Sanil Nadkarni: 3 Ways to Optimize Your Vendor Risk Management Program

Sanil Nadkarni

Sanil Nadkarni is CISO & Vice President of Enterprise Security & Risk Governance with SLK Global America, Dallas, a business process management provider for the financial services industry. He has more than 14 years of core information security, fraud and risk management experience with leading Fortune 500 multinational companies. He can be reached at

Today’s financial institutions are faced with many challenges, chief among them reducing costs, improving efficiency and introducing innovation so they can be ahead of the curve. One path many prefer to take to meet these objectives is outsourcing, which has dramatically changed how businesses operate today. In fact, for most organizations, outsourcing is already a strategic initiative, and not just tactical. According to a General Services Administration report, 70 percent of companies surveyed will outsource more in the upcoming years.

As the number of service providers and vendors entering the mortgage space has grown, however, so too have new dangers. Because they manage enormous quantities of consumer data, today’s financial institutions face the growing risk of cybercrimes and malicious threats, many of which may be introduced externally from outsourcers. These threats are exacerbated by the fact that many organizations are dealing with increased margin pressure, which has led some companies and their vendors to take shortcuts when managing borrower data.

As a safety protocol, U.S. regulatory bodies have implemented new requirements to bring in tighter controls and better oversight in vendor management. According to Federal Reserve Supervision and Regulation Letter 13-19, every organization must have a risk-focused policy before outsourcing to third-party vendors. Since then, however, many organizations have struggled to develop and implement sound, effective vendor risk management policies that ensure compliance with a growing number of regulations while protecting against the rising number of sophisticated cybercriminals targeting the mortgage industry.

Below are three important steps financial institutions must implement to make sure their vendor risk management program is both robust and user-friendly.

1. Better Oversight with Continuous Monitoring

Implementing a strong oversight policy is the first step to safeguarding an organization from any form of cyber threat. This includes setting up vendor relationship management teams and classifying vendors based on their risk levels. These risk levels are determined based on the extent of access that vendors have to sensitive data and the technology infrastructure within the client organization.

Vendor relationship management teams must periodically review all high-risk vendors as well. However, it’s important to remember that point-in-time audits are outdated as soon as they’re completed, because they don’t capture subsequent changes in security policies. A cyberattack may go unnoticed until the next assessment is carried out, or until the vendor notifies the organization. By that time, a cyber attacker may have already broken into the network.

We also recommend that organizations perform enterprise security assessments, vulnerability assessments, penetration testing and software vulnerability testing throughout the relationship with a third-party service provider. Service providers should also be allowed to access the organization’s data only through a protected virtual network.

A recent PWC report found that 58 percent of companies in the financial industry that monitor third parties on an ad hoc basis experienced a third-party service disruption or data breach, compared to only 37 percent of respondents that regularly monitor third parties. Therefore, better oversight and continuous monitoring is key to a secure risk management process.

2. Partnering with a Qualified Expert

Hiring a qualified vendor risk management professional is pivotal to creating sound oversight policies. However, finding one that really works for your specific needs is like finding a needle in a haystack.

Organizations must scrutinize vendor risk management experts very carefully before deciding to partner with one. This analysis needs to consider the expert’s technologies, skillsets and length of time in the industry. When it comes to protecting data, only the most experienced providers can be counted on. The best providers have relevant certifications to show they maintain safe security environments, including ISO and GDPR certifications for information security and BCP and SSAE 18 certifications for controls, to name just a few. They also have employees who are highly trained, certified and constantly tested with surprise checks, to ensure everyone in the company shares the same values when it comes to compliance and data integrity.

When chosen carefully, qualified third-party specialists can build robust vendor management frameworks and seamless workflows as part of an extended team of the organization. They are also able to strengthen the organization’s policies with best-in-class solutions and offer these services at a lower cost than the organization could build on its own. The key is to partner with experts who understand the organization’s business values and can manage the difficult and detailed tasks meticulously, allowing the organization’s core in-house team to focus more on strategic initiatives.

3. Contractual Agreement and Regulations

It’s imperative that all contracts, privacy agreements and security obligations with vendors are reviewed periodically. Organizations might also need to personally visit (or have a representative organization visit) the vendor’s offices to observe and inspect the effectiveness of the controls that have been agreed to. They should also review the legal requirements of their own jurisdiction along with those of the host country or state of their vendors that they have outsourced their business to, and track the changes in regulations.

It is clear that compliance and regulations are here to stay, and the bar on them is being continuously raised. And yet, as more organizations outsource their business needs, many are choosing providers without conducting proper due diligence. In today’s market, there’s no shortage of small vendors and recent start-ups that focus their attention on time-based projects, many of which are untested and often never finished. Many are also woefully behind the curve when it comes to new consumer protection laws and the demand for stronger information security in our industry.

For these reasons, it is vitally important for organizations to select vendors very carefully and to adopt best practices in the area of vendor risk management. Once they do, they can enjoy a reasonable level of confidence that they will be able to manage risk optimally, stay safe and secure, and achieve their business objectives.

(Views expressed in this article do not necessarily reflect policy of the Mortgage Bankers Association, nor do they connote an MBA endorsement of a specific company, product or service. MBA NewsLink welcomes your submissions. Inquiries can be sent to Mike Sorohan, editor, at; or Michael Tucker, editorial manager, at