Here’s a scenario that should haunt the dreams of every community financial institution executive: someone has breached your security system and leaked the information for hundreds, or even thousands of account holders.
If Facebook is any measure, a breach can happen to any company, regardless of size, or technological prowess. When news broke that Cambridge Analytica had accessed the information for millions of Facebook users without their consent, the public and Congress took notice.
The whole fiasco begs the question: if Facebook had performed thorough due diligence on Cambridge Analytica before it gave them access to their platform, would they have averted the entire scandal? Hard to say for sure. However, it’s definitely made everyone here at Kasasa thankful for the rigorous due diligence process that our third-party vendors must undergo.
In fact, we spoke with Diane Christensen, AAP, our Senior Finance Project Manager and point person for all things “due diligence,” to learn what questions she asks vendors before any paperwork is signed.
- Will the vendor have access to ANY non-public information — either Kasasa’s, our clients’, or consumers’? Under current regulations, even a personal email address classifies as “non-public information” that must be protected (business emails are exempt from this designation).
- Will the vendor have access to any of our code, or our system?
If they have access to the code, can they write a backdoor? Does that system give them access to our databases?
- If the company suddenly went out of business, could it cause us to suffer a reputational or financial loss?
If the answer to any of these three questions is “yes” then your next step should be to perform a thorough due diligence process. And eventually, the answer to one, or all, of these questions will be “yes.”
Some institutions have outsourced the due diligence process to yet another vendor, which can be a wise move considering the amount of time and expertise required to investigate multiple vendors successfully.
And according to Diane, smaller institutions rely on a dynamic that counter-intuitively puts them at higher risk: trusting to relationships at the cost of due diligence. For instance, the CEO may have a long-time working relationship with somebody at a local IT consulting firm, and he may approve a contract on the strength of that connection, without requiring due diligence.
The issue with this scenario isn’t a “lack of paranoia,” but a failure to adhere to the Russian proverb (popularized by Ronald Reagan): “Trust, but verify.”
By performing due diligence on a vendor you are not only seeking to eliminate unqualified partners but to give yourself the information and resources to plan contingencies and measure risk. Asking the right questions at the outset can save you a lot of headache on the backend. Just ask Mark Zuckerberg.