How Whistic Helps Financial Services Organizations with Third Party Risk Management

June 26, 2018

When it comes to managing finances — whether your firm is a bank, credit union, broker-dealer, investment adviser, investment company, asset management firm, or any other type of B2C or B2B business — managing risk and being proactive with security safeguards is not an option, it’s a requirement. As an InfoSec executive, you are responsible not only for keeping data safe, but also maximizing your employees’ time so they’re focused on growing your services business and gaining trust from prospective customers while also keeping the trust of current clients.

The Office of the Comptroller of the Currency (OCC) is concerned that the quality of risk management over third-party relationships may not be keeping pace with the level of risk and complexity of these relationships. A well-known OCC Bulletin regarding Risk Management states that, “Organizations must identify risks from third-party access, impose minimum cybersecurity practices for vendors, and perform due diligence in evaluating vendors.” To address this, the OCC advises that banks adopt risk management processes commensurate with the level of risk and complexity of their third-party relationships.

As your financial services firm works with third party vendors, you’re putting important data in the hands of another organization that may not have the same safeguards that you’ve diligently put into place. That means assessing your vendors and performing vendor security reviews, as the OCC alludes to, is incredibly important: it is how you determine their security posture, ensure no data is compromised, and give your clients peace of mind — a rarity in today’s world of constant news of cybersecurity breaches. Whistic’s vendor assessment platform assists any bank, credit union, broker-dealer, investment adviser, investment company, or asset management firm in protecting against vendor risk by identifying, assessing, and tracking vendors through their lifecycle. Here’s a glimpse into how it works:

  • Identify: Your InfoSec and Compliance team can make more informed risk decisions by using a custom Whistic intake form or API integration to gather vendor information from internal stakeholders before a purchase is made. Use the platform on an ongoing basis to identify risks that arise at contract renewal or throughout the lifecycle of your vendor relationship — or turn on an integration via Whistic to continuously monitor your third party vendor relationships.
  • Assess: Your financial services organization can discover potential cybersecurity threats before they have the chance to compromise your data and employees, and you can compare third parties against a set of predefined criteria by reviewing industry-standard or custom vendor questionnaires, documentation and metadata on an ongoing basis. Leverage a robust review workflow or opt for a more streamlined approach. With either choice, you can be up and running with Whistic in weeks, not months.
  • Track: Whistic allows you to centralize your vendor security information into a single source of truth so your InfoSec team can say goodbye to the painstaking manual, back-and-forth vendor assessment routine and adopt a dynamic, automated process. Store third-party vendor documentation, assessment details, past issues, contract information, contacts and any other custom data you’d like to track in an intuitive and easy to use interface. Report on all of this information through a robust custom reporting suite designed to help you unlock insights previously trapped in spreadsheets.

How Financial Services Can Benefit From a Whistic Security Profile

One unique cornerstone feature of the Whistic platform is the Security Profile, which is especially helpful for financial services organizations that are highly regulated and compliance-driven. The Security Profile is not just a storage unit for security and compliance documentation, but a living, breathing record of your company’s security and compliance posture that you can use to respond to inbound security reviews from your customers or prospects. With Whistic’s vendor assessment platform, you can now conduct security reviews (traditional vendor risk management) and respond to security reviews in the same platform. This holistic approach to both sides of the vendor risk assessment is setting a new standard for how third party vendor assessments will be completed in the future.

The SEC and Vendor Risk Management for Financial Services

Thanks to the influx of cybersecurity breaches in recent years, the SEC is more tuned in to financial services than ever before — and you can bet that they’ll only increase their scrutiny. A major focus area is how companies execute vendor risk management programs. In a recent article, the SEC shares how its staff sought to better understand how firms managed their cybersecurity preparedness by focusing on the following areas: (1) governance and risk assessment; (2) access rights and controls; (3) data loss prevention; (4) vendor management; (5) training; and (6) incident response.

Whistic is specifically built for InfoSec teams that are looking to improve their third party vendor assessment program’s security effectiveness, efficiency, and scope. Our vendor assessment platform enhances productivity and unlocks insights that are traditionally trapped in static security questionnaires, all while eliminating the manual admin tasks that are normally associated with vendor assessments. At the end of the day, this allows your team to free up time to focus on protecting your financial services organization from security threats.

Ready to Learn More?

Check out our resources below for more third party vendor best practices and insights on how your organization can effectively approach security assessments.

  • Request a Live Demo with a Whistic Product Specialist
  • Why Third Party Security is Critically Important
