Developing a vendor questionnaire regarding cybersecurity can be complex. The market is noisy and oversaturated with abbreviations such as SOC, MFA, and AUP, which can be confusing when every vendor claims their solution is the best. Ensuring success in selecting the right vendor can be simplified by asking the right questions and using a format that is easily digestible, even if you do not have a dedicated cybersecurity team.

As the Chief Product and Technology Officer of a growing FinTech, I am often called on to speak to our cybersecurity policies and practices. Understandably, cybersecurity is a critical part of a community bank’s infrastructure, both internally and with vendors. These questions often fall in three main areas:


Have you successfully completed a SOC 2 assessment?

SOC 2 is a third-party review of a service provider’s data security policies, as well as their adherence to those policies. It can be considered a “seal of approval” that a provider is safeguarding data properly. SOC 2 is designed to be applicable to all software-as-a-service vendors, as well as any entity storing a customer’s data. If a vendor is SOC 2 compliant, it means their organization maintains a high level of information security to protect their clients. All software vendors should be evaluated for SOC 2 compliance. Community bankers should ensure that all data processed through third-party service providers is secure.

How are your penetration tests (“pen tests”) managed? Is it by an independent third-party vendor and how frequently are they performed?

Pen tests allow vendors to identify vulnerabilities within the system that could potentially be exploited in a cyber-attack. To maintain accurate and unbiased results, pen tests should be conducted by an independent third-party vendor. As a vendor ourselves, we conduct pen tests annually and also before every major product launch. You can ask for a summary of your vendor’s pen test to better understand the potential vulnerabilities within the vendor’s infrastructure, any other outstanding issues, and the timeline for resolution. This will ensure that you understand the risks to the safety of your customers’ data.

What other preventative measures are in place?

There are at least three more important preventative security measures to look out for. First, whether the vendor uses Multi-Factor Authentication (MFA), which requires users to provide two or more credentials to log in (such as a code sent to your email or phone). Second, another crucial preventative measure is employee training and awareness. A strong vendor should conduct training on relevant topics, from regulatory compliance to phishing and social engineering. This allows every employee to be aware of potential cyber threats and to help maintain a secure organization. Third, you should ensure that your vendor has clear internal processes governing employee access to data, such as onboarding/offboarding procedures and background checks.

Mohan Rao is the Chief Product and Technology Officer at StreetShares, a digital business banking solution provider. StreetShares’ Atlas Platform rapidly enables community banks with complete business product solutions from sales to closing. The Atlas Platform levels the playing field for community bankers to compete with the largest banks and financial technology firms. For more information, please email atlas@streetshares.com.
