Vendor Management / 3rd Party Due Diligence

Security Compliance Associates (SCA) simplifies vendor management and due diligence with our Vendor Solutions cloud-based software. This user-friendly tool helps you conduct an evaluation of your institution’s arrangement with 3rd parties that process, maintain, or are granted access to non-public information. The tool will help you review whether the 3rd party service provider’s business processes include appropriate physical, administrative and technical safeguards to protect non-public information against unauthorized access or use. You can also review the controls the service provider has to ensure any sub-contractor it uses employs appropriate security measures.

SCA Vendor Solutions is available through a yearly license subscription. There is nothing to install on your network, making deployment and on-boarding quick and easy! Actual data input and vendor management is completed by the financial institution. As an option, SCA will manage some, or all, of your vendors for you!

Due diligence will include, as appropriate:

  • A background evaluation consisting of verification of recent references appropriate to the job the service provider proposes to perform
  • A check of local Better Business Bureau complaint files
  • A check of Federal Trade Commission complaint files
  • A review of the service provider’s years of experience and an evaluation of the qualifications of its key employees
  • A review of the service provider’s insurance and bonding coverage, including errors, omissions, property, casualty, information losses, dishonesty or fraud
  • A risk rating for each service provider based on the criticality, access to non-public information, and security measures the vendor has in place
  • A review and assessment of the service provider’s SSAE 16 or equivalent

Review of your contracts with service providers will determine if the contracts contain:

  • Acceptable confidentiality and non-disclosure provisions
  • A requirement that the 3rd party service provider comply with all applicable state and federal privacy and information security laws and regulations
  • A requirement that the service provider take appropriate action to address incidents of unauthorized access to the institution’s member or customer information
  • A requirement that the service provider disclose breaches in security resulting in unauthorized access to non-public information or to systems where the information is maintained