Third-party vendors are often the weak link in the cybersecurity fence. From the HVAC company with unfettered access that caused the infamous Target breach to the sound editing company that caused Netflix show Orange is the New Black to be leaked, vendors can cause a lot of damage. A 2013 study by digital security company Trustwave found that third parties were responsible for 63 percent of breaches.
FIs often think of vendors as trusted partners that give them the resources to accomplish things they couldn’t do on their own. While this can be true, that trust can’t be built on faith alone. FIs must take action to limit third-party risk, particularly when a vendor has access to the FI’s customer data or systems. Regulators have a lot to say on the topic (Fed, FDIC, OCC, NCUA), but it essentially boils down to three key steps:
- Due diligence. A thorough due diligence process has two benefits. First, it gives your FI the opportunity to ensure that your vendor has strict cybersecurity and data security policies, procedures, and controls as well as a solid reputation. Second, it shows regulators that you carefully vetted the vendor.
- Negotiating controls in the contract. Your FI can’t understand and mitigate its risk exposure if it doesn’t have insight into the vendor’s security practices. A carefully negotiated contract can give you this information. Notice-of-breach clauses set how quickly your FI will learn of security incidents such as breaches and attempted breaches. You also need the right to audit, giving you access to a vendor’s internal processes, including the vendor’s cyber resilience, patching and update procedures, and testing results and reports. Ensure there are policies to protect customer data and limit its usage. Design the contract so it can evolve with regulatory and technological changes instead of benchmarking it to a standard or rule that can become outdated.
- Oversight. Maximize the value of your controls by using them to monitor and mitigate risk. Audits and reports do little good if you don’t carefully review them to see whether the vendor is living up to your expectations and keeping data and systems safe.
The WannaCry ransomware that infected more than 300,000 machines across the world earlier this month is yet another reminder of the importance of strong cybersecurity, including software patches and updates.
While machines running updated versions of Microsoft Windows were protected from the malware, those that didn’t automatically update software or, worse yet, operated Windows XP, a legacy product Microsoft stopped supporting two years ago, were in danger. The attack encrypted the user’s data and demanded a ransom payment to get the information back.
The good news is that few institutions in the U.S. were affected, but this may not be the case for every cyberattack. That’s why financial institutions (FIs) need to be sure to have strong cybersecurity in place—and they must be certain their vendors do the same—so that systems and customer data remain secure. Ncyber is an online version of the FFIEC Cybersecurity Assessment Tool that can help your FI get a handle on cyber risks.
Don’t wait until the next worldwide bug hits to assess the risks posed by your third-party vendors. We may have been lucky this go around, but the next attack could be more sophisticated.