MegaNews November 2024 – Data Protection & Vendor Compliance | Megasys Blog

Megasys Team
November 8, 2024

How Safe is Your Data with Your Loan Software Provider?

Cyber threats, data breaches, and privacy violations—oh my! It's crucial for your company to implement internal procedures to safeguard your data. However, have you thoroughly examined the procedures your vendors have in place?

Your loan management software provider plays a vital role in ensuring that your financial data remains secure and compliant. Here are several key inquiries your organization should make with your software provider to confirm that minimum data protection standards are being upheld.

Security & Reliability:

  • Your provider's hosted solution must comply with industry standards. The hosting site should provide full redundancy, meaning your loan data is securely backed up across multiple locations.
  • Uptime – your provider should guarantee specific uptime levels for their service.
  • Role-Based Security Levels – implementing role-based security models ensures that only authorized users can access the system.
  • Data Encryption – Secure Sockets Layer (SSL), now superseded by Transport Layer Security (TLS) and seen in the browser as HTTPS, is the industry standard for securing internet connections and safeguards your financial data from hackers. All data exchanged with the website should be encrypted.

Security Audits:

  • SOC 1 Type 2 Audit – This audit offers users greater assurance that the company's financial data is managed securely. It should be performed by an independent third-party auditor, who will provide a comprehensive overview of the company's systems and controls.
  • Penetration Testing – Commonly referred to as a pen test, this security exercise mimics a cyberattack to uncover and exploit weaknesses within a system. It is essential for your provider to conduct at least one penetration test each year.

Authorized Access:

  • Passwords – The US Department of Defense (DoD) recommends that passwords be a minimum of fifteen characters, composed of a random combination of uppercase and lowercase letters, numbers, and symbols, or a passphrase consisting of 4 to 7 random words.
  • Support Procedures – What steps are implemented to verify the identity of individuals calling on behalf of your company to make or request software changes? Establishing a unique PIN or other forms of identification verification helps ensure that the caller is indeed who they claim to be.

Reference PDF: https://dodprocurementtoolbox.com/uploads/Cyber_DFARS_FA_Qs_rev_4_6_13_24_4702075bf4.pdf

© 2025 Megasys Corporation. All rights reserved.
