Financial Services Cybersecurity: Third- & Fourth-Party Best Practices

Bryana Dacri | September 13, 2017

The financial services industry is known for its mature cybersecurity programs. There are many drivers for this, one being the increasingly strict regulatory environment. For example, the Office of the Comptroller of the Currency (OCC) indicated in early 2017 that financial services companies should be prepared for examiners to evaluate their third-party cybersecurity.

Beyond complying with additional regulations, financial service companies are also motivated by the amount of financial data that could be impacted. If customer or employee financial records are compromised by a third-party breach, it could result in material loss and major disruptions that could slow or halt business.

The upside is that these pressures have led to the fine-tuning of best practices when it comes to cybersecurity in financial services. Below, we’ve outlined five of those best practices, and why you should consider implementing them if you haven’t already.

Financial Services In Cybersecurity: Analyzing Third- & Fourth-Party Best Practices

1. Collaborating with vendors.

Many financial services companies work closely with their critical vendors to ensure those vendors are employing top security practices. While this certainly benefits the vendors, it ultimately protects the first-party organization's own data: a vendor that holds that data and is breached can cause catastrophic losses for the first party. If you want to be proactive about cybersecurity, improving vendor collaboration is a great place to start.

2. Creating a fourth-party risk program.


Have you considered the risk associated with your vendors' subcontractors, or "fourth parties"? If not, you should look into this immediately. Consider this: if 8 out of 10 of your critical vendors use a particular subcontractor and that subcontractor is breached, will your services be impacted? The answer is likely yes; a single fourth party shared by most of your critical vendors is a concentration risk that no individual vendor assessment will reveal. Simply having a program for fourth-party monitoring is an important step to take when it comes to cybersecurity in financial services.
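The "8 out of 10" scenario above is a concentration question, and it can be answered mechanically once you have an inventory of which subcontractors each critical vendor relies on. The following is an added example written for this page (it is not BitSight code and does not use any BitSight API): it inverts a constructed vendor-to-subcontractor inventory into a fourth-party exposure map, ranks fourth parties by the share of your critical vendor base they could take down, and answers "which of my vendors are hit if this fourth party is breached?" The vendor and subcontractor names, and the 50% concentration threshold, are assumptions for illustration.

```python
"""Fourth-party concentration check.

Added example for this article; not BitSight code. The inventory below is
constructed sample data: each critical vendor maps to the subcontractors
("fourth parties") it depends on. Names are hypothetical.
"""
from collections import defaultdict

# Constructed sample inventory: critical vendor -> set of fourth parties.
# 8 of the 10 vendors depend on the same hosting provider, mirroring the
# scenario in the article.
VENDOR_FOURTH_PARTIES = {
    "PaymentsCo":       {"CloudHostA", "IdentityProviderX"},
    "CoreBankingInc":   {"CloudHostA", "BackupVaultB"},
    "CardProcessorLtd": {"CloudHostA"},
    "LoanServicingCo":  {"CloudHostA"},
    "FraudAnalyticsAI": {"CloudHostA"},
    "StatementPrintCo": {"PrintMailHub"},
    "CallCenterBPO":    {"IdentityProviderX"},
    "KYCVerifyInc":     {"CloudHostA", "IdentityProviderX"},
    "TreasurySoftware": {"CloudHostA", "BackupVaultB"},
    "ATMNetworkOps":    {"CloudHostA"},
}


def fourth_party_exposure(inventory):
    """Invert vendor -> {subcontractors} into subcontractor -> {vendors}.

    Each key is a fourth party; each value is the set of critical vendors
    that would be affected if that fourth party were breached.
    """
    exposure = defaultdict(set)
    for vendor, subcontractors in inventory.items():
        for sub in subcontractors:
            exposure[sub].add(vendor)
    return dict(exposure)


def concentration_report(inventory, threshold=0.5):
    """Rank fourth parties by the share of critical vendors depending on them.

    Returns a list of dicts sorted by descending share. A fourth party whose
    share meets `threshold` (assumed 50% here) is flagged as concentrated,
    meaning a single incident there reaches a majority of your vendor base.
    """
    total_vendors = len(inventory)
    if total_vendors == 0:
        return []
    rows = []
    for sub, vendors in fourth_party_exposure(inventory).items():
        share = len(vendors) / total_vendors
        rows.append({
            "fourth_party": sub,
            "vendors": sorted(vendors),
            "share": share,
            "concentrated": share >= threshold,
        })
    rows.sort(key=lambda r: (-r["share"], r["fourth_party"]))
    return rows


def impacted_vendors(inventory, breached_fourth_party):
    """Answer the article's question directly: given a breach at one fourth
    party, which critical vendors (and therefore which of our services) are
    in scope? Returns a sorted list; empty if nothing depends on it."""
    return sorted(
        vendor for vendor, subs in inventory.items()
        if breached_fourth_party in subs
    )


if __name__ == "__main__":
    for row in concentration_report(VENDOR_FOURTH_PARTIES):
        flag = "CONCENTRATED" if row["concentrated"] else "ok"
        print(f"{row['fourth_party']:<18} {row['share']:>5.0%}  {flag}  "
              f"{', '.join(row['vendors'])}")
    print("Breach at CloudHostA would impact:",
          impacted_vendors(VENDOR_FOURTH_PARTIES, "CloudHostA"))
```

In practice the inventory comes from your vendor contracts, SOC 2 reports or monitoring data rather than a hard-coded dict; the point of the inversion is that concentration only becomes visible when you look across vendors, not at any one of them.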

3. Using continuous monitoring technology.


Relying solely on a vendor risk assessment template to evaluate the security posture of a third party poses a challenge for many organizations. Why? Because templates like questionnaires and assessments aren't scalable. Beyond that, they are self-reported and point-in-time, so their answers can't be easily verified. By employing continuous monitoring software, you'll be able to trust your vendors, but also verify their cybersecurity postures.

“Yes” or “no” questions won’t help you better understand your vendors’ cybersecurity postures (or your own)—but actionable metrics will.


For example, with BitSight Security Ratings you'll immediately know if a third or fourth party experiences a cybersecurity issue, allowing you to address the issue rapidly. Additionally, you could gain a higher level of insight into your vendors' cybersecurity practices and choose to only send questionnaires or assessments to vendors with a low security rating, saving you time and resources in the long run.

4. Emphasizing the importance of third- and fourth-party cybersecurity to the board.


It's important to have a way to aggregate data on the security posture of your third and fourth parties to report to the board or to external stakeholders like regulators. Using Security Ratings to pull together a comprehensive report on all your third parties is an effective way to do this. You can walk through which vendors have improved their security, which have not, and how you plan to address any current vendor-related cybersecurity concerns.

5. Considering how third- or fourth-party cybersecurity impacts cyber insurance.


Today, third-party security is becoming increasingly relevant to cyber insurers as part of the underwriting process. As insurers gather more and more data on the security posture of applicants, expect them to start asking for details on your third- and fourth-party risk programs as well.

Additional reading:

Monitoring your own cybersecurity practices is, by itself, a complex task; it can be downright daunting to also monitor your third or fourth parties. But adhering to the best practices outlined above is a great start. Additionally, check out this free ebook on 12 critical cybersecurity metrics you and your vendors should be watching. It outlines the most critical cybersecurity metrics, and detailed explanations of how to monitor them.
