Alvin Mills
VP of Information, Technology & Security

Third-party risk — Where do we start?

A recent article in the Wall Street Journal — “Cyber Risks Force Banks to Rethink Vendor Relationships” — suggests that the usual means of assessing vendor risk are no longer appropriate. Vendor risk management has become a crucial area of cybersecurity as banks move operations to the cloud and asset managers hire third parties to manage their technology.

There was a time, not long ago, that banks were very reluctant to outsource any of their functions, especially technology functions. This was mainly fueled by the fear of the unknown.

Where is the cloud? It’s over there. Where is there? I don’t know. But as vendors provided more assurances/attestations (SOC2) for the services they provided, and bank leaders received more pressure to lower operational expenses, banks started outsourcing parts of their business.

Now it’s unusual to see a bank that isn’t outsourcing at least some of its business functions. But, for me, the fear has never gone away; in fact, I rank third-party risk as our highest risk. This view is shared by many of my peers, and the regulators are certainly aware of it as well. You can outsource business functions all day long, but you can never outsource accountability.

Historically, bank leaders have been told that they need to address these vendor risks by having a vendor management program, or they need to do a risk assessment on their vendors, or both. Even the security frameworks such as NIST or FFIEC (CAT) are very generic in their guidance.

According to the FFIEC examination handbook: “Financial institutions should establish and maintain effective vendor and third-party management programs because of the increasing reliance on nonbank providers. Financial institutions must understand the complex nature of arrangements with outside parties and ensure adequate due diligence for the engagement of the relationships and ongoing monitoring.”

How do you eat the elephant? One bite at a time

  • What you don’t know you don’t know: Start by inventorying your third parties. I’m amazed at the number of businesses that claim, “I didn’t even know we were doing business with that company,” after a data breach. Get Information Technology staff involved to inventory your vendors. You want a clear understanding of how your data, especially your personally identifiable information (PII), flows in and out of your systems and network.
  • Prioritize partner risks: If you have direct network connections to a vendor, that vendor has access to your systems. Likewise, if the information you send a vendor is personally identifiable, that vendor holds your PII. Vendors in either category are considered high-risk. Start with them first.
  • Conduct your vendor vetting process before contracts are signed.
  • Assess contracts, agreements and assurance reports: Get the right people in the room to review these documents. Look at non-disclosure agreements. Good questions to ask include: Does the vendor have cyber insurance? What is their data privacy policy? What is their business continuity plan? Do they have a disaster recovery plan? How financially stable are they?
  • Continuously monitor and review: Things change over time, especially in technology. Have network connections been modified? Have firewall rules been reviewed? Has the vendor had any personnel changes?

What the future holds

I’ve heard rumblings that now is the time to force vendors to comply with a set of cybersecurity and resilience standards, requiring certifications showing they comply in order to provide services. That sounds promising, but who is going to issue the certifications? How can financial service providers be satisfied that the accreditation, or certification, means anything?