It seems like every day brings a new story about a data breach caused by a financial institution’s third-party provider.
A statement-printing vendor data breach exposes the personal data of 100,000 credit union members. A bank’s mortgage division finds out its insurance monitoring vendor exposed an unknown number of borrowers’ Social Security numbers and mortgage account numbers. The stories of recent security breaches are endless.
While every third-party provider data breach is a major headache for financial institutions and consumers, each breach brings slightly different challenges and different lessons learned.
Let’s look at three recent breaches.
In a story that sounds eerily similar to the Accellion breach in 2021, a California bank reported a data breach in February 2023 after hackers exploited a weakness in its third-party file transfer service. Nearly 140,000 consumer names and Social Security numbers were exposed. While the vendor discovered the issue January 29, the vendor didn’t notify the bank until February 3 – after a well-known security blogger highlighted the system flaw, TechCrunch reports.
What can we learn from this breach: This breach reminds us of two key lessons.
Regulatory agencies have been setting expectations for notification of breaches. In February 2023, the National Credit Union Administration (NCUA) approved its final rule requiring credit unions to notify the NCUA of a data breach within 72 hours of discovering an incident that exposes sensitive member information or could materially harm the credit union. Federal banking regulators released a similar rule in 2021 requiring banks to report breaches to their regulator within 36 hours.
The challenge with third-party provider breaches is that financial institutions depend on their vendors to promptly notify them of potential incidents. When vendors aren’t as proactive as they should be with their notification, it can put their financial institution partners at risk.
One way to help mitigate this risk is with negative news monitoring. When a financial institution’s vendor management program includes negative news monitoring, it can give an FI a heads up on a problem even before a vendor notices it – giving the institution a head start to address the problem and resolve it as quickly as possible. In this case, negative news alerts could have called attention to the blog discussing the vendor’s security issue. In an ideal world you’d never find out about a third-party data breach from a news article (or a customer or member) before your vendor tells you, but in the real world, negative news alerts are essential.
Another valuable control is the third-party vendor agreement. Financial institutions can’t assume vendors will tell them about a problem – they need to require it as a provision of their vendor agreement. Specifics are key. The agreement should include a definition of the term incident or breach and specify a timeline for response. This makes a vendor legally obligated to disclose a cyber incident.
Customer authentication service Okta, which serves the financial services industry, reported two third-party breaches in 2022.
What can we learn from this breach: Fourth-party risk is a part of third-party risk management.
Are two third-party vendor breaches in a few months bad luck or a sign of a deficiency in the vendor’s own third-party oversight program? When a vendor experiences multiple third-party breaches, it’s a good idea to reassess that vendor’s own vendor management program. Are there strong controls in place? Is your institution comfortable with the program? Is the vendor taking steps to strengthen oversight and reduce cyber risk?
These are important questions to ask because it’s likely your examiner will be asking them too.
In June 2022 Diligent Corporation, which provides governance software to the financial services industry and others, reported a May 2022 data breach impacting a little over 1,000 people. In February the company revised its count upward by 5,000% to almost 50,000 consumers, according to DataBreaches.net.
The breach stemmed from one of Diligent’s subsidiaries. Diligent wrote in an update, “Diligent recently learned the precise scope of the unauthorized third party’s access, when the third party posted a set of files that it had acquired on an external site. That access appears to have included access to personal data we did not initially believe was accessed.”
What can we learn from this breach: The importance of vendor follow-up and breach investigation can’t be overstated. It’s not enough for a vendor to say it will investigate the cause of a breach. It also needs the resources to fully understand the root cause as well as the depth and breadth of the breach so that impacted institutions can inform regulators and consumers.
Consumers trust financial institutions to protect their data. A data breach is bad enough without having to come back and say that you’ve made a mistake and misjudged the size of the breach.
As part of your vendor due diligence, make sure your vendor has a plan for investigating data breaches, tracing both the cause and the size.
Financial institutions and their third-party providers are attractive targets for cyber criminals. Study after study confirms that the financial services industry is one of the most popular targets for hackers, and that the cost of financial institution data breaches continues to rise.
Vendor management is a critical element of data security. With so many third-party providers requiring access to non-public personal information (NPII) and other sensitive data, due diligence can’t be a one-and-done activity. Financial institutions need to regularly assess the data security practices of their third-party providers while proactively cyber-monitoring vendors to identify security weaknesses and news of potential issues.
Make sure your vendor management program is built for proactive vendor cybersecurity oversight. Get in touch with our team to learn more about how our vendor management software and services can help.