4 Security Questions You Should Ask Your Data Provider

4 Security Questions You Should Ask Your Data Provider

With most employees in the country still working from home, lenders have an even greater a responsibility to ensure the security of consumer data throughout their entire supply chain, including information supplied by data vendors.

While we'd never hand the keys to our car to a stranger at the gas station, lenders too should not give away unfettered system access to vendors without a tremendous amount of attention to information security. For that reason, data protection is one of the aspects that lending organizations should prioritize when selecting a data provider. 

The advent of cloud-based security solutions forces lenders to consider investing in a reliable vendor because of the exceptional value and proven security. However, a significant challenge that lending organizations face when seeking a reliable data provider is performing due diligence, including reviewing the security of the data provider. 

During the due diligence, there are four crucial questions you need to ask potential data services providers to ensure that your data is safe. Look out for these questions (and answers) for better clarification from your data provider before opting for their services. 

  1. How Do You Ensure My Data Is Safe?

This one is a gimme but whichever way you look at it, one of the primary reasons for preferring one data provider over the other is their ability to convince you that the information you purchase from them is safe and secure as it's transmitted to you. Guarding against every kind of attack in any network using a single tool is impossible, but a vendor can get close. 

So the data provider you opt for should deploy multiple layers of defense for protection purposes using security service providers, internal systems, and protection through Tier 1 cloud platforms. Some of the examples of the layers of defense that are necessary include:

  • Data encryption
     Data encryption transforms data into a scrambled code that can be translated only with a secret key or code. Only those people with the key can unscramble the code and read the data. Currently, encryption is one of the most popular and effective data security methods used by organizations.  
  • Physical defense
    Data providers should ensure on-premises physical access to the devices where the data is stored is secure. An example is a fortified walled building that includes on-site security. A regular review of such control and documentation is also essential. 
  • Activity Monitoring
    Competent data providers continuously monitor their networks for suspicious activity to identify malware and any potential hacking activities. In the event of a threat, you should receive a warning automatically, and after that, the provider should take steps to protect data and the integrity of the platform as well. 
  • Code Standards
     Good code is the foundation of reliable security. The software development lifecycle of any system should include security standards that govern every aspect of such a tool. Reviewing the code standards of your data provider may not be an option. However, the data provider can provide an overview of their process and procedures related to code standards. 
  • Third-Party Code Scanning
     Trustworthy data providers rely on third-party firms for scanning code in a bid to identify opportunities for improving security while looking for the vulnerabilities. This hired scanning is often referred to as "ethical hacking." There are multiple levels of scanning, and performing this exercise routinely may be more effective than annual scans.  
  1. Do You Have Any Third-Party Security Certifications?

You cannot take a data services provider merely for their word. Providers can say that they have top-notch security, but it's the certifications that actually prove it. Below are the three big security certifications that your data provider should have and update every year:

SOC 2 

Third-party certifications can help you judge the security architecture and processes that a specific data provider uses, and the most important one, in this case, is the SOC 2 certification. If you store customer data in the cloud, SOC 2 will prove an ideal tool for you because it applies to nearly every cloud or "software as a service" company. 

Beyond the technical audit bit, SOC 2 requires users to establish and follow stringent information security policies and procedures that focus on the availability, confidentiality, processing, security, and integrity of client data. SOC 2 certification seeks to ensure that your company's information security measures are in line with the current unique parameters of cloud requirements. 

Since the demand for cloud data storage services is on the rise in various industries, you should make SOC 2 compliance part of the requirements that your data provider should fulfill. 


Customer credit card data must be secure.  Payment Card Industry (PCI) compliance is a set of standards developed to ensure uniform safe storage of credit card data across all industries.  

In the event of a data breach, a lack of PCI compliance could result in steep fines as well as other financial and reputational risks. Since credit card payments are critically important in today's digital world and in the mortgage industry, you should make PCI compliance a staple for your data provider. 


Experian Independent Third-Party Assessment (EI3PA) is the annual security assessment required when third parties access, transmit, store or process credit reports and other regulated data from Experian. Independent auditors review a company's information security systems, policies, and procedures to ensure they meet that EI3PA stringent guidelines and requirements. Since credit data is an essential aspect of lending, requiring EI3PA certification should not be a big ask for your data provider. 

  1. How Can I Be Certain That My Data Will Not Be Accessible to Others?

Imagine you are in a family of 4 and you have to share a single computer. Would the whole family share a single login and password, allowing everyone's email, calendar, files, and photos to be comingled together with everyone else's?

Most likely not. A better option is to create four separate logins for each person, where each member has their own "instance" of the computer. This setup creates a partition on the hard drive for each of the family members. The separate accounts do not share data.

Data separation is an aspect you cannot afford to overlook when considering data services for your business. Before engaging any data provider, you should seek to know whether they will mix your information with data from other entities, the database structure they adopt for every customer, and if other people can access your company details. Avoid the commingling of data at all costs. The system architecture that a specific data provider uses should ensure the separation of customer data.   

  1. What Measures Do You Have in Place to Prevent Hacking and Stealing of Data?

Although hacking is the primary concern of banks, mortgage companies, and lenders when considering a data solution, such fears can also be as a result of some common misunderstandings. You can guard against internal data breaches by emphasizing proper user management and password security policies. 

Data breaches can also come from within, and the system that the data provider avails should prevent as many attacks as possible. A reputable provider should also engage internal personnel and external consultants to run frequent penetration testing. Running penetration tests helps in identifying the paths that attackers use to access client systems through the internet. 

Find out how frequently a particular data provider runs penetration tests and the methodologies they use before contracting their services. 


Lending organizations cannot afford to cut corners or compromise when vetting data providers, especially in today's work environment. Use the four questions above to make sure that you're partnering with the right provider for your business!

For more information on Informative Research's security practices, feel free to reach out.