As you are aware, the adoption date for the new CECL standard has been extended to January 2023 for private and smaller public institutions. As a result, many institutions are still deciding on how they will comply with the new standard. In many cases, institutions are seeking out the help of third-party vendors. As your institution starts to evaluate vendor provided models, what are the security implications and concerns that should be on your checklist?
The common answer is “It depends.”
For example, if you choose to build a model internally, then your current internal IT security controls and processes should be sufficient. However, if you choose to partner with a vendor for your CECL solution, there are key cybersecurity components that should be taken into consideration. Additionally, adherence to applicable compliance and legal requirements for secure handling and processing of data (e.g., FFIEC guidance and state or jurisdictional privacy laws) may play a part in vendor selection.
First, there is your data. What type, sensitivity and volume of data will your CECL partner need in order to meet the FASB guidelines? Your data should be sufficient to provide you with an accurate, meaningful, and supportable model. There are varying approaches to data requirements, and no one approach has been deemed more appropriate than another. ARCSys believes the more historical data an institution can provide, the more accurate and reliable predictive analytics and modeling will be. Reduced or limited historical data periods may increase your model’s volatility and ultimately impact your allowance.
But what about the type of data? Should you just hand over all of your customer/personally identifiable data? Of course not! Scrutinizing vendor data requirements should be a priority during your due diligence. Ask vendors to provide a required data set list detailing what data elements are needed and their purpose. Additionally, review the agreement/contract for data ownership and usage conditions; you want to make sure that your institution owns the data and can direct how it is used and by whom.
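One concrete way to act on the "required data set list" point above, as an added example that is not ARCSys's code or part of the original post: a Python filter that releases only the vendor's documented fields from a loan-level extract, refuses any list that asks for direct identifiers, and replaces the account number with a keyed pseudonym so the vendor can still join a loan across reporting periods. The field names, the sample rows and the key are constructed assumptions.

```python
import csv
import hashlib
import hmac
import io

# Constructed sample loan-level extract (not real data); field names are assumed.
SAMPLE_EXTRACT = """loan_id,borrower_name,ssn,origination_date,orig_balance,current_balance,days_past_due,segment
1001,Jane Doe,123-45-6789,2018-03-15,250000,231400,0,CRE
1002,John Roe,987-65-4321,2019-07-01,18000,9200,45,Consumer
"""

# Hypothetical required data set list from the vendor: data element -> stated purpose.
VENDOR_REQUIRED_FIELDS = {
    "loan_id": "stable join key across reporting periods",
    "origination_date": "vintage / cohort analysis",
    "orig_balance": "exposure at origination",
    "current_balance": "current exposure",
    "days_past_due": "delinquency and default definition",
    "segment": "pooling by shared risk characteristics",
}

# Direct identifiers that never leave the institution, whatever the vendor asks for.
DIRECT_IDENTIFIERS = {"borrower_name", "ssn"}


def pseudonymize(value: str, key: bytes) -> str:
    """Keyed HMAC-SHA256 token: the vendor can join a loan across periods,
    but re-identifying it requires the key, which stays with the institution."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()[:16]


def minimize_extract(csv_text: str, required: dict, key: bytes) -> list:
    """Return only the vendor's documented fields, with loan_id pseudonymized.
    Fails closed if the required list includes a direct identifier or a field
    the extract does not contain (assumes loan_id is on the required list)."""
    asked_for_pii = DIRECT_IDENTIFIERS & set(required)
    if asked_for_pii:
        raise ValueError(f"vendor list requests direct identifiers: {sorted(asked_for_pii)}")
    rows = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        missing = set(required) - set(row)
        if missing:
            raise ValueError(f"extract lacks required fields: {sorted(missing)}")
        out = {field: row[field] for field in required}
        out["loan_id"] = pseudonymize(row["loan_id"], key)
        rows.append(out)
    return rows
```

Run `minimize_extract(SAMPLE_EXTRACT, VENDOR_REQUIRED_FIELDS, b"institution-held-key")` to see the two released rows; the vendor's purpose strings double as the documentation you keep with the contract.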
The second consideration when vetting a CECL partner is to understand how your data will be handled in transit and in storage. When it comes to transmitting data, it’s important to select vendors that use proven encryption standards such as Transport Layer Security (TLS), HTTPS, or Secure File Transfer Protocol (SFTP). Engaging your IT security resources during your vendor selection process is critical to understanding any risks or vulnerabilities your data may be subject to.
If you are sending your data to a vendor for CECL calculations and processing, you should understand how it’s being protected. If you haven’t provided any PII (Personally Identifiable Information) or other sensitive information, you are already ahead of the game. Your vendor should have controls and security in place to protect whatever data your institution has provided. For example, are third-party storage or file transfer vendors used to host and process your data? If so, what risks do they pose, and are their cybersecurity practices operational? Another vital component of security is disaster recovery and business continuity: your vendor should have documented data recovery procedures and infrastructure in place in the event of a service interruption or any other disruptive event.
Familiarizing yourself with their internal data controls and processes is also highly recommended. Vendors should be able to demonstrate strong and proven cybersecurity practices through documented policies and supporting procedures, and through annual risk assessments and/or third-party audits such as a SOC 1 Type II. Finally, ensure your internal IT security resources are assisting with the validation and vetting of any vendor during your due diligence process.
Giving yourself and your institution time to conduct responsible due diligence is imperative to ensure you select a solution provider that aligns with your organization’s cybersecurity needs and risk appetite. At ARCSys we address and mitigate these concerns, and our cybersecurity program is built on the best practices recommended in the FFIEC IT Guidebook as well as other industry-accepted cybersecurity frameworks such as NIST.
Schedule a demo or reach out to our sales team to learn more about our CECL solution.
About the Author:
Victor Dean Rodil
Dean has extensive experience defining strategy, implementing new initiatives, and managing ongoing operations teams with a focus on software development, infrastructure, and risk management. Dean has 18+ years of experience in industry and his career has been focused on large-scale, enterprise IT organizations with a concentration on application development, operations, cybersecurity, and business intelligence. Recently, Dean has worked in strategic consulting primarily focused on mergers and acquisitions, technology diligence, and assessments. Prior to that Dean headed the IT group for a national insurance carrier. Dean enjoys being outdoors, mountain biking and is an avid tennis player. He also enjoys traveling and has visited over 40 states and 19 countries.