Financial Services Cybersecurity: Third- & Fourth-Party Best Practices

Bryana Dacri | September 13, 2017 | tag: Vendor Risk Management

The financial services industry is known for its mature cybersecurity programs. There are many drivers for this, one being the increasingly strict regulatory environment. For example, the Office of the Comptroller of the Currency (OCC) indicated in early 2017 that financial service companies should be prepared for examiners to evaluate third-party cybersecurity. 

Beyond complying with additional regulations, financial service companies are also motivated by the amount of financial data that could be impacted. If customer or employee financial records are compromised by a third-party breach, it could result in material loss and major disruptions that could slow or halt business.

The upside is that these pressures have led to the fine-tuning of best practices when it comes to cybersecurity in financial services. Below, we’ve outlined five of those best practices, and why you should consider implementing them if you haven’t already.

Financial Services In Cybersecurity: Analyzing Third- & Fourth-Party Best Practices

1. Collaborating with vendors.

Many financial service companies work closely with their critical vendors to ensure those vendors are employing top security practices. While this certainly benefits the vendors, it ultimately protects the first-party organization’s data, because if a breached vendor has access to the first party’s data, the result could be catastrophic losses. If you want to be proactive about cybersecurity, improving vendor collaboration is a great place to start.

2. Creating a fourth-party risk program.

Have you considered the risk associated with your vendors’ subcontractors, or “fourth parties”? If not, you should look into this immediately. Consider this: If 8 out of 10 of your critical vendors use a particular subcontractor and that subcontractor is breached, will your services be impacted? The answer is likely yes. Simply having a program for fourth-party monitoring is an important step to take when it comes to cybersecurity in financial services.
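Added here as an illustration (not code from the post or from BitSight): a small Python script over a constructed vendor inventory that finds which subcontractors are shared by a large share of your critical vendors, and which vendors would be affected if one of them were breached. All vendor and subcontractor names are made up.

```python
"""Fourth-party concentration analysis (added example, not BitSight's code).

The inventory below is constructed for illustration: each critical vendor is
listed with the subcontractors ("fourth parties") it relies on.
"""
from collections import defaultdict

# Constructed sample inventory: vendor -> set of fourth parties it depends on.
VENDOR_INVENTORY = {
    "payments-processor": {"cloud-host-a", "kyc-provider"},
    "core-banking-saas": {"cloud-host-a", "email-gateway"},
    "card-issuer": {"cloud-host-a", "kyc-provider"},
    "loan-origination": {"cloud-host-b"},
    "statement-printing": {"cloud-host-a"},
}


def fourth_party_exposure(inventory):
    """Map each fourth party to the set of your vendors that depend on it."""
    exposure = defaultdict(set)
    for vendor, subcontractors in inventory.items():
        for fourth_party in subcontractors:
            exposure[fourth_party].add(vendor)
    return dict(exposure)


def concentration_risks(inventory, threshold=0.5):
    """Fourth parties relied on by at least `threshold` of your vendors,
    as (fourth_party, share_of_vendors, vendors), highest share first."""
    total = len(inventory)
    exposure = fourth_party_exposure(inventory)
    risks = [
        (fp, len(vendors) / total, sorted(vendors))
        for fp, vendors in exposure.items()
        if len(vendors) / total >= threshold
    ]
    return sorted(risks, key=lambda r: (-r[1], r[0]))


def impacted_vendors(inventory, breached_fourth_party):
    """Vendors (and so services) affected if one fourth party is breached."""
    return sorted(fourth_party_exposure(inventory).get(breached_fourth_party, set()))


if __name__ == "__main__":
    for fp, share, vendors in concentration_risks(VENDOR_INVENTORY):
        print(f"{fp}: {share:.0%} of critical vendors -> {', '.join(vendors)}")
```

With the constructed data, one hosting provider sits behind 80% of the critical vendors, which is exactly the concentration a fourth-party program should surface before an incident does.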

3. Using continuous monitoring technology.

Relying solely on a vendor risk assessment template to evaluate the security posture of a third party poses a challenge for many organizations. Why? Because templates like questionnaires and assessments aren’t scalable. Beyond that, their answers can’t be easily verified. By using continuous monitoring software, you’ll be able to trust your vendors, but also verify their cybersecurity postures.

“Yes” or “no” questions won’t help you better understand your vendors’ cybersecurity postures (or your own)—but actionable metrics will.

For example, with BitSight Security Ratings you’ll immediately know if a third or fourth party experiences a cybersecurity issue, allowing you to address the issue rapidly. Additionally, you could gain a higher level of insight into your vendors’ cybersecurity practices and choose to send questionnaires or assessments only to vendors with a low security rating, saving you time and resources in the long run.

4. Emphasizing the importance of third- and fourth-party cybersecurity to the board.

It’s important to have a way to aggregate data on the security posture of your third and fourth parties to report to the board or to external stakeholders like regulators. Using Security Ratings to pull together a comprehensive report on all your third parties is the best way to do this. You can walk through which vendors have improved their security, which have not, and how you plan to address any current vendor-related cybersecurity concerns.

5. Considering how third- or fourth-party cybersecurity impacts cyber insurance.

Today, third-party security is becoming increasingly relevant for cyber insurers as part of the underwriting process. As insurers look to gather more and more data on the security posture of organizations, they will soon be asking applicants for details on their third- and fourth-party risk programs.

Additional reading:

Monitoring your own cybersecurity practices is, by itself, a complex task; it can be downright daunting to also monitor your third or fourth parties. But adhering to the best practices outlined above is a great start. Additionally, check out this free ebook on 12 critical cybersecurity metrics you and your vendors should be watching. It outlines the most critical cybersecurity metrics, and detailed explanations of how to monitor them.
