It’s a mistake we see surprisingly often. An FI will have a policy that includes a handful of factors for identifying a critical vendor—and each factor holds the same weight. If a vendor checks just one of those boxes, they are automatically considered a critical vendor.
This may seem like a smart, simple way to identify critical vendors, but it’s actually an error that can cause a financial institution to misdirect vendor management resources to a vendor that isn’t necessarily critical.
Consider a policy that includes these three factors to identify critical vendors:
1. Unsupervised access to data. A vendor that has access to sensitive data is a critical vendor regardless of whether that access is “supervised.” Even if a vendor’s access is limited or monitored, the data can still be exposed or misused while the vendor holds it. Whether access is supervised shouldn’t be a factor in identifying critical vendors; the access itself is what matters.
2. Annual cost. Cost alone isn’t grounds for identifying a critical vendor. While there are critical vendors that require significant investments (we’re looking at you, core processors), others are expensive but not critical. For example, if an FI is building a branch, it will hire a construction company. That construction company will be one of the most expensive vendors in the FI’s budget, but it’s not really a critical vendor requiring the analysis of a SOC 2 report or the company’s financial condition. The worst-case scenario is that the branch won’t be built. It’s not an ideal outcome, but it won’t be fatal for the bank.
3. Reputation. Some FIs want to believe that if they work with a large, long-established vendor with a sterling reputation, nothing could possibly go wrong. As a result, large vendors with good reputations are considered lower risk. These FIs are taking a big leap of faith that bigger means better.
As we’ve learned from Equifax, Jack Henry, Fiserv, and others, large vendors can experience disruptions and data breaches. Big companies can make for big targets. Size and reputation shouldn’t give a company a pass when it comes to being evaluated as a critical vendor.
The next time your FI answers pre-exam questions about vendor management, make sure you’ve read through your vendor management policie