Third Party Vendor Risk Management In The Banking Industry
The financial services industry today forms an important backbone of the world economy. The Banking sector in particular is identified as one of the Critical Infrastructure Sectors by the U.S. Department of Homeland Security which believes that the sector is so vital to the United States that “its incapacitation or destruction would have a debilitating effect on security, national economic security, national public health or safety, or any combination thereof”.
The Banking sector is, by the nature of its business, a highly interconnected sector as well. Greater interconnectivity introduces greater cybersecurity risks given that (a) there are too many things to secure and monitor, and (b) the interconnected entities are likely connected to additional entities which could also be the source of cybersecurity risk.
Add to this the fact that third party vendors are an accepted reality today. To their credit, these vendors have indeed come up with innovative, game-changing solutions for the Banking industry. As a result, they play a very important role in the efficient and profitable functioning of several banks and financial institutions.
However, this increased reliance on third party vendors has also meant added exposure to cybersecurity risks and vulnerabilities. Regulators and regulatory authorities have grown increasingly concerned about third party vendor risk management practices, especially in the Banking industry.
It’s important to remember that signing a contract with a third party vendor doesn’t mean that responsibility and accountability has been outsourced to the third party as well.
In fact, based on experience, we can tell you that third party vendors often have disappointingly low standards when it comes to cybersecurity and information protection.
While there have been several data breaches over the years where the third party vendor was clearly at fault, more recent ones have shown that these still happen and will continue to –
- In April 2017, Scottrade Bank acknowledged a data breach that exposed the personal information of 20,000 of its customers because a third party vendor uploaded a file to a server without adequate cybersecurity protections.
- In July 2017, Italian bank UniCredit had their accounts hacked through one of their third party vendors that led to the exposure of 400,000 customer loan accounts.
Third party vendors can often pose some serious cybersecurity risks to outsourcing banks. Let’s take a look at some of them –
- Financial/Reputational Damage
The aftermath is going to be exactly the same as a direct hacker attack on the bank. While the financial damages can be significant from regulatory penalties to lawsuits from customers, the stains on your brand and reputation will be hard to clean.
Banks house customer money and that requires a customer’s trust. Losing that trust can deliver a telling blow to a bank’s very business model.
- Regulatory Problems
Banks also bear the responsibility of legal and regulatory compliance to protect consumer data and privacy. A data breach is often taken as a clear indication that the bank was likely negligent and failed in its regulatory obligations.
This obviously results in regulatory fines and penalties that can end up being debilitating. Add to that the costs involved with digital forensic investigations and cybersecurity remediation in the aftermath of the breach and we’re talking about a significant added financial burden here.
- Operational Disruptions
If the data breach involved a hacker, you have one more monkey on your back. In such situations, you can never be sure about what the hackers have been able to access or how far into your network they were able to penetrate.Hackers, by default, often like to leave behind backdoors so that they can come back in later without being challenged by your cybersecurity protections. This can cause great harm to your overall operations. The situation is akin to knowing that there is an enemy already on the inside but not knowing when, where, or how hard s/he will strike.
Regulatory bodies such as Office of the Comptroller of the Currency (OCC) have already made it clear that banks are responsible for managing risks associated with all of their third party vendors. Many institutions often underestimate third party vendor risks and under-invest in related cybersecurity protections, the investment being not just money but also time. And then there are others who do realize the importance of good third party vendor risk management but fail to develop a robust approach towards it.
Managing The Risks
With a proper process in place and the adequate investment of time, effort, and money it’s definitely possible to adequately manage third party vendor risks.
- Third Party Vendor Management Program
Develop and maintain a comprehensive third party vendor management program. It will go a long way in pleasing the regulators, but will also form a strong foundation for managing third party vendor cybersecurity risks.
Appoint key personnel with specific roles and responsibilities to manage vendors and associated cybersecurity risks. Allocate clear reporting chains and accountability. Ensure that important areas such as classifying and optimizing vendor portfolios, formalizing an appropriate plan for onboard vendors, managing transitions to support changes, and terminating relationships with vendors are in place.
Also ensure that contracts, vendor performance and vendor relationships are managed well and closely monitored. Continuously improve the third party vendor management program by reviewing it on an ongoing basis.
- Regulatory Requirements
Ensure that you address laws, regulations, and critical standards (such as GLBA, BSA, FACTA, PCI, NIST, and guidance from the FFIEC) applicable for financial institutions. Regulators will expect that your third party vendor risk management processes are in line with the level of risk and complexity of your institution’s third party relationships.
Also ensure that you evaluate your third parties and require them to have a regulatory compliance program in place to determine if they comply with applicable laws and regulations and whether the cybersecurity posture and protection profile of the vendor aligns with that of the bank.
- Third Party Vendor Risk Assessment
Perform a formal third party vendor risk assessment on a periodic basis or whenever there is a significant change in either your technical infrastructure or third party vendor composition. Annually review all the vendors you do business with.
For high risk vendors make sure that you have commensurate cybersecurity controls in place. An internal or third party assessor should review these controls and test them for their effectiveness on a periodic basis.
- Due Diligence
Due diligence should be performed on all the significant third party vendors serving your institution. One of the main things to consider when performing due diligence is to review the vendor’s financial stability and monitor it on an ongoing basis.
The goal is to keep validating and reinforcing that the vendor meets the standards and stability required to provide the service or product to your bank without causing any risk to your environment or continued operations.
- Monitor Continuously
Banks should continuously monitor third party vendors. Review contracts and agreements, appoint personnel to monitor the vendors, review SSAE18/SOC reports from the vendors and also test banks controls that are in place specifically to address vendor connections and information flows to see how robustly they are able to manage risks that could potentially arise from vendors.
Banks should periodically rank third-party vendor relationships in accordance with their risk profile to determine which vendors require closer monitoring.
Lastly, it is a good idea to have your third party vendors perform comprehensive security reviews of their technical infrastructures. Such reviews include deep-dive, configuration-level cybersecurity assessments that go to the nuts and bolts of every technical component that a vendor uses in its organization. Comprehensive security reviews, owing to their highly technical and deep focus, can provide a significant marker of cybersecurity health to you and enable confidence in your vendor’s cybersecurity posture.
Technological advancements have meant that there is a sea of data constantly moving in and out of organizations. Given the challenging nature of monitoring and control in such an environment, tools can act as powerful accelerators to increase the efficiency and accuracy of third party vendor management and also provide real-time data with analyses.
This will enable you to make more informed decisions and even provide predictive insights into trends, patterns and warning indicators.
- Fourth Party Risk
A fourth party is your third party’s third party and you need to focus on them too. You need to know about all the critical vendors your third party relies on.Verify how capable your third party vendors are in monitoring their critical vendors and also review your vendor’s policies and procedures in place pertaining to vendor management. Ensure that your contracts specify that the critical services that are performed by your bank’s vendors cannot be further outsourced.
Regulations impacting vendor management will continue to change and evolve for financial institutions as they should, because they need constant attention. Third party vendor management should not be a reactive response to changes in technology and regulations.
Rather, it should be a proactive approach towards making a better and standardized life cycle of vendor relationships. Board members and management must become more agile and adaptive in their approach towards third party vendor selection and management.
At the end of the day, what you want is to make sure that your vendors are taking cybersecurity as seriously as you do.
- Federal Financial Institutions Examination Council (FFIEC) IT Examination Handbook InfoBase, available at http://ithandbook.ffiec.gov/it-booklets.aspx
Turn your employees into a human firewall with our innovative Security Awareness Training.
Our e-learning modules take the boring out of security training.
Get a curated briefing of the week's biggest cyber news every Friday.
Intelligence and Insights