Managing Vendor Risk Through Effective Due Diligence in the Age of Pandemics: The COVID-19 Impact
The effects of the novel coronavirus (COVID-19) pandemic continue to be felt across the globe, and it is readily apparent that the vast majority of businesses and financial institutions in the financial sector were unprepared for the repercussions of an extended quarantine and the unprecedented changes to daily life in the United States and beyond. Banking operations have been forced to run remotely, regulatory frameworks have been altered, compliance and reporting requirements have had to be improvised, and new forms of risk and fraud have had to be mitigated: over the past several months these challenges have placed additional strain on the everyday operations of compliance departments at major international banks. If one theme has emerged throughout the pandemic, it is the growing need for accommodation, understanding and openness to change on the part of organizations large and small. Among the most pressing issues for banks in 2020 are continued support for customers facing financial hardship, mitigation of vendor and third-party risk, and ensuring that proper protocols are in place to better absorb the effects of pandemics and other major events going forward.
Early last month, the New York State Department of Financial Services (NYSDFS) issued an industry-wide guidance letter on supporting businesses negatively impacted by the virus. Large corporations and mom-and-pop shops alike have felt the impact of deep cuts to business activity following stay-at-home orders and travel restrictions, which have cut off major sources of revenue for businesses that cater to tourists and overseas customers. To help navigate these uncharted waters, the state of New York laid out several guidelines for New York-regulated banks, credit unions and licensed lenders to follow in order to keep businesses on track and, most importantly, open. The Department encouraged these entities to consider waiving overdraft fees, easing credit terms for new loans, waiving late fees on loan balances, and proactively reaching out to customers who have been negatively impacted by the COVID-19 crisis.
The NYSDFS also recommended other measures, such as “offering payment accommodations, such as allowing loan borrowers to defer payments, extending the payment due dates or otherwise adjusting or altering terms of existing loans, which would avoid delinquencies and negative credit agency reporting.”2 While similar practices have been adopted across a variety of financial enterprises to aid individual consumers as the outbreak has progressed (particularly credit card customers), extending them to businesses could be the saving grace that lets adversely affected firms weather the coronavirus storm.
Risk and Planning for Future Crises
While much can be, and already has been, learned from this situation, it is clear that a thorough contingency plan is needed to lay out how operations would continue in a similar situation or if a significant portion of a company’s workforce is unable to work. This includes determining which sectors and customers are most affected so that adequate support can be offered to clients and the wider financial community, identifying which personnel can perform their duties adequately from a remote location, and deciding which roles can be terminated if remote work is unrealistic or no longer cost-effective. Another factor company executives and board members must weigh when pressing on through a pandemic is which vulnerabilities they open the company up to if they decide that remote operations are indeed a viable practice.
Cyber criminals prey on under-secured and unregulated trends in society to streamline their illicit efforts while staying one step ahead of law enforcement. With access to physical bank branches sharply curtailed, American citizens have been forced to manage the bulk of their finances online. While financial watchdogs have urged banks and credit unions to strengthen their online security accordingly, cyber criminals have seized on the opportunity by stepping up fraudulent activity aimed at pilfering confidential personal and financial information from unsuspecting customers. The full effects of remote work have yet to be felt (or have simply not been reported for fear of reputational damage), but it is fair to infer that even novice fraudsters can exploit work-related traffic sent over unsecured home or public networks without encryption. In the wake of COVID-19, cyber criminals have likely shifted much of their focus to the email, messaging and video-conferencing applications that facilitate remote work, since compromising them can lead to larger rewards. The reputational and financial damage that such activity can do to a company is severe, and the risk should not be taken lightly.
Mitigating Vendor Risk
To address these gaps, financial institutions of all sizes should adopt a proactive approach to mitigating risk. Data encryption policies, covering data in transit and at rest, must be in place and fully operational before a company can safely transition to remote operations, and this raised bar must extend to vendors as well. Even if an organization is on top of its own cyber-security procedures, a vendor may not be applying the same rigorous controls. In its recent article “5 Vendor Risk Management (VRM) Considerations During the COVID-19 Pandemic”, SecurityScorecard expands on this idea, noting that in order to mitigate vendor risk as part of a company’s threat/risk management initiatives, it is critical to “ensure that you know all of the applications used by your vendors, including:
- Email services used
- Direct messaging/Chat applications used
- Video conferencing services used”1
The article also highlights communication with vendors as paramount, identifying specific questions that banks must ask as part of their due diligence in order to maintain the strength of their risk management programs. These include, but should not be limited to:
- What level of encryption do you have in place and what are your protocols for email transmissions?
- Do you utilize encryption for any other methods of communication or transferring of information?
- If you do not have encryption protocols in place for these services, are you planning to do so going forward? In what capacity?1
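A practical complement to the three questions above, added here as an example and not part of the SecurityScorecard article: rather than taking a vendor’s answer on email encryption at face value, a bank can check the public artefacts that back it up. The DMARC TXT record at `_dmarc.<domain>` shows whether the vendor enforces sender authentication, and the MTA-STS TXT record at `_mta-sts.<domain>` together with the policy file served at `https://mta-sts.<domain>/.well-known/mta-sts.txt` show whether mail delivered to the vendor must use TLS (mode `enforce`) or whether a downgrade to cleartext is still possible. The script below parses those three artefacts and grades them. The domain `vendor.example`, the record contents and the function names are all constructed for this example; a real check would fetch the records over DNS and HTTPS.

```python
"""Offline check of a vendor's email transport-security posture.

Added example, not code from the original article. It grades the three
public artefacts a vendor should be able to point to when asked about
email encryption: the DMARC TXT record, the MTA-STS TXT record and the
MTA-STS policy file. All record contents below are constructed sample
data for the hypothetical domain vendor.example.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Finding:
    severity: str  # "high", "medium" or "info"
    message: str


def parse_tag_value(record: str) -> Dict[str, str]:
    """Parse a 'k=v; k2=v2' TXT record (the format DMARC and MTA-STS share).

    Tag names are case-insensitive; splitting on the first '=' keeps values
    such as 'mailto:dmarc@vendor.example' intact.
    """
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        part = part.strip()
        if "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags


def parse_mta_sts_policy(text: str) -> dict:
    """Parse an RFC 8461 policy file: 'key: value' lines, where 'mx' may repeat."""
    policy: dict = {"mx": []}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, value = line.split(":", 1)
        key, value = key.strip().lower(), value.strip()
        if key == "mx":
            policy["mx"].append(value)
        else:
            policy[key] = value
    return policy


def assess_email_transport(dmarc_txt: str, sts_txt: str, sts_policy_txt: str) -> List[Finding]:
    """Return the gaps between what a vendor claims and what its records enforce."""
    findings: List[Finding] = []

    dmarc = parse_tag_value(dmarc_txt)
    if dmarc.get("v") != "DMARC1":
        findings.append(Finding("high", "no DMARC record: mail from the vendor's domain can be spoofed"))
    elif dmarc.get("p", "none") == "none":
        findings.append(Finding("medium", "DMARC p=none: spoofed mail is reported but still delivered"))
    elif dmarc.get("p") == "quarantine":
        findings.append(Finding("info", "DMARC p=quarantine: consider asking for p=reject"))

    sts = parse_tag_value(sts_txt)
    if sts.get("v") != "STSv1":
        findings.append(Finding("high", "no MTA-STS record: TLS to the vendor can be downgraded to cleartext"))
        return findings  # nothing further to check without a policy

    policy = parse_mta_sts_policy(sts_policy_txt)
    if policy.get("version") != "STSv1":
        findings.append(Finding("high", "MTA-STS policy file missing or malformed"))
        return findings
    mode = policy.get("mode", "none")
    if mode != "enforce":
        findings.append(Finding("medium", f"MTA-STS mode={mode}: TLS failures are reported, not refused"))
    if not policy["mx"]:
        findings.append(Finding("high", "MTA-STS policy lists no mx hosts, so it protects nothing"))
    try:
        max_age = int(policy.get("max_age", "0"))
    except ValueError:
        max_age = 0
    if max_age < 86400:  # RFC 8461 recommends weeks; under a day the policy is barely cached
        findings.append(Finding("info", f"MTA-STS max_age={max_age}s is short; policy is rarely cached"))
    return findings


def posture_grade(findings: List[Finding]) -> str:
    """Collapse findings into the one-word answer that goes on the due-diligence form."""
    severities = {f.severity for f in findings}
    if "high" in severities:
        return "fail"
    if "medium" in severities:
        return "weak"
    return "pass"


# Constructed sample records for vendor.example (not real DNS data).
GOOD_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc@vendor.example"
GOOD_STS = "v=STSv1; id=20200401T000000"
GOOD_POLICY = "version: STSv1\nmode: enforce\nmx: mx1.vendor.example\nmx: *.mail.vendor.example\nmax_age: 604800\n"
WEAK_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc@vendor.example"
WEAK_STS = ""  # vendor has not published MTA-STS at all
WEAK_POLICY = ""

if __name__ == "__main__":
    for label, args in (("good", (GOOD_DMARC, GOOD_STS, GOOD_POLICY)),
                        ("weak", (WEAK_DMARC, WEAK_STS, WEAK_POLICY))):
        found = assess_email_transport(*args)
        print(f"{label}: {posture_grade(found)}")
        for f in found:
            print(f"  [{f.severity}] {f.message}")
```

The grade is deliberately conservative: a missing MTA-STS record is rated as high because, without it, a network attacker between the bank’s mail server and the vendor can strip STARTTLS and read the message in cleartext regardless of what the vendor’s questionnaire says. A `testing` mode policy only produces reports, so it is rated as weak until the vendor moves to `enforce`.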
From the standpoint of a financial institution, proper evaluation of vendors should be an integral part of its risk-monitoring strategy. A solid vendor monitoring process should always consider vendor response time to queries, how promptly vendors apply security patches and updates, fourth-party security (the security of the vendor’s own vendors), and documentation capabilities.1
Finally, companies must review their service level agreements (SLAs) with their highest-priority vendors. Vendors with access to the most critical information must be held accountable through cyber-security liability provisions that remain in force in the event of a third-party breach.1 When reviewing SLAs, the reviewer must determine whether they cover application security, remote employee work policies, levels of authentication and network access, continual network monitoring, and monitoring of all network-connected devices.1 A defined breach-notification window belongs in that list as well: without one, the bank may learn of a vendor incident only when the vendor chooses to disclose it. Vendors should receive the same level of analysis and care in their continual monitoring as the bank applies to its own everyday operational practices.
Commerce Department Enhances Restrictions on Exports to China, Others
On April 27th, the United States Department of Commerce announced new export restrictions aimed at preventing adversaries from acquiring powerful technologies developed in the U.S., specifically those that could be used to develop advanced weaponry and surveillance technology. Naming China, Russia and Venezuela as the countries to which the new measures predominantly apply, the U.S. government hopes to limit the exploitation of the civilian supply chain for military gain. Among the more notable rule changes is the expansion of Military End Use/User (MEU) controls, which broadens the license requirements for U.S. companies selling goods to companies in China that support the military, even where the products are intended for civilian use. According to the Commerce press release, the MEU expansion will also cover “items such as semiconductor equipment, sensors, and other technologies sought for military end use or by military end-users in these countries.”4 In addition, the rule changes remove the License Exception for Civil End Users (CIV) for countries that pose national security concerns to the United States, which effectively disallows the export of certain U.S.-controlled technologies to those countries without the appropriate license.
The rule changes also call for enhanced due diligence and more consistent review and evaluation of end users (primarily in China) receiving exports and re-exports of U.S. items going forward. With the theft of U.S. intellectual property (IP) and artificial intelligence technology attributed to China a growing problem in recent years, and with tensions between the two powers running high amid the coronavirus pandemic and the subsequent deterioration of the global economy, the new regulations come at an important time for the American government. Capping off his department’s announcement, Commerce Secretary Wilbur Ross stated, “Certain entities in China, Russia, and Venezuela have sought to circumvent America’s export controls, and undermine American interests in general, and so we will remain vigilant to ensure U.S. technology does not get into the wrong hands.”4
Israeli Bank To Pay Nearly $1 Billion In U.S. Tax Evasion Case
Bank Hapoalim B.M., Israel’s largest bank, recently agreed to pay the U.S. Treasury, the Federal Reserve and the New York State Department of Financial Services (NYSDFS) a total of $875 million to resolve a United States tax evasion case covering a scheme that ran for more than a decade, dating back to the early 2000s. Reuters, citing a statement released by the U.S. Department of Justice (DOJ), writes that the bank and its Swiss subsidiary “admitted to failing to prevent and ‘actively assisting’ U.S. customers in setting up more than 5,500 secret accounts”3, accounts that were used to shelter over $7.6 billion in assets in an effort to evade taxes by defrauding the United States.
The settlement marks the second largest recovery by the DOJ since it began its investigations into tax evasion efforts led by offshore financial institutions in 2008. In a separate agreement announced last week, the bank also agreed to “pay the U.S. government $30 million for its role in the FIFA money laundering conspiracy.”3
Anti-Bribery Coalition Warns of Increased Cases Amid Pandemic
The Organization for Economic Cooperation and Development’s (OECD) anti-corruption wing recently warned countries across the globe to expect a potential increase in bribery cases and other illicit activity as the coronavirus crisis continues to unfold. Citing a statement issued last week by the OECD’s Working Group on Bribery in International Business Transactions, Wall Street Journal writer Mengqi Sun writes that “the economic fallout and human suffering from the pandemic can create conditions ‘ripe for corruption’ and that bribery and corruption could undermine how countries respond to the crisis.”5 This risk is especially acute in the healthcare sector, where supplies used by healthcare professionals in hospitals and treatment centers, and by the general public for protection against the disease and relief of symptoms, are widely scarce. The anti-corruption body believes that this scarcity may lead to an uptick in bribery of foreign public officials by developers and distributors of such healthcare products seeking exclusive access to their respective markets. The working group also offered a grimmer perspective, noting that corruption could “divert resources, such as medicine and medical equipment, from their intended purposes and result in unequal and harmful access to them.”5
Acknowledging the difficulties of the times, the group has urged companies to maintain transparency and ensure all anti-bribery/corruption safeguards are adequately followed, while also staying on top of the detection and reporting of potential misconduct to the proper authorities.
1. Bansal, Sachin. “5 Vendor Risk Management Considerations During the COVID-19 Pandemic.” SecurityScorecard, 13 Mar. 2020.
2. Emami, Shirin. “Industry Letter – March 10, 2020: Guidance to New York State Regulated Banks, Credit Unions and Licensed Lenders Regarding Support for Businesses Impacted by the Novel Coronavirus.” Department of Financial Services, New York State, 10 Mar. 2020.
3. Prentice, Chris. “Israel’s Largest Bank to Pay Nearly $875 Million over U.S. Tax Evasion Conspiracy -DOJ.” Reuters, Thomson Reuters, 30 Apr. 2020.
4. Ross, Wilbur. “Commerce Tightens Restrictions on Technology Exports to Combat Chinese, Russian and Venezuelan Military Circumvention Efforts.” U.S. Department of Commerce, 27 Apr. 2020.
5. Sun, Mengqi. “Antibribery Group Warns of Bribery Risks During Coronavirus Pandemic.” The Wall Street Journal, Dow Jones & Company, 28 Apr. 2020.