Baseline Nonbank Cybersecurity Exam Program

Question 13

How does the institution make sure it employs trustworthy third parties? Does the institution perform due diligence before entering into a contract? Is there an active vendor management program and/or methodology?

Question 14

Are contracts in place? Do vendor contracts require service providers to implement and maintain appropriate information security safeguards? Consider the confidentiality, availability, and integrity of information stored with the vendor. Does the vendor management program include specified contract deliverables, due dates, and service level agreements? Are vendors monitored on an ongoing basis (not just at hire/selection)? Does the contract define each party's information security responsibilities?
