Perspectives on third-party risk management
Some topics bear repeating and third-party risk management (TPRM) is one such topic. As I wrote in my column last year, third-party risks continue to be one of a bank’s greatest risks. Properly addressing these risks as a part of your overall business strategy is challenging.
I’m fortunate to be a part of a working group formed by several bank trade associations whose mission is to formally respond to the proposed interagency guidance, Third-Party Relationships: Risk Management, issued by the Board of Governors of the Federal Reserve System, the FDIC and the OCC. To use a line from our request to extend the comment period, “When finalized, the Proposed Guidance has the potential to impact the use and management of third parties, including as it relates to the development and deployment of technology-focused products and services. This could have a significant influence on the digital transformation of banks, particularly for small and midsize banks, and on the future of the banking system as a whole.”
Historically, bank leaders have been told that they need to address these vendor risks by having a vendor management program, by performing a risk assessment on their vendors, or both. Even security frameworks such as NIST or the FFIEC Cybersecurity Assessment Tool (CAT) offer only very generic guidance here.
According to the FFIEC examination handbook: “Financial institutions should establish and maintain effective vendor and third-party management programs because of the increasing reliance on nonbank providers. Financial institutions must understand the complex nature of arrangements with outside parties and ensure adequate due diligence for the engagement of the relationships and ongoing monitoring.”
So as the tablets are being written into stone, there is some hope that our thoughts and concerns addressed by the working group on behalf of our banking community will at least be heard. Additionally, the Texas Bankers ISAO (www.texasbankers.com/TBISAO) is tackling this issue head on. We have a great group of bankers as our Advisory Council and we’re on a mission to find solutions that our entire TBA community can benefit from.
This month I have asked a banker and a vendor to give us their perspectives on TPRM to help emphasize its importance. Our banker perspective is from Jon Villanti, SVP Director of Information Security at Allegiance Bank. Jon sits on our Texas Bankers ISAO advisory council. He will shed some light on the challenges TPRM brings along with guidance to follow from a bank perspective. Our vendor perspective is from Steve Sanders, chief information security officer at CSI. Steve provides some guidance on vendor due diligence. CSI is a Trusted Advisor to the Texas Bankers ISAO.
Supply chain compromise – some guidance for banks
Unbeknownst to most, in 2019 a highly advanced nation-state adversary sought out a new attack vector to hack government agencies, the defense industrial base and large technology providers. Many banks became accidental victims of this advanced attack. Threat models across the industry were turned upside down when FireEye’s Threat Research Blog on SolarWinds was released. The goal of this article is to get defenders to think and, more importantly, to act. In our profession knowledge is a given, but you will not succeed in information security if you don’t act upon what you know.
What Do We Know?
Supply chain and third-party compromises have been evolving since the targeted attack on RSA’s SecurID two-factor authentication product in 2011. This type of compromise reached the national stage in 2020 when the SolarWinds compromise became widely known: trusted third-party software, running inside private networks with valid and highly privileged credentials, was compromised and used to perform internal reconnaissance and to beacon out to command-and-control infrastructure for additional hacking instructions.
What Do We Do?
Most importantly, keep patching your software! Some pundits suggest the SolarWinds issue could have been avoided by not patching — while technically true, imagine the risk you’d be accepting if you ceased all patching efforts.
Next, assume breach. Harden your environment to limit adversarial damage after initial compromise. Put a solution in place to create unique local administrator passwords on every endpoint and tune host-based firewalls to limit lateral movement.
Think about the type of logging you need to support a breach investigation and set a log retention period that is longer than your mean time to detect a breach. In the case of SolarWinds, investigations began nine months after the initial exploit occurred.
Review the coverage of your security tools — you have all the tools, but are they properly deployed on all hosts and configured according to vendor best practices? Sync up with your vendors and conduct a quarterly review of your security tools to guarantee full coverage and optimization.
Fully understand the data retention policies of the tools you’re running. Many cloud-driven Endpoint Detection and Response (EDR) platforms retain data for 7 days unless there’s a detection. In the SolarWinds example, the malware remained inactive for 12 days after installation, leaving defenders without quality EDR data to leverage during their investigations. You can overcome this limitation with centralized logging — SIEMs are a popular solution in this area.
Log DNS traffic and look for recency, frequency and length of queries and responses — this will save the day when it comes to spotting command-and-control activity and attempts to export data using the DNS protocol. Examine the processes behind DNS requests and network connections. Are the requests expected and logical, and are they aligned with the implementation details provided by your vendor?
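As an added illustration of the DNS review described above (this is example code, not part of the original column or any product mentioned in it), the script below scores DNS query logs on exactly those three properties: the length and entropy of the leftmost label (long, high-entropy labels are how data is usually encoded into queries), the frequency of queries per client, process and registered domain, and the regularity of the gaps between queries (a near-constant interval is the signature of a timer-driven beacon). The log format, the thresholds, the process names and the sample lines are all constructed assumptions; adapt parse_line() to whatever your resolver or EDR actually emits, and replace the naive "last two labels" domain logic with a public-suffix list before relying on it.

```python
"""Score DNS query logs for command-and-control and DNS-tunnelling indicators.

Added example, not from the original article. Assumed log format, one query per
line: "<ISO-8601 timestamp> <client IP> <process> <qname>". Thresholds are
starting points for tuning, not vendor-recommended values.
"""
import math
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log (not captured from any real network). The 10.1.2.44 host
# queries a 40-character hex label under one domain every 600 seconds.
SAMPLE_LOG = """\
2021-03-01T09:00:00Z 10.1.2.30 chrome.exe www.example-bank.com
2021-03-01T09:00:05Z 10.1.2.30 chrome.exe cdn.example-bank.com
2021-03-01T09:00:09Z 10.1.2.30 outlook.exe autodiscover.example-bank.com
2021-03-01T09:00:00Z 10.1.2.31 chrome.exe www.example-bank.com
2021-03-01T09:00:07Z 10.1.2.31 chrome.exe www.example-bank.com
2021-03-01T09:00:30Z 10.1.2.31 chrome.exe static.example-bank.com
2021-03-01T09:00:31Z 10.1.2.31 chrome.exe www.example-bank.com
2021-03-01T09:01:35Z 10.1.2.31 chrome.exe www.example-bank.com
2021-03-01T09:03:20Z 10.1.2.31 chrome.exe cdn.example-bank.com
2021-03-01T09:00:00Z 10.1.2.44 monitor.exe 0123456789abcdef0123456789abcdef01234567.updates.example-tool.net
2021-03-01T09:10:00Z 10.1.2.44 monitor.exe 89abcdef0123456789abcdef0123456789abcdef.updates.example-tool.net
2021-03-01T09:20:00Z 10.1.2.44 monitor.exe 456789abcdef0123456789abcdef0123456789ab.updates.example-tool.net
2021-03-01T09:30:00Z 10.1.2.44 monitor.exe cdef0123456789abcdef0123456789abcdef0123.updates.example-tool.net
2021-03-01T09:40:00Z 10.1.2.44 monitor.exe 23456789abcdef0123456789abcdef0123456789.updates.example-tool.net
2021-03-01T09:50:00Z 10.1.2.44 monitor.exe ef0123456789abcdef0123456789abcdef012345.updates.example-tool.net
"""

LABEL_MIN_LEN = 30       # a leftmost label this long with high entropy looks like encoded data
LABEL_MIN_ENTROPY = 3.0  # bits per character; hex/base32/base64 payloads score high
BEACON_MIN_QUERIES = 6   # need enough samples before judging interval regularity
BEACON_MAX_CV = 0.15     # coefficient of variation of inter-query gaps; ~0 means a fixed timer


def shannon_entropy(s):
    """Bits of entropy per character in s (0.0 for an empty string)."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_line(line):
    """Split one assumed-format log line into (timestamp, client, process, qname)."""
    ts, client, process, qname = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), client, process, qname.lower().rstrip(".")


def registered_domain(qname):
    """Naive: last two labels. Use a public-suffix list in production (co.uk etc.)."""
    return ".".join(qname.split(".")[-2:])


def analyse(log_text):
    """Return {(client, process, domain): metrics and flags} for every query group."""
    groups = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ts, client, process, qname = parse_line(line)
            groups[(client, process, registered_domain(qname))].append((ts, qname))

    report = {}
    for key, entries in groups.items():
        entries.sort()
        # The leftmost label carries the payload in most DNS tunnelling schemes.
        labels = [q.split(".")[0] for _, q in entries if q.count(".") >= 2]
        encoded = [l for l in labels
                   if len(l) >= LABEL_MIN_LEN and shannon_entropy(l) >= LABEL_MIN_ENTROPY]
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(entries, entries[1:])]
        cv = pstdev(gaps) / mean(gaps) if len(gaps) >= 2 and mean(gaps) > 0 else None
        beacon = len(entries) >= BEACON_MIN_QUERIES and cv is not None and cv <= BEACON_MAX_CV
        report[key] = {
            "queries": len(entries),
            "max_qname_len": max(len(q) for _, q in entries),
            "encoded_labels": len(encoded),
            "gap_cv": cv,
            "flag_tunnel": bool(encoded),
            "flag_beacon": beacon,
        }
    return report


def suspicious(log_text):
    """Sorted list of (client, process, domain) groups that tripped either flag."""
    return sorted(k for k, m in analyse(log_text).items() if m["flag_tunnel"] or m["flag_beacon"])


if __name__ == "__main__":
    for key, metrics in analyse(SAMPLE_LOG).items():
        print(key, metrics)
```

Run against the constructed sample, only the monitor.exe group on 10.1.2.44 is flagged, on both rules; the chrome.exe host that queries the same bank domain six times is not, because its inter-query gaps are irregular. The point of keying on process as well as client is the article's second question: once a group is flagged, the process name is what lets you compare the traffic with the vendor's documented behaviour.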
Develop a robust vendor management program that moves beyond the SOC report and vanilla questionnaires — especially for your most critical vendors. Your process may satisfy regulators, but will it uncover the true risks a given vendor poses to your bank? We know business email compromise (BEC) is out of control, but do you know what email platform your vendors use? If their email is internet accessible without multi-factor authentication, they’re at increased risk for BEC and your bank may start receiving weaponized emails from a trusted vendor.
Most importantly, think like an attacker and operationalize your knowledge of their playbooks. You know where your most sensitive data lives — what will an attacker need to do after initial compromise to get to your crown jewels? Understanding your network, users and devices allows for a deeper understanding of what to look for in your SIEM and how to create high fidelity alerts with low rates of false positives.
Aim for perfection and achieve excellence along the way — it’s a recipe for true security and one that keeps executives, auditors and examiners happy.
5 Tips for risk-based vendor due diligence
The third-party risk management guidelines issued by the OCC and the FFIEC over six years ago are still causing ripples in the financial services community. Whether vendor management is an outsourced service or still performed internally, it’s time to rethink and mature your vendor management programs with these five tips:
1. A due diligence template (to get started)
Due diligence should be performed on all vendors, but not to the same degree. Start by using these four key steps for risk-based vendor due diligence:
Pull the most recent list of all your vendors.
Classify them into the following “risk-based” categories: general vendors, confidential/sensitive data vendors and strategic vendors.
Perform the appropriate level of due diligence as described below for those risk categories.
Repeat the due diligence as appropriate.
2. Start simple with general vendor due diligence
Any time you contract with an outside vendor, investigate the following factors:
Business Impact Analysis: Ask yourself what happens to your bank if something happens to this vendor, e.g., they go out of business or lose a key subcontractor.
Business Type and Status: Determine if the vendor is a legal entity and of what type: corporation, LLC or sole proprietorship.
Insurance: Confirm the vendor has general liability insurance and if any specialty insurance is needed.
Contract: Develop a written, enforceable agreement.
Service Level Agreements: Ensure that both parties have agreed on how performance will be measured.
Relationship Owner: Identify the employee who will own this relationship and monitor performance.
Confidentiality Statements: These are typically needed when proprietary information will be shared with the vendor, e.g., details about an upcoming product launch shared with a graphic designer or freelance writer.
This level of due diligence is sufficient for vendors in the general category which likely makes up most of your vendor list.
3. Confidential/sensitive data vendor due diligence
Vendors that have access to your confidential or sensitive data should be placed in the confidential/sensitive data category. In addition to completing the tasks for general vendors, you must conduct enough additional due diligence on these vendors to ascertain whether they are able to protect your data to the level required by the Gramm-Leach-Bliley Act, including:
Specific contract language
Business continuity and disaster recovery
Employee background checks
Vendor’s own due diligence
4. Strategic vendor due diligence
The strategic category usually consists of the fewest vendors. However, these vendors require the most due diligence. In addition to the confidential/sensitive data and general information collected above, you should collect the following:
Ownership of the company
Continuous relationship monitoring
Legal and compliance issues
Mergers or acquisitions
Corporate image, news and social media
Alternative vendor on deck
5. Don’t boil the ocean
A common mistake in vendor management is unsustainability. This often comes from a misunderstanding about what is expected, resulting in unrealistic expectations that ultimately reduce the effectiveness of a program. Understand the “why” behind every document requested and every question asked. Rather than using cookie cutter lists of hundreds of questions, only ask those that are relevant to your due diligence procedures.
Comprehensive vendor management is achievable
While time consuming, it’s in your institution’s best interest to ensure that general vendors are appropriately vetted, that confidential/sensitive data vendors can protect your sensitive data and that strategic vendors can perform their critical functions. Otherwise, the penalty could come in the form of both lost business and compliance violations — a double whammy for any institution.