Financial Services Cybersecurity: Third- & Fourth-Party Best Practices

The financial services industry is known for its mature cybersecurity programs. There are many drivers for this, one being the increasingly strict regulatory environment. For example, the Office of the Comptroller of the Currency (OCC) indicated in early 2017 that financial service companies should be prepared for examiners to evaluate third-party cybersecurity.

Beyond complying with additional regulations, financial service companies are also motivated by the amount of financial data that could be impacted. If customer or employee financial records are compromised by a third-party breach, it could result in material loss and major disruptions that could slow or halt business.

The upside is that these pressures have led to the fine-tuning of best practices when it comes to cybersecurity in financial services. Below, we’ve outlined five of those best practices, and why you should consider implementing them if you haven’t already.

Financial Services In Cybersecurity: Analyzing Third- & Fourth-Party Best Practices

1. Collaborating with vendors.

Many financial service companies work closely with their critical vendors to ensure those vendors are employing top security practices. While this certainly benefits the vendors, it ultimately protects the first-party organization's data: if a breached vendor has access to the first party's data, the result could be catastrophic losses. If you want to be proactive about cybersecurity, improving vendor collaboration is a great place to start.

2. Creating a fourth-party risk program.

Have you considered the risk associated with your vendors' subcontractors, or "fourth parties"? If not, you should look into this immediately. Consider this: if 8 out of 10 of your critical vendors use a particular subcontractor and that subcontractor is breached, will your services be impacted? The answer is likely yes. Simply having a program for fourth-party monitoring is an important step to take when it comes to cybersecurity in financial services.

3. Using continuous monitoring technology.

Relying solely on a vendor risk assessment template to evaluate the security posture of a third party poses a challenge for many organizations. Why? Because templates like questionnaires and assessments aren't scalable. Beyond that, they can't be easily verified. By using continuous monitoring software, you'll be able to trust your vendors while also verifying their cybersecurity postures.

For example, with Bitsight Security Ratings you'll immediately know if a third or fourth party experiences a cybersecurity issue, allowing you to address the issue rapidly. Additionally, you could gain a higher level of insight into your vendors' cybersecurity practices and choose to send questionnaires or assessments only to vendors with a low security rating, saving you time and resources in the long run.
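The two ideas in practices 2 and 3, fourth-party concentration (several critical vendors relying on the same subcontractor) and rating-based triage of which vendors get a questionnaire, are easy to operationalise once you hold the vendor-to-subcontractor mapping as data. The following is an added example written for this article, not Bitsight's code or an API of its product: the vendor names, subcontractor names and the 0 to 1000 "rating" values are constructed sample data, and the rating threshold is an assumed policy value.

```python
"""Fourth-party concentration and questionnaire triage over a vendor inventory.

Added example; the vendors, subcontractors and ratings below are constructed
sample data, and the rating scale and threshold are assumptions, not any
product's real scoring.
"""
from collections import defaultdict

# Constructed inventory: each critical vendor, the fourth parties it relies on,
# and a hypothetical security-rating score (higher is better).
VENDORS = {
    "PaymentsCo":   {"fourth_parties": ["CloudHostA", "EmailRelayX"], "rating": 790},
    "CoreBankSaaS": {"fourth_parties": ["CloudHostA"], "rating": 640},
    "KYCProvider":  {"fourth_parties": ["CloudHostA", "DataBrokerY"], "rating": 560},
    "PrintMailer":  {"fourth_parties": ["EmailRelayX"], "rating": 700},
    "ATMServicer":  {"fourth_parties": ["CloudHostA"], "rating": 610},
}


def fourth_party_dependents(vendors):
    """Invert the inventory: fourth party -> set of vendors that depend on it."""
    deps = defaultdict(set)
    for vendor, info in vendors.items():
        for fp in info["fourth_parties"]:
            deps[fp].add(vendor)
    return dict(deps)


def concentration_hotspots(vendors, min_share=0.5):
    """Fourth parties that at least `min_share` of the vendor base depends on.

    Returns (fourth_party, share) pairs, largest share first. A hotspot is a
    single breach that would disrupt a large fraction of your critical vendors.
    """
    deps = fourth_party_dependents(vendors)
    total = len(vendors)
    hot = [(fp, len(vs) / total) for fp, vs in deps.items()
           if len(vs) / total >= min_share]
    return sorted(hot, key=lambda item: (-item[1], item[0]))


def blast_radius(vendors, fourth_party):
    """Vendors that would be affected if the given fourth party were breached."""
    return sorted(fourth_party_dependents(vendors).get(fourth_party, set()))


def questionnaire_queue(vendors, rating_threshold=650):
    """Vendors below the rating threshold, ordered for follow-up.

    Lowest rating first; among equal ratings, vendors exposed to more
    concentration hotspots come first. Vendors above the threshold are left
    to continuous monitoring instead of receiving a questionnaire.
    """
    hotspots = {fp for fp, _ in concentration_hotspots(vendors)}
    queue = []
    for vendor, info in vendors.items():
        if info["rating"] < rating_threshold:
            exposure = sum(1 for fp in info["fourth_parties"] if fp in hotspots)
            queue.append((vendor, info["rating"], exposure))
    queue.sort(key=lambda item: (item[1], -item[2], item[0]))
    return [vendor for vendor, _, _ in queue]


if __name__ == "__main__":
    for fp, share in concentration_hotspots(VENDORS):
        print(f"{fp}: {share:.0%} of critical vendors depend on it -> "
              f"{blast_radius(VENDORS, fp)}")
    print("Questionnaire queue:", questionnaire_queue(VENDORS))
```

With the constructed data, `CloudHostA` is a hotspot (four of five vendors depend on it), and the questionnaire queue contains only the three vendors rated below 650, so the two higher-rated vendors are covered by monitoring alone. In a real program the inventory would be fed from your vendor-management system and the ratings from whatever monitoring source you use.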

4. Emphasizing the importance of third- and fourth-party cybersecurity to the board.

It’s important to have a way to aggregate data on the security posture of your third and fourth parties to report to the board or to external stakeholders like regulators. Using Security Ratings to pull together a comprehensive report on all your third parties is the best way to do this. You can walk through which vendors have improved their security, which have not, and how you plan to address any current vendor-related cybersecurity concerns.

5. Considering how third- or fourth-party cybersecurity impacts cyber insurance.

Today, third-party security is becoming increasingly relevant for cyber insurers as part of the underwriting process. As insurers look to gather more and more data on the security posture of organizations, they will soon be asking applicants for details on their third- and fourth-party risk programs.

Additional reading:

Monitoring your own cybersecurity practices is, by itself, a complex task; it can be downright daunting to also monitor your third or fourth parties. But adhering to the best practices outlined above is a great start. Additionally, check out this free ebook on 12 critical cybersecurity metrics you and your vendors should be watching. It outlines the most critical cybersecurity metrics and gives detailed explanations of how to monitor them.
