OCC Guidance: Ongoing Monitoring & Third-Party Risk Management

Melissa Stevens | December 19, 2013

In October, the Office of the Comptroller of the Currency (OCC) issued new guidance for banks regarding third-party risk management, citing as one of its reasons for issuing the guidelines a failure by banks "to perform adequate due diligence and ongoing monitoring of third-party relationships." Current means of assessing third-party security risk include annual audits and questionnaires, tools that are useful but which fail to provide the continuous, evidence-based assessments banks need to truly understand their vendor risk, especially when it comes to security risk management.

OCC Recommends Ongoing Monitoring for Third Party Risk Management

The OCC suggests that banks need to apply more resources toward evaluating the information security posture of their vendors. Specifically, it recommends that banks: "Determine whether the third party has sufficient experience in identifying, assessing, and mitigating known and emerging threats and vulnerabilities," and "Evaluate the third party's ability to implement effective and sustainable corrective actions to address deficiencies...."

These recommendations may seem obvious, but recent studies have shown that many organizations (not just banks) fail to assess the security posture of their vendors before outsourcing data. The increase in data breaches suggests that current annual assessment methods do not provide enough visibility into the changing risks in third-party networks to allow for proactive remediation. Ponemon states that the top error organizations make when outsourcing consumer data is not applying the same level of rigor to information security in vendor networks as they do in their own. With that in mind, the OCC's recommendation that banks apply more stringent practices and monitor third-party security risk on a continual basis makes perfect sense. While many large financial institutions, some of which are BitSight customers, have already been following this advice, we hope to see the OCC's guidance promote better third-party risk management across the financial services industry.
