Vendor risk management is an ongoing process—one that begins with due diligence before a contract is signed and continues with monitoring throughout the length of the relationship. This blog series on the Top 10 risks will help you more effectively address third-party vendor risk throughout every department in your financial institution.
#3 Cybersecurity Risk
In a world of increasingly sophisticated cyber threats, it’s essential that vendors are able to prevent, detect and respond to cyberattacks. Cybersecurity risk is about having tools, policies and procedures to identify and mitigate internal and external cyber threats and vulnerabilities.
Some people might argue that cyber risk is already covered by operational, transaction, strategic, compliance and country risk—and in many ways it is. But the growing number of hacks, attacks and other threats makes it clear that more effort is needed.
It’s a message that comes from the top, beginning with President Barack Obama’s 2015 Executive Order, Promoting Private Sector Cybersecurity Information Sharing. Later that year the FFIEC released its Cybersecurity Assessment Tool to help banks and credit unions evaluate potential cybersecurity risks and understand their inherent risk and cybersecurity maturity. Now the Fed, OCC and FDIC have released an advance notice of proposed rulemaking for enhanced cyber risk management standards.
Rather than lump cyber risk in with other categories, it’s important for banks and credit unions to directly address this risk with their critical vendors, using the NIST Cybersecurity Framework.
Here are the areas where FIs should be focusing their cybersecurity due diligence:
- Identify high-risk activities. A vendor poses a greater cyber risk—and requires increased management oversight—when it meets any of these conditions:
  - Housing confidential data in a cloud-based system
  - Housing or outsourcing confidential data offshore
  - Outsourcing sensitive activities and/or a number of critical operations
  - Using web-based services to conduct business transactions with customers
  - Permitting third-party providers to access confidential data
- Controls from the top. The vendor’s board or a committee should oversee cybersecurity controls, monitoring, protocols and risk assessment.
- Protect systems. Both physical access and systems controls should be logged and monitored. Email and customer data should be secure.
- Incident response. Third-party vendors must have an incident response policy.
- Internal controls. Vendors must implement controls to prevent or mitigate the severity of a cybersecurity attack.
- Business continuity. Vendors must implement and test their business continuity program.
- Human resources. Access controls should be role-based and granted based upon job function. Personnel should be screened before hiring and employees should undergo data safety training.
- Data security. There should be defined protocols, including multi-factor authentication, for protecting data both in transit and in storage, as well as protocols for securely destroying data.
- Cloud risk. Vendors that rely on a cloud-based system require additional scrutiny.
With this assessment complete, it will be easy to answer regulators’ increasing questions on the topic—and ensure your institution is doing everything it should to mitigate risks.