The financial services industry is known for its mature cybersecurity programs. There are many drivers for this, one being the increasingly strict regulatory environment. For example, the Office ofthe Comptroller of the Currency (OCC) indicated in early 2017that financial service companies should be prepared for examiners to evaluate third-party cybersecurity.
Beyond complying with additional regulations, financial service companies are also motivated by the amount of financial data that could be impacted. If customer or employee financial records are compromised by a third-party breach, it could result in material loss and major disruptions that could slow or halt business.
The upside is that these pressures have led to the fine-tuning of best practices when it comes to cybersecurity in financial services. Below, we’ve outlined five of those best practices, and why you should consider implementing them if you haven’t already.
Financial Services In Cybersecurity: Analyzing Third- & Fourth-Party Best Practices
1. Collaborating with vendors.
Many financial service companies work closely with their critical vendors to ensure those vendors are employing top security practices. While this is certainly a benefit to vendors, it ultimately protects the first party organization’s data, because if the breached vendor has access to the first party’s data, it could result in catastrophic losses. If you want to be proactive about cybersecurity, improving vendor collaboration is a great place to start.
2. Creating a fourth-party risk program.
Have you considered the risk associated with your vendors’ subcontractors, or “fourth parties”? If not, you should look into this immediately. Consider this: If 8 out of 10 of your critical vendors uses a particular subcontractor and that subcontractor is breached, will your services be impacted? The answer is likely yes. Simply having a program forfourth-party monitoringis an important step to take when it comes to cybersecurity in financial services.
3. Using continuous monitoring technology.
Relying solely on avendor risk assessment templateto evaluate the security posture of a third party poses a challenge for many organizations. Why? Because templates like questionnaires and assessments aren’t scalable. Beyond that, they can’t be easily verified. By employing the use of continuous monitoring software, you’ll be able totrustyour vendors, but alsoverifytheir cybersecurity postures.
For example, withBitSight Security Ratingsyou’ll immediately know if a third- or fourth-party experiences a cybersecurity issue, allowing you to address the issue rapidly. Additionally, you could gain a higher level of insight into your vendors’ cybersecurity practices and choose to only send questionnaires or assessments to vendors with a low security rating, saving you time and resources in the long run.
4. Emphasizing the importance of third- and fourth-party cybersecurity to the board.
It’s important to have a way to aggregate data on the security posture of your third and fourth parties to report to the board or to external stakeholders like regulators. UsingSecurity Ratingsto pull together a comprehensive report on all your third parties is the best way to do this. You can walk through which vendors have improved their security, which have not, and how you plan to address any current vendor-related cybersecurity concerns.
5. Considering how third- or fourth-party cybersecurity impacts cyber insurance.
Today, third-party security is becoming increasingly relevant for cyber insurers as part of the underwriting process. As insurers look to gather more and more data on the security posture of organizations, they will soon be asking applicants for details on their third- and fourth-party risk programs.
Monitoring your own cybersecurity practices is, by itself, a complex task; it can be downright daunting to also monitor your third or fourth parties. But adhering to the best practices outlined above is a great start. Additionally, check out this free ebook on12 critical cybersecurity metrics you and your vendors should be watching. It outlines the most critical cybersecurity metrics, and detailed explanations of how to monitor them.
What’s the biggest struggle your vendor risk managers face when establishing cyber security monitoring processes? From sudden increases in the use of third-parties by your organization, to not knowing which vendors might be impacted by the...
If you’re using a “one-size fits all” approach to managing your vendor lifecycle, you are missing opportunities to save money and operate more efficiently. Vendor management efficiencies don’t end in the onboarding stage: using a...
If you’re experiencing frustrating delays and procedural roadblocks during your vendor management process, you’re not alone. Security managers are seeing an increase in the number of third-parties integrating with their business, and ...