64% of the financial sector’s supply chain is unmonitored. That’s not a typo. Most financial firms don’t have visibility into two-thirds of their third-party ecosystem. And attackers know it.
Practitioner Insight: 4 Best Practices for Supply Chain Risk Resilience in Finance
Like any other global industry, financial services companies face tremendous challenges of scale and complexity when it comes to managing cyber risk across their digital supply chain.
The financial services supply chain is composed of more than 1.6M third-party relationships across the industry ecosystem. These range from the obvious hyperscale cloud relationships with the likes of AWS, Google, and Microsoft to niche relationships with highly specialized fintech vendors that nevertheless provide services crucial to the industry.
The good news is that financial services companies are ahead of any other sector in terms of third-party risk management practices. The bad news? A staggering 64% of the financial services digital supply chain remains unmonitored, according to research from Bitsight TRACE. In fact, at the time of writing this, many financial organizations are assessing the impact of a cyber attack targeting a critical third-party vendor.
There’s no easy answer for improving those numbers, but I recently caught up with a longtime C-level security veteran to analyze how the best in the business are leveling up their supply chain cyber risk management practices.
Four financial sector best practices, from a veteran CSO
Roland Cloutier has an expansive career as a security leader in both the technology and the financial services industries, including a more than decade-long tenure as CSO at ADP.
Based on his experience at ADP and discussions with his peers across the financial services industry, Cloutier identifies the following four steps as the most fundamental to improving the industry’s supply chain risk posture. According to Cloutier, the financial services companies that excel in managing risk across their digital supply chain are:
1. Using automation to drive supply chain mapping,
2. Leveraging CTI to contextualize supply chain risks,
3. Mapping business criticality to prioritize supply chain risks, and
4. Feeding supply chain visibility into security operations.
Let’s look at each step in further depth.
1. Use automation to drive supply chain mapping
“One of the things that is so difficult for us on the practitioner side is understanding every independent level of a business process that may or may not rely on a third-, fourth-, or fifth-party — from API connections to marketing and so on,” Cloutier says. “This points to a critical need for financials to be able to auto-discover the supply chain within our business.”
The foundation of sound supply chain cyber risk management is understanding the full supply chain and the digital ecosystem behind it, he explains. And the complexities of the modern digital supply chain, whether in financial services or any other industry, have made it nearly impossible to accurately map a supply chain manually.
“If you think of all the things that drive a digital supply chain of any given business process, the key to success is in how I examine each of these points and consume information in a way that helps me understand which business process is using what portion of that infrastructure, either for actual cloud instances, connecting for a data exchange, or relying on a third-party in the AI pipeline and so on.”
2. Leverage CTI to contextualize supply chain risks
Cyber threat intelligence (CTI) is an often underutilized tool in the pursuit of sound supply chain risk management.
“The ability to see deep inside of CTI data to understand not only how critical infrastructure providers defend against financial crime but also the broader context in which the threats operate is so important,” Cloutier says. “Yes, financial services is where all the money is and people want the money, but there are also larger implications of the industry’s role in society.”
Oftentimes terrorists or nation-state actors target the industry because of its position in the underlying economic ecosystem of the countries in which the institutions or their service providers operate. CTI can help contextualize all of the different supply chain risk ripples that occur as threat actors adapt their tactics, techniques, and procedures. “So having that perspective on the broader ecosystem of our business and the threats against them is crucial to help define, map, and understand edge cases that can impact our supply chain outside the core issue of financial crimes,” he says.
3. Map business criticality to prioritize supply chain relationships
“As important as it is to mesh a supply chain map with CTI to be able to tell what components are most threatened, even more important is understanding which parts of the supply chain are most critical business processes and, ultimately, the core missions of the business,” Cloutier says.
The most effective financial services companies not only map out their third-party and nth-party supply chain relationships, they also find ways to score those relationships for business criticality.
“Focus on mapping so that you can understand the impact to the business. So that you get to the issues faster with vendors or partners or technologies that are more critical, rather than just worrying about the KEVs and the CVEs,” he says. “This assures that the business pipeline is resilient.”
4. Feed supply chain visibility into operations
The next big step in effectively reducing digital supply chain risks is taking that contextualized relationship mapping and using that to establish continuous monitoring that can be effectively operationalized, Cloutier says.
“Being able to actively and quickly get to those supply chain risk issues is where we need to be focused as an industry,” he says. “The big question is, how do you get supply chain information over to ops? How do you automate this in a way we haven’t before?”
In Bitsight’s recent State of Cyber Risk and Exposure study, only about 33% of companies across all industries reported that they continuously monitor all of their third-party relationships for risk. Even in the financial industry this remains a sticking point.
As Cloutier explains, effectively tracking the ebb and flow of supply chain risks in dynamic financial ecosystems is the core technical challenge that the industry has to address to get this right.
“I’m not a nerd, but I play one on TV,” says Cloutier. “And as a risk leader I know there has to be a technology component to this. Validating performance and showing that linkage to the business end-to-end is still very problematic for many organizations.”
Ultimately, the goal is to not only identify the biggest supply chain risks, but also to effect change in how the most impactful vendors and partners handle their security postures, he adds.
“At the end of the day there needs to be more technology and services to accomplish what we need at speed — which is to see who the biggest problems are in our ecosystem fastest and make change recommendations,” he says. “Then we can apply that kind of pressure that we uniquely have as financial organizations to solve for those.”
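To make steps 2 through 4 concrete, here is an added example of how a relationship inventory, threat-intelligence flags, and a business-criticality score can be combined into a single prioritized queue for security operations. This is illustrative code written for this article, not Bitsight’s or Cloutier’s tooling: the vendor names, CVE counts, intel flags, and weighting constants are all constructed, and any real program would pull them from a supply chain map and a CTI feed.

```python
"""Prioritize third-party relationships by business criticality and threat context,
then emit an operations queue.  Constructed example: vendors, weights and intel
flags are illustrative, not data from the article or from any real vendor."""
from dataclasses import dataclass

# Constructed weighting for the business process a relationship supports.
CRITICALITY_WEIGHT = {"mission-critical": 4.0, "high": 3.0, "medium": 2.0, "low": 1.0}


@dataclass(frozen=True)
class Relationship:
    vendor: str
    depth: int               # 3 = third party, 4 = fourth party, ...
    business_process: str
    criticality: str         # key into CRITICALITY_WEIGHT
    open_cves: int           # unremediated CVEs observed on the vendor's exposed assets
    kev_cves: int            # subset of open_cves also listed as known exploited
    cti_targeted: bool       # CTI reports active campaigns against this vendor or its niche
    monitored: bool          # relationship is under continuous monitoring


def cve_count_rank(rels):
    """Naive ordering: most open CVEs first.  This is the 'just worrying about
    the KEVs and the CVEs' view the article argues against."""
    return [r.vendor for r in sorted(rels, key=lambda r: r.open_cves, reverse=True)]


def risk_score(r):
    """Business criticality x threat context x exposure.
    A vendor with few open CVEs still ranks high when it supports a critical
    process and CTI says it is actively targeted."""
    threat = 1.0 + 0.5 * r.kev_cves + (1.5 if r.cti_targeted else 0.0)
    exposure = 0.5 + min(r.open_cves, 10) / 10.0   # capped so raw CVE volume cannot dominate
    return round(CRITICALITY_WEIGHT[r.criticality] * threat * exposure, 2)


def contextual_rank(rels):
    """Ordering that meshes the supply chain map with CTI and criticality."""
    return [r.vendor for r in sorted(rels, key=risk_score, reverse=True)]


def ops_queue(rels, threshold):
    """Feed for security operations: monitored relationships above the threshold
    become investigation tasks (highest score first); unmonitored relationships
    become onboarding tasks, because they cannot be scored reliably at all."""
    investigate, onboard = [], []
    for r in rels:
        if not r.monitored:
            onboard.append({"vendor": r.vendor, "action": "onboard-monitoring",
                            "process": r.business_process})
        elif risk_score(r) >= threshold:
            investigate.append({"vendor": r.vendor, "action": "investigate",
                                "score": risk_score(r), "process": r.business_process})
    investigate.sort(key=lambda t: t["score"], reverse=True)
    return investigate + onboard


# Constructed inventory: a handful of relationships with deliberately different profiles.
RELATIONSHIPS = [
    Relationship("PaymentsRail Inc", 3, "card settlement", "mission-critical", 2, 1, True, True),
    Relationship("MarketingSaaS Co", 3, "campaign email", "low", 14, 0, False, True),
    Relationship("CloudHost LLC", 3, "core banking hosting", "mission-critical", 0, 0, False, True),
    Relationship("FraudModel AI", 4, "transaction scoring", "high", 3, 0, True, False),
]

if __name__ == "__main__":
    print("CVE-count order:  ", cve_count_rank(RELATIONSHIPS))
    print("Contextual order: ", contextual_rank(RELATIONSHIPS))
    for task in ops_queue(RELATIONSHIPS, threshold=5.0):
        print(task)
```

With the constructed data, the CVE-count view puts the low-criticality marketing vendor first because it has the most open findings, while the contextual view puts the payments vendor first (fewer CVEs, but one known-exploited and an active-targeting report against a mission-critical process) and surfaces the unmonitored fourth-party AI vendor as an onboarding task rather than silently leaving it unscored.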