
SolarWinds Breach


ON THE TOPIC OF CYBERSECURITY: What Are You Doing to Secure Your Data?

You may be aware of a major and widely publicized cybersecurity breach involving SolarWinds software, which is used by over 300,000 customers, including U.S. government agencies and most of the U.S. Fortune 500 companies. Threat actors, believed to be from Russia, inserted malicious code into SolarWinds software to gain access to confidential information of SolarWinds’ customers.


Because legitimate SolarWinds technology was leveraged to compromise its customers’ infrastructure, the incident was labelled a “supply chain attack.” The successful attacks tied to SolarWinds combined the compromised SolarWinds components with stealthy movement inside the victims’ network environments in order to access and extract confidential information.

While known indicators of compromise have been released, there was no “quick fix” to fully identify and recover from these attacks, because the threat actors effectively had an “open door” deep in the victims’ networks, potentially dating as far back as March 2020. The follow-up activities are specific to each impacted organization.

While we do not yet know the full impact of the attack, banking institutions need to think through cybersecurity risk management. It could be tempting to dismiss doing anything about cybersecurity: after all, the U.S. Treasury, the Departments of Homeland Security, State, Defense, and Commerce, and big security companies like Microsoft and FireEye were compromised—so what could your financial institution do to prevent the risk of cyber-attacks if these giants were unable to do so?

First and foremost, if your organization, or the managed IT service provider supporting your organization, is using SolarWinds, you may need to perform a comprehensive security risk assessment in order to fully understand the potential exposure. The backdoor was activated for only a few organizations, but if the compromised SolarWinds components were installed, it will be necessary to look through logs for the indicators of compromise that have been released.

Supply chain security is not something most organizations have the resources to implement, which is why it is important to focus on detective controls and look for anomalous behavior. It is never too late to become more proactive about your cybersecurity posture, and this is an opportunity to get your organization in gear to begin defending against more advanced threats.


It is important to emphasize that most financial institutions need to implement pragmatic security measures based on their threat model. Different threat actors have different motivations, techniques, and capabilities. Your IT service provider should design its assessment and planning process around a capability-based maturity model, which helps you determine the control levels needed for your organization’s threat model.

By assessing your cyber risk and prioritizing remediation activities based on real-world threats, your provider can help your organization build a strong, resilient, and cost-effective information security program.

Dean Dorton Cybersecurity offers a comprehensive portfolio of services designed to meet all your organization’s information security needs, from understanding your information security posture, building and maintaining an effective information security program, to responding to incidents.

To learn more about Dean Dorton Cybersecurity, visit deandorton.com/cybersecurity.

KBA ENDORSED VENDOR: The True Cost of Contract Management

by Michael Berman, Founder & CEO, Ncontracts

Keeping a lid on expenses is a top concern for banks, credit unions, and other financial service companies. Is your institution overlooking a prime opportunity to improve efficiency and better control costs?

Poor contract management costs American companies billions of dollars every year. Experts estimate that failing to properly manage contracts and engage in vendor risk management can impact the bottom line by as much as 9 percent of annual revenue. Another study, from the research group Aberdeen, estimates collective losses of around $153 billion annually.

What Is Contract Management?

Contract management is the process a financial institution uses to organize and oversee third-party vendor contracts and agreements. A good contract management system creates value by ensuring contracts are accessible, tracking key dates, and making it easy to identify important contract terms, including cost and performance expectations.

Many financial institutions rely on manual and uncoordinated contract management processes. Contracts are stored in desk drawers, filing cabinets, or personal hard drives instead of a centralized location, making them difficult to retrieve and review. Contracts can be lost when the person who filed them forgets where they were put, or leaves the company. They can be damaged or destroyed in a fire, flood, or other disaster. The contract may be at one company location when it’s needed at another, or needed by someone working from home.

As a result, employees responsible for monitoring vendor performance (including IT, compliance, and accounting) don’t have all the data they need. This includes contract information relating to:

• Nature and scope of the arrangement
• Pricing
• Performance measures, benchmarks, and reporting
• Audit and remediation
• Compliance and complaint management
• Data security
• Liability, dispute resolution, and termination
• Business continuity and resiliency
• Subcontracting

More than a simple document, a third-party vendor contract serves as a blueprint for the entire relationship. It contains the basic building blocks needed for vendor management, a regulatory requirement for banks and credit unions. Vendor management is the process of identifying, measuring, monitoring, and controlling the risk of third-party vendor relationships. This includes vendor risk assessment, vendor due diligence, contract structuring and review, and oversight.

