Executing the business plan's technology-related items can be a challenge. Few credit unions have all of the resources in-house to accomplish broad-ranging objectives such as enhancing member online services, automating internal operational processes, running marketing initiatives through web and social media platforms, and meeting cybersecurity and compliance requirements.
Given all these special project focuses, it’s very common for credit unions to outsource all or portions of the daily monitoring, management, and support of their infrastructure to a third party. Benefits to a partnership include extending support coverage, adding subject matter expertise, and blending what’s already being done with complementary services to fill gaps.
Finding the right technology partner is key; however, making that determination in a crowded marketplace can be difficult. Here are some questions to ask potential vendors to make sure you find the right fit:
Cover the vendor due diligence basics
What is the financial health of the vendor business? Does the vendor provide audited financials? Do they have peer (credit union) references? Does the vendor have a SOC (System and Organization Controls) report or other equivalent independent assessment of their controls?
Can the vendor help you navigate the decision-making process following a risk-based, security-first approach?
Is the vendor familiar with FFIEC standards, the Gramm-Leach-Bliley Act, and industry best practices? As financial institutions, credit unions are subject to regulatory requirements, many of which directly intersect with technology deployment and management.
Do the vendor’s hiring practices have the same level of vetting that credit union hiring does?
Do employees at the vendor company follow the same practices as credit union staff? Do employees there get criminal and financial background checks? How are they trained and supervised? Does the vendor perform all services in-house, or do they also outsource some or all of the services to another party? What is the ratio of full-time employees to temp or contract team members, and how do their levels of access differ? Does the vendor offshore work or services outside of the US?
How does the vendor communicate the work it performs for the credit union?
Following the theme above, vendors with access to the network should be required to track and report their access to credit union resources, including details of who, when, where, and why.
Does the vendor have the tools and framework in place to accomplish this? Either way, it will need to be done in order to provide oversight, so if the credit union is responsible for that solution, it may add considerable cost, responsibility, and complexity to the credit union’s existing IT burden.
Who has access to credit union data?
Credit unions retain ultimate responsibility for safeguarding their member information. However, in many cases, vendors performing work, especially ongoing administrative or management-level work, will require privileged access to your systems, networks, and data.
For hosting and offsite data backup services, how is data stored and safeguarded? What controls has the vendor implemented at their hosting facility to ensure proper levels of security? Is all data encrypted in transit and at rest? Who maintains the keys for data encryption? Who has access to onsite and hosted credit union data?
How does your support work?
Credit union member service is one of the key differentiators from other financial services businesses. When services go down or things stop working, there needs to be a clear path to recovery.
Does the vendor provide a service level agreement or uptime guarantee? What are the expected response times in various support scenarios? Does the vendor offer after-hours or weekend support? How does the support offered complement what the credit union is already providing?
How will you be able to respond to an emergency situation?
Incident response has become a growing focus at credit unions as they increase their reliance on technology, and specifically on internet-based offerings for members. The ability to detect and respond to a cybersecurity incident is now a core concern for IT teams. The earlier an incident can be detected, the earlier remediation can start, which limits the amount of damage and exposure.
What obligation would the vendor have to respond to an incident involving the credit union's services or data? Does the vendor have logging and monitoring procedures that ensure preservation of evidence? Are staff trained on incident detection and response?
How does the vendor invest in staff and partnerships?
By outsourcing technology management, the credit union is transferring some of the responsibility for daily monitoring and management to a vendor. Technology changes rapidly; new solutions, threats, and considerations emerge on a daily basis. What is the vendor’s strategy around evaluating, deploying, and managing the tools it uses to manage your network?
Does the vendor routinely review its solutions and practices to ensure they’re providing needed features and are free of security vulnerabilities? What is the vendor’s approach to staff development, including employee training and certification? What subject matter experts does the vendor have that the credit union can leverage?
How will you help the credit union plan for the future?
A credit union’s annual planning processes help set the table for future success. Will the vendor engage in annual planning as well as the creation of a technology plan and budget? Will the vendor help the credit union with lifecycle planning? How about recommendations for emerging services and technologies? Will the credit union be able to avoid unplanned expenses?
Consider asking these questions the next time you're picking a technology partner; they might be the difference between a long and fruitful relationship and one fraught with headaches.