Limiting Third-Party RisksWhy Contracts Must Address More Than Security Compliance
Security risk mitigation surrounding outsourced remote-deposit capture and mobile payments will be top of mind in the coming year, says Dunn, who serves as the chief technology officer of this $1.9 billion bank based in Massachusetts.
"It's about making sure that we are doing all the due diligence that we can possibly do," he says during this interview with Information Security Media Group.
Third-party relationships are becoming more complex, especially as more functions are outsourced to cloud providers, Dunn says.
The potential to expose card data and other personally identifiable information about customers, as well as the bank's intellectual property, has increased because of the cloud, he says. This is why banking institutions need to ensure they are performing adequate due diligence upfront, Dunn adds.
"Our core system's provider is a hosted environment, so that's a private cloud," he says. "But the challenge there is visibility."
HarborOne has taken steps to ensure it's addressing visibility challenges during the project planning process, which includes detailed risk assessments, Dunn says.
The bank established an operational risk committee that meets quarterly to share information with all of the institution's business units, Dunn explains. The group keeps those units updated about where due diligence stands, he says.
And due diligence includes more than just ensuring that third parties are meeting minimal security obligations, Dunn adds. "We have also have improved our process ... where contracts are concerned," he says. For example, contracts must address ongoing risk assessments as well as disaster recovery and business continuity, Dunn says.
During this interview, Dunn also discusses:
- HarborOne's debit portfolio migration to EMV, also known as the EuroPay, MasterCard, Visa standard;
- Why ongoing customer education about security risks is so critical, and an area with which most banking institutions continue to struggle; and
- Why security concerns surrounding wireless connectivity are getting renewed attention.
In addition to serving as HarborOne's chief technology officer, Dunn also serves as senior vice president, overseeing the bank's strategic direction and initiatives that leverage technological investments and provide operational efficiencies. He recently led efforts to migrate HarborOne to the Microsoft platform for authentication, collaboration, and messaging; conversion of the institution's core system; and implementation of a direct branch image capture system.