Does Your Vendor Risk Management Comply with FFIEC Updates?

The FFIEC recently updated its landmark Information Security (IS) Booklet, which provides guidance for organizations’ Information Security Program and Risk Management processes. The update was intended to bring additional focus to IT risk management as well as update information security processes. One area of increased scrutiny is third party risk management.

Analyst firm Gartner predicts that by 2019, 50% of the external services and solution spend of global 2000 companies will be through less than 10 strategic vendors.* That’s putting a lot of risk in one basket, especially if you don’t know your vendors as well as you should.

This heavy reliance on third parties begs the question: How certain are you that your vendor risk management program is aligned with FFIEC guidance?

The FFIEC recommends that third-party contracts should do the following:

  • Include minimum control and reporting requirements.
  • Provide for the right to require changes to standards as external and internal environments change.
  • Specify that the institution or an independent auditor has access to the service provider to perform evaluations of the service provider’s performance against the Information Security Standards.

Risk is shared across organizations and their vendors, with potentially damaging consequences, as the Yahoo and Target breaches have shown. In fact, the FFIEC states that “outsourcing does not change the regulatory expectations for an effective information security program.”

Learn more about how to get your vendor risk management program on the right track. Rsam is hosting a webinar, featuring Gartner analyst Christopher Ambrose on Wednesday, Oct 19 at 2:30PM ET. Webinar registration.

* Gartner, “Predicts 2016: IT Vendor Ecosystems Must be Re-evaluated Based on Agility, Collaboration and Risk,” published 09 December 2015, ID G00293390. Analysts: Christopher Ambrose, Kris Doering, Joanne Spencer, Edward Weinstein.