Case Study: Cadence Bank

The Client

Cadence Bancorporation is a regional bank holding company headquartered in Houston, TX with 1,200 associates and $11 billion in assets as of March 31st, 2018. Through its affiliates, Cadence operates 65 locations in Alabama, Florida, Mississippi, Tennessee, and Texas. The firm provides corporations, middle-market companies, small businesses, and consumers with a full range of banking and financial solutions. Services range from commercial and business banking to wealth management to credit cards and much more. Clients have access to cutting-edge online and mobile solutions, interactive teller machines, and ATMs. Cadence Bank, N.A. is a subsidiary of Cadence Bancorporation.

The Challenge

Cadence Bancorporation relies on third-party vendors to amplify its reach and extend its capabilities. At the same time, these relationships could expose the bank to risk. The Bank Director’s 2017 Technology Survey found that 44 percent of respondents believe their bank would be vulnerable if one of the bank’s vendors experienced a cyber attack or data breach.

As a result, Cadence Bank has committed to performing due diligence, even when such diligence has consumed time and resources, to assess whether prospective vendors have adequate controls in place to mitigate any cybersecurity risks. The bank has worked continuously to improve its vetting processes. The arrival of a new CIO brought a new perspective and opportunities to enhance the bank's cybersecurity maturity.

Explained Laura Buckley, SVP, Director of Technology Risk & Compliance, “Previously, we performed due diligence by having vendors fill out a Shared Information Group (SIG) questionnaire and by looking at any documentation they had in place, e.g. Service Operations Control (SOC) reports, ISO certifications, and PCI attestations as they applied to the service. But this procedure only provided documentation for a point in time and could be subjective. SecurityScorecard gives us a more objective and dynamic evaluation. We can now review vendors continuously, and present results and key risk indicators to Senior Management and our IT Risk Management Committee monthly.”

The urgency of optimizing the effectiveness of the bank’s due diligence process was further heightened in the wake of recent news reports of breaches at a nearby bank. With executives and managers asking more and tougher questions about how vendors were being evaluated, SecurityScorecard armed Buckley’s team with the capabilities to evaluate and address these risks.

The Solution

SecurityScorecard provides Cadence Bank with an extremely accurate rating of security risk. The SecurityScorecard platform uses trusted commercial and open source threat feeds as well as non-intrusive, proprietary data collection methods to quantitatively evaluate the cybersecurity posture of potential partners.

Melissa Hicks, Senior Technology Risk and Compliance Analyst for Cadence Bank, stated, “We use SecurityScorecard to review vendors during the procurement process as a part of our due diligence. The SecurityScorecard rating complements our review of SOC 2 reports, interviews, and other documentation.”

The team finds that the SecurityScorecard reports are easy to understand. Said Hicks, “The Summary Report gives us a nice overview, while the rest of the report provides a breakdown of ten risk factors. The grading and the breakdowns are very helpful. We use SecurityScorecard evaluations to identify potential gaps in the company’s compliance with best-practice information security frameworks.”

The Technology Risk and Compliance team and the Cadence Security Operations Center (SOC) review their own Scorecard report on a monthly basis to maintain a healthy cybersecurity posture.

In addition, the company uses SecurityScorecard reports to perform quarterly reviews of its top 40 critical vendors and annual reviews of all significant vendors. Reports on existing vendors also show the history and trends of how the vendor fared over time. The bank can then follow up to determine which aspects of the vendor’s security controls have changed. For example, was there something new that caused their rating to degrade?

Remediation with vendors

If a vendor’s grade is below the bank’s specified threshold, Cadence Bank follows up, informing the vendor of any issues and giving them the opportunity to address them. As Hicks says, “While our primary focus is to protect ourselves, this is a team effort. Their success is ours as well. When vendors have been willing to work with us, we’ve seen their scores improve.”

The bank has put in place a solid process to ensure that prospective vendors address findings from the reports. Said Buckley, “Our Vendor Management department doesn’t allow a contract to be signed before due diligence has been completed. If a vendor doesn’t meet the predefined grade threshold set by Cadence Bank, they are informed of which issues they need to address.”

Additionally, the Customer Success team provides value in helping vendors remediate issues quickly and smoothly. Said Buckley, “If a vendor has a question we can’t answer on a specific issue, we can easily get SecurityScorecard’s Customer Success team to jump on a call right away. That’s been extremely helpful, and it certainly puts the vendor at ease. We really appreciate that.”

The Results

By using SecurityScorecard, the Cadence Bank Technology Risk and Compliance team has been able to perform a much more thorough review of each vendor. “SecurityScorecard complements the information we already receive and review. It solidifies our score, making it that much more authoritative,” said Hicks. “We feel good about the end result when we pass that information to the Vendor Management team or upper management.”

SecurityScorecard also helps the bank improve vendor accountability. The team can look at alerts and see whether the vendor has indeed remediated issues that were found. Said Buckley, “If a score goes from a B to a C to a D, it’s a no-brainer. It means the vendor hasn’t completed the necessary remediation effort. We can also look at SecurityScorecard ratings to see whether issues, such as patching cadence, are improving. I can report these findings to the Executive Management team with confidence.”
