Why Regional Bank Compliance Requires SOC 2 Vendor Management

by John Allegro | 01, 19, 2021
SOC 2 Vendor Management

As technological advances break their way into financial institutions, a need for enhanced security protocols has surfaced. Businesses and clients alike need a way to verify that the information they collect and provide is being stored and accessed securely to prevent data breaches like the ones that took place at Capital One, Equifax and First American Financial.

A need for a standardized approach to information security has resulted in a provider auditing methodology called SOC 2. By requiring vendors to follow a framework for data security and obtaining SOC 2 Attestation, financial institutions have a concise way to verify that the vendors that have access to protected information in any form are following structured guidelines for handling that data.

If you are a bank storing the personally identifiable information (PII) of your accounts and clients, and you have vendors that provide services around that data, SOC 2 compliance should be on your radar. While financial institutions themselves do not need to be SOC 2 compliant, the vendors they utilize should be.

Let’s take a look at what goes into SOC 2 compliance, why your vendors should be compliant and how vendor non-compliance can impact your bank.

What Goes Into SOC 2 Compliance

SOC 2 was developed by the American Institute of CPAs (AICPA) and has to do with how confidential client data is managed. The criteria for verifying SOC 2 compliance consists of five pillars, known as the five Trust Service Principles. These five pillars – security, availability, processing integrity, confidentiality and privacy – each have certain requirements that must be met to obtain a certificate of compliance.

Vendors must review each pillar and define its controls around the categories that pertain to their specific business processes. Their responses to each category of compliance must be well documented and put into a system description that independent auditors will then review for validity and adherence. While all five principles may not be applicable to all SaaS and IT vendors, security and confidentiality pillars are fundamental if they’re working with financial institutions, as these would typically be relevant to most services provided.

Vendors that provide services for banks and other finance companies need to be sure that they pay special attention to electronic record retention, the time threshold for which information is held, and the specific types of information that are stored.

Why Your Vendors Should be SOC 2 Compliant

Being selective about vendors, especially IT managed service providers and Software-as-a-Service (SaaS) companies, shows your clients that you value their security and the protection of their personal data. It shows that although you may not be storing confidential data within your own infrastructure, you aren’t allowing client data to be handled by just anyone.

Maintaining SOC 2 compliance takes time and money, and service providers that take the time to do so prove that they take security seriously. This is no easy task; it demonstrates that an independent auditing firm has verified that the business processes and systems in play by service providers hold up to the stringent guidelines of the attestation.

How Vendor Non-Compliance Can Impact Your Bank

Vendors that don’t take the time and effort to become SOC 2 compliant pose a significant burden and additional risk to your bank and every client who chooses to do business with you. It shifts the risk of vendor process and policy review and adherence validation to the bank’s compliance department rather than a third party whose efforts are paid for by the vendor and attested to under strict guidelines and controls.

Banking institutions were the target of 47% of all data breaches in 2017. If that were not troubling enough, the average cost of a security breach is $3.92 million, and that number rises to over $18 million in the banking sector. With statistics like that, banks cannot afford to trust their critical business data to vendors that don’t take security seriously.

Are You in Need of Compliance Support?

Falling victim to a data breach can ruin the reputation of your bank in the blink of an eye. Trusting critical data to vendors that are compliant with SOC 2 policies is the best way to safeguard your business, clients and reputation from harm in a catastrophic event.

BBH is a New York City-based managed service provider that specializes in compliance support services. As a SOC 2 certified service provider, we understand the importance of utilizing the most stringent processes, procedures and security guidelines when handling client information.

Whether you opt for our Compliance Support Services offering or bundle it as a part of our full managed services package, our team of experts is committed to providing best-in-class support for all of your IT and compliance needs.

If you have questions regarding the status of your bank’s security and compliance posture, download a copy of our IT Audit Remediation Plan to see how you stack up against the competition.


Get the IT Audit Remediation Plan