By: Mike Detrow, CISSP, Director of IT & IT Audit at Young & Associates
Due to the challenges of finding qualified employees to fill internal IT positions and the increased complexity of technology solutions, many community financial institutions have either outsourced the management of their information systems to a managed services provider (MSP), or they are considering this move.
But how do you know that you currently have, or are choosing, the right partner? In this article, we will discuss the qualities you should look for in an MSP to help you evaluate your current MSP and select the right partner if you want to outsource the management of your information systems.
Understanding Financial Institution Needs
First, it is important to understand that financial institutions differ from organizations in other industries, and a local MSP that primarily works with manufacturing companies may not understand the security requirements of a financial institution. Financial institutions are highly regulated and undergo routine IT audits/assessments due to the significant amount of sensitive and personally identifiable information that they maintain, alongside the substantial financial assets under their protection.
Many MSPs may not be familiar with the regulatory and security requirements associated with banking and therefore may not be prepared to work with examiners/auditors or respond effectively to exam/audit recommendations.
The Drawbacks of National MSPs
A national MSP may not be appropriate for a small community financial institution either, as you may end up being a little fish in a big pond and may not get the attention that you need. Financial institutions that we work with have already experienced this with some of the large core processing vendors, where it is difficult to get good support as a small institution. Additionally, obtaining managed IT services from your core processing vendor may make converting to a different core processor more challenging.
The Value of Local and Regional MSPs
So, how do you find a good partner? Based on our experience working with numerous MSPs through the IT Audit process, we typically see that community financial institutions get the most value from working with local or regional MSPs that have existing experience working with numerous financial institutions.
These MSPs already understand the regulatory and security requirements that financial institutions face, and they have experience with the appropriate tools and configuration practices to secure the institution’s information systems.
5 Key Qualities of Good MSPs
Some of the good qualities that we see from these MSPs include:
- Proactively identifying and presenting new tools to enhance the institution’s information security posture
- Working as a partner by learning about the institution and customizing solutions to its unique needs
- Maintaining detailed and accurate documentation for the institution’s system configurations and ongoing monitoring
- Being responsive to initial and follow-up exam/audit documentation requests
- Being responsive to exam/audit recommendations by implementing remediation measures in a timely manner
MSP Red Flags to Watch Out For
Some of the red flags that we see from other MSPs include:
- Providing security status reports that contain errors or are hard to understand
- Lack of detailed and accurate documentation for the institution’s system configurations and ongoing monitoring
- Failing to notify the institution prior to making changes that may compromise security or impact system availability
- Slow response to documentation requests for exams/audits or charging additional fees to provide this information
- Refusing to implement exam/audit recommendations due to lack of technical knowledge or in cases where the recommendations do not fit into the MSP’s “standard configuration”
Ensuring the Right Partnership
In closing, it is important to remember that as a financial institution, you are ultimately responsible for any problems that occur from selecting the wrong MSP, whether this decision leads to an insecure environment or just makes your job more difficult as the liaison between the institution and the MSP.
Just like any other vendor, you must continuously monitor your MSP to ensure that they are providing acceptable service levels for your institution and consider replacing the MSP if they are not meeting your expectations. While it may seem like a big task to replace your MSP, having the right partner will not only help to ensure that appropriate security controls are implemented, but it should also make your job easier as the liaison.
Your Trusted IT Consulting Partner
At Young & Associates, we understand the unique needs and challenges faced by financial institutions. Our IT consulting services are tailored to help you navigate the complexities of technology solutions while ensuring regulatory compliance and information security. Contact us today to learn more about how we can support your institution’s IT needs.