Vendor Management: An Increasingly Critical Issue in Financial Services

June 04, 2021by Smarsh


Pop quiz: what motivates data breaches? Money? Espionage? A disgruntled employee? A competitor looking for an edge? Something else entirely?

As it turns out, according to a data breach report by Verizon, 71% of data breach cases were financially driven, whereas only 21% were the result of corporate espionage. Think about it: financial institutions deal with huge datasets related to an individual’s personal finances, which makes that data quite lucrative for a criminal to acquire and sell.

Here’s the catch: in the digital age, that personal information can live in a huge variety of places, especially as financial institutions increasingly rely on third-party vendor partners to streamline their capabilities and enhance their efficiencies.

This is why vendor risk management is more important for financial institutions than ever.


How Secure is Your Financial Organization?

First, you need to answer the basic question: how secure is your financial organization? The problem, as you’ll soon discover, is that assessing the security of your organization is more complicated than it sounds.

In this day and age, assessing your organization doesn’t actually end with your organization. All of your third-party vendors with access to sensitive financial information play an equal role in ensuring the security of that data. And if they’re not doing their part, or if their security is much weaker than yours, it doesn’t matter how strong your organization’s protections are. That vendor’s poor risk management practices leave you wide open.

Of course, there may also be critical weaknesses within your risk management program itself, which translates to risk management deficits within your whole organization. Some common weaknesses in financial institutions’ vendor risk management include:

  • Insufficient oversight

  • Lack of specificity regarding security practices and risk response

  • Vague or nonexistent outsourcing policies

  • Inadequate or nonexistent disaster recovery tests

  • Insufficient review of the vendor’s risk management practices

  • Risk management assessments performed by untrained personnel

As you can see, many of these issues arise in two areas: poorly written contracts spelling out your risk management agreement with your third-party vendor, and mismanagement by employees who are not trained to assess risk.

Oh, and your program has to successfully monitor your third-party vendors just as much as you manage risk in your own organization. The catch is that they’re not actually part of your organization, and it’s unlikely that they’re your only third-party vendor.

In short? There are complications in a dozen different directions, but the net result is the same: if you don’t understand risk management practices, and you don’t know what your vendors are doing, you’re not managing your organizational risk successfully. And that can have serious penalties.


The Risk Management Life Cycle for Financial Organizations

A good place to start is to understand the risk management life cycle for financial organizations. This still gives you a bird’s eye view of the situation, but as a process guidance tool, it gives you a good sense of where you’re headed.

Broadly speaking, the risk management life cycle consists of six parts:

  1. Planning

  2. Due diligence

  3. Contract negotiation

  4. Termination

  5. Oversight and accountability

  6. Periodic independent review

To put it in simple terms, you start out by creating a plan to manage your vendor relationship. This is especially important if your relationship involves critical activities. From there, you perform due diligence on your potential third-party vendor, which helps ensure that you select an appropriate partner in terms of your risk appetite.

Next is contract negotiation, which is critical to getting off on the right foot. Your contract is how you spell out the terms of your risk management agreement, and without specific terms, you won’t have a clear understanding.

You may not terminate a relationship right away, but you still need a contingency plan for a transition. Maybe you switch to a new vendor, or you reach the end of your contract, or you decide to move those outsourced activities in-house. Whatever the reason, you need to have a plan in place to ensure this process happens smoothly.

The last two points are part of your ongoing relationship with the vendor, which is why they have to be planned in advance. Appointing roles and responsibilities for oversight ensures that you know what to expect and how to allot resources. Independent reviews are part of this oversight process, and they relate closely to documentation.


Why You Need to Go Beyond Regulatory Compliance

Those are your basic responsibilities under regulatory compliance. In reality, you have to go much deeper than this.

Regulatory compliance is simply the tip of the iceberg. But if you want to truly mitigate risk, you have to go beyond the basic steps required to remain compliant. Remember, risk is ongoing, and there’s a large margin of error between the bare minimum to stay compliant and mitigation of risky activity.


Third-Party Risk Assessments as a Way to Continuously Monitor Risk

The best way to think of third-party risk assessments is not as an annual checklist. That leaves you a huge margin of error between assessments and a great deal of risk exposure in the interim.

Instead, think of third-party risk assessments as a way to continuously monitor risk.

This goes well above and beyond your manual checklist. Truly successful third-party risk management is data-driven and centralized, allowing financial institutions like yours to see the whole picture and make informed decisions in real time.

But in order to do that, you have to have the right tools for the job.


We Make Risk Management Easy

Continuous third-party risk assessment isn’t easy, but it gets that much easier when you have tools to simplify the process. That way, instead of chasing small details, you can see the whole landscape at once.

That’s where we come in, with third-party risk management software designed to take the headache out of risk management. We built our system around integrated industry-standard frameworks, as well as your unique questionnaires. From there, you get a collection of high-powered tools that make it easy to assign assessments, score your performance, and manage vendor access in one easy dashboard.

Ready to take a smarter approach to risk? Then get in touch today to schedule a demo.
