
The What, Why, and How of Complementary User Entity Controls


Reviewing Complementary User Entity Controls (CUECs) is an important part of any financial institution’s third-party management program. However, we often see many institutions either not performing or not documenting these reviews. Let’s break down the What, Why, and How of performing this review.

What?

SOC reports are meant to provide assurance that our third-party partners have the expected controls in place and that those controls are adequate. However, looking only at the third party’s own controls does not give the complete picture; there are also controls which the financial institution is responsible for implementing. Those are the CUECs.

CUECs are listed in SOC 1, SOC 2, or SOC 3 reports, typically identified as such, and included for institutions to review. It is the financial institution’s responsibility to verify that each CUEC is in place within its own environment and, if one is not, to develop a plan to implement it.

Some examples of CUECs:

  • User entities must send data in an encrypted manner.
  • User entities must monitor and update their own antivirus definition updates and security patches.
  • User entities must notify the service organization of physical access changes.

Why?

CUECs are meant to “complement” the controls that exist at the third party. Third-party controls are a shared responsibility, and the CUECs are the financial institution’s responsibility to implement and to include as part of the periodic review of the third-party relationship. If financial institutions do not appropriately implement the required CUECs defined by the third party, then the third party may not be able to meet its control objectives. These CUECs may look daunting when all listed out; however, they are normally relatively easy to review and to confirm as implemented.

How?

The business owner of the vendor relationship is normally the best person to determine whether the CUECs are in place. However, if the CUECs are more technical in nature, the IT Department or IT provider should be involved in the discussion. CUECs should be included as part of your third-party due diligence, along with a documented review of compliance.

Don’t let CUECs scare you. Bedel Security assists our clients in managing Third Party Risks. We would be happy to review your program and provide feedback as appropriate. Send us an email at support@bedelsecurity.com to learn more.