Regulation & Compliance

OCC Guidance: Ongoing Monitoring & Third-Party Risk Management

Melissa Stevens | December 19, 2013

In October, the Office of the Comptroller of Currency (OCC) issued new guidance for banks regarding third party risk management, listing one of their reasons for issuing these guidelines as failure by the banks "to perform adequate due diligence and ongoing monitoring of third-party relationships." Current means of assessing third party security risk include annual audits and questionnaires, tools that are useful but which fail to provide the continuous, evidence-based assessments banks need to truly understand their vendor risk, especially when it comes to security risk management.

OCC Recommends Ongoing Monitoring for Third Party Risk ManagementThe OCC suggests that banks need to apply more resources towards evaluating the information security posture of their vendors. Specifically, it recommends that banks: "Determine whether the third party has sufficient experience in identifying, assessing, and mitigating known and emerging threats and vulnerabilities," and "Evaluate the third party’s ability to implement effective and sustainable corrective actions to address deficiencies...."  

These recommendations may seem obvious, but recent studies have shown that many organizations (not just banks) fail to assess the security posture of their vendors before outsourcing data. The increase in data breaches suggests that current annual assessment methods do not provide enough visibility into the changing risks in third party networks to allow for proactive remediation. Ponemon states that the top error organizations make when outsourcing consumer data is not applying the same level of rigor to information security in vendor networks as they do in their own.  With that in mind, the OCC's recommendation to banks that they apply more stringent practices and monitor third party security risk on a continual basis makes perfect sense.  While many large financial institutions, some of which include BitSight customers, have already been following this advice, we hope to see OCC's guidance promote better third party risk management across the financial services industry.


Suggested Posts

GDPR Shows Its Teeth, Goes After Breached Companies

In 2018, the European Union (EU) General Data Protection Regulation (GDPR) heralded in the most important change in data privacy regulation in 20 years.

Far reaching in its applicability, GDPR extends well beyond Europe and affects any...


NERC CIP-013-1: Effective Date, Preparation Strategies, & Impact

The North American Electric Reliability Corporation (NERC) has developed a new set of cybersecurity standards designed to help power and utility (P&U) companies limit their exposure to third-party cyber risks and preserve the reliability...


Is Your Risk Management Program Ready for the New European Banking Authority’s Guidelines?

In June 2018, the European Banking Authority (EBA) put forth guidelines on outsourcing arrangements that highlighted the importance of risk management within financial organizations. The notice of these guidelines was announced in June...


Subscribe to get security news and updates in your inbox.