Why Mismanaging Contracts Is Expensive

From cost and performance impacts to compliance risks, poor contract management can hurt a financial institution’s bottom line in many ways.

• Contract creation, routing, filing, and retrieval all take unnecessary time and trouble.
• Amendments and other changes aren’t attached to the original contract, leaving the impression that the original contract is complete and current.
• Off-contract buying can happen because the relationship isn’t documented. It’s usually at a higher price than was negotiated, and it can invalidate lucrative contracts with important suppliers.
• When there is no previous contract to draw on or refer to, sourcing and sales cycles are longer because document drafting and approvals take longer. The contract ultimately negotiated may be uncompetitive or even risky because well-crafted terms used in the past (prices, protective clauses, restrictions, and penalties) aren’t included.
• If those charged with monitoring a vendor’s performance aren’t aware of contract stipulations and service level agreements (SLAs), the vendor may fall short.
• Regulators make no distinction between the actions of a financial institution and the actions of a vendor working on the institution’s behalf. If financial institutions can’t access contracts, they can’t monitor performance.
• Rebates and discounts may be unclaimed or lost.
• Inadvertent renewals (auto-renewals) may prolong an unprofitable relationship or cause an institution to miss an opportunity to negotiate better rates or terms.
• Inadvertent terminations may cause an institution to incur fees, spend significant time reinstating the agreement, or find itself suddenly unable to provide a product or service.
• Sarbanes-Oxley (SOX) makes executives at publicly traded companies attest to the company’s adherence to contract terms. They are putting themselves and their companies at risk if they don’t have access to the contracts.
• Duplicate vendors result in overpayment for goods and services.
• Regulatory requirements for vendor management go unmet because of missing information.

Any one of these oversights can cost a financial institution. Put several of them together and the cost of poor contract management really starts to add up.

Four Tips for Better Contract Management

While poor contract management is expensive, good contract management helps an institution save a great deal of money with minimal expense. Here are four ways to improve your contract management.

1. Store contracts in a secure, centralized location. Make sure all your contracts are stored in one centralized location, giving employees access to the most up-to-date vendor agreements and information. Consider cloud storage as a solution. Cloud storage provides extra layers of security by storing your contract information off-site and online, making it possible for staff to access contracts regardless of location. Restricting access to data is also easier because many standard cloud storage security protocols require permission-based logins.

2. Identify key dates and provisions. When it comes to critical vendor contracts, invest the time to identify key dates (like renewals and expirations) and provisions (pricing, performance expectations, compliance controls, etc.). This lets you know when action is needed and gives your vendor management team the information it needs to effectively manage the vendor relationship.

3. Use proactive task management tools. Reminders are an essential part of contract management, but not every reminder is built the same. Calendar alerts are great when setting an appointment, but when it comes to reminding the institution of a pending contract expiration, they are a high-risk gambit. Staff turnover is a prime cause of missed calendar alerts on long-term contracts, and there is always the possibility that contract calendar alerts are overlooked or deleted.

Spreadsheets are also a common tool at financial institutions, but they aren’t the best fit for contract management. Spreadsheets can’t proactively alert you to action items. Spreadsheets can be lost, deleted, or corrupted. You can end up with multiple versions when staff download or make a copy of the spreadsheet, or they can also be overwritten. It’s a classic case of a so-called “free” tool costing more than you think. Find a contract management solution that proactively alerts the institution of contract deadlines and makes it easy to document activity.

4. Provide adequate oversight tools. Escalated notifications, incident tracking, extensive reporting, and dashboards allow senior management to spend less time on contract management while giving them deeper insights.

Good contract management has many benefits, including the ability to fully realize contractual discounts and rebates, better manage regulatory compliance, and save on administrative costs. Have you considered what your current contract management practices are costing your institution? Don’t wait for a contract management mistake to find out.

Michael Berman is the founder and CEO of Ncontracts, a leading provider of risk management solutions. His extensive background in legal and regulatory matters has afforded him unique insights into solving operational risk management challenges and drives Ncontracts’ mission to efficiently and effectively manage operational risk.

FOR MORE INFORMATION CONTACT: Selina Parrish, Director of Membership, sparrish@kybanks.com

Testimonial

“Without Ncontracts’ executive summaries that are being provided, I can’t imagine coming up with the time to thoroughly review annual reports ranging from SOC/SSAE reviews, audited financials, business continuity plans and reviews, and determining how well our vendors have performed. It would be overwhelming!”

Mr. Jonas Billingsley, Vendor Management, German American Bank, Owensboro
