Third-party vendors are becoming increasingly vulnerable to cybersecurity threats. Target’s infamous breach, which was caused by an HVAC company with unfettered access, and the leak of Netflix’s show, Orange is the New Black, caused by a sound editing company, are just some examples of how vendors can cause significant damage. According to a study by digital security company Trustwave, third parties were responsible for 63 percent of breaches.
Although financial institutions (FIs) often think of vendors as trusted partners who provide them with the necessary resources to achieve their goals, trust cannot be built on faith alone. FIs need to take action to limit third-party risks, particularly when a vendor has access to the FI’s customer data or systems. Regulators, such as the Federal Reserve, the FDIC, OCC, and NCUA, have a lot to say on the subject, but it essentially boils down to three key steps.
First, due diligence is essential. A thorough due diligence process has two benefits. It gives the FI the opportunity to confirm that the vendor has strict cybersecurity and data security policies, procedures, and controls, as well as a solid reputation. It also shows regulators that the FI carefully vetted the vendor.
The second step involves negotiating controls in the contract. The FI cannot understand and mitigate its risk exposure if it does not have insight into the vendor’s security practices, and a carefully negotiated contract can provide this information. Notice-of-breach clauses tell the FI how quickly it will learn of security incidents such as breaches and attempted breaches. The FI also needs the right to audit, giving it access to the vendor’s internal processes, including its cyber resilience, patching and update procedures, and testing results and reports. The contract should include policies that protect customer data and limit its use. Design the contract so it can evolve with regulatory and technological changes instead of benchmarking it to a standard or rule that can become outdated.
Finally, oversight is crucial. FIs need to maximize the value of their controls by using them to monitor and mitigate risk. Audits and reports do little good if they are not carefully reviewed to confirm that the vendor is meeting the FI’s expectations and keeping data and systems safe.
One notable example is the SolarWinds hack, which occurred in late 2020 and impacted numerous organizations, including several financial institutions. SolarWinds is a software vendor that provides network management tools. The attackers inserted a backdoor into a software update released by SolarWinds, allowing them to gain access to the networks of organizations that used the software.
Another recent example is the Kaseya ransomware attack that occurred in July 2021, which impacted several Managed Service Providers (MSPs) that used Kaseya’s VSA software to manage their clients’ IT systems. The attackers exploited a vulnerability in the software to deploy ransomware on the networks of several MSPs, which in turn impacted their clients, including financial institutions.
These attacks highlight the importance of software security and the need for organizations to regularly update and patch their software to mitigate the risk of cyber attacks. FIs need strong cybersecurity controls of their own, and they must ensure their vendors have the same so that systems and customer data remain secure. Cybersecurity assessment tools can help FIs evaluate cyber risks. FIs cannot afford to wait for the next bug to hit before assessing the risks posed by third-party vendors; they must act proactively to mitigate risks and strengthen cybersecurity measures.