate in arguably the most heavily regulated industry in the world. This means that we should maintain high expectations for our partners, particularly those that store or have access to client data.
Bedel Security assists many of our clients with this process and we would be happy to discuss options to enhance your program. Send us an email at support@bedelsecurity.com to learn more.
Additional Resources:
The Virtual CISO Whitepaper
https://www.bedelsecurity.com/the-virtual-ciso-whitepaper
Assessing Risk: Outsourced Service Providers
https://www.bedelsecurity.com/blog/assessing-risk-outsourced-service-providers
Independent Collaboration Part 2: A Framework for Outsourcing IT in Financial Institutions
https://www.bedelsecurity.com/blog/independent-collaboration-part-2-a-framework-for-outsourcing-it-in-financial-institutions