Vendor cyber breaches are shockingly common. A study released by the Ponemon Institute in November revealed that 59 percent of respondents in the U.S. and U.K. report that a third party caused a data breach.
That includes the 42 percent of organizations that experienced a vendor-related data breach in the past 12 months. Another 22 percent didn’t even know if they’d been exposed by a third-party data breach.
Consider these recent examples:
Corporations Services Company (CSC). Routine security monitoring detected unauthorized access to CSC’s network and systems in April 2018. The company, which serves over 3,000 financial institutions, said that a database with client information containing at least 5,600 individual’s names, Social Security numbers or credit/debit card information was stolen. The company has since added controls like two-factor authentication, more firewalls and longer employee passwords.
Scottrade Bank. More than 20,000 customers’ sensitive information was exposed when third-party vendor Genpact “uploaded a data set to one of its cloud servers that did not have all security protocols in place.” It was discovered by an outside researcher.
InTouch Credit Union. A third-party data analytics service was a victim of a ransomware attack. Member Social Security number and account information was exposed. As a result, the institution changed accounts and cards for all affected accounts and provided data monitoring for thousands of members.
No matter how strong a financial institution’s own cyber defenses are, it’s really only as strong as its weakest vendor.
Ongoing Vendor Monitoring: What to Look for
Ongoing monitoring of your vendors’ cybersecurity programs is critically important. This includes:
- Ongoing monitoring of your vendors’ cybersecurity controls to detect vulnerabilities before there is an issue and take action if an issue is uncovered
- Assessing your vendors’ ability to effectively identify and resolve incidents
- Comprehensive documentation of activity regarding your vendors’ cybersecurity program
- A system for recording incidents and resolutions regarding your vendors’ cybersecurity issues so you can document due diligence for regulators, seek remediation if a vendor has violated its service level agreement and uncover patterns
- Ensuring a vendor’s cyber risk aligns with your institution’s appetite for cyber risk
Don’t assume your vendor is protecting your sensitive data. Make sure you are taking proactive steps to ensure vendors are up-to-date on the latest threats and addressing cybersecurity thoroughly.