Third-Party Vendor Risk Management for Financial Institutions

The nature of financial services necessitates global connections and vast third-party ecosystems that reach millions of users and devices. This makes financial services firms a favorite target for cyber criminals, accounting for a full 10% of global breaches in 2018.

Even in the midst of increased cybersecurity regulations, attackers are finding creative ways to dodge defenses, and financial services firms need to stay one step ahead. Every financial services third-party risk management (TPRM) program needs to have the following elements:

A Way to Continuously Monitor Third-Party Risk

In the past, many organizations relied on questionnaires for gathering information about their third-party vendors and partners. While a cybersecurity risk assessment questionnaire can still be one helpful component of a multi-faceted TPRM program, it only represents a point-in-time snapshot of a vendor’s cybersecurity and is not comprehensive enough for effective third-party risk monitoring on its own.

Especially in such a high-risk landscape, financial services firms need to continuously monitor third-party security performance. This is made possible by tools like security ratings.

Security ratings are a data-driven, dynamic measurement of an organization’s cybersecurity performance. They’re updated daily to reflect near-real-time risk changes, so firms can make faster, more informed decisions.

Policies That Go Beyond Regulatory Compliance

In response to increasingly complex cyber attacks, lawmakers are putting more regulatory pressure on the finance industry, passing measures such as recent NYDFS regulations and the California Consumer Privacy Act (CCPA).

Hundreds of cybersecurity-related bills and resolutions have been introduced across the United States in 2019, many of them covering third-party risk management. Experts predict that these types of laws will continue to pass throughout the U.S. and worldwide, increasing liability for financial firms everywhere.

However, cyber attackers continuously adapt to new security measures, so bare-minimum compliance is not enough to mitigate risk. Rather than waiting for new regulations to force change, firms should be proactive by improving their TPRM strategies as often as possible.

An Organization-Wide Approach to TPRM

Cybersecurity is not solely an IT issue. Business units within financial institutions need to work together to build an effective cybersecurity program, and this is especially true when it comes to third-party vendor risk management.

For example, TPRM needs to be considered when deciding whether a vendor is a good fit, so procurement departments need to have a clear understanding of acceptable risk thresholds for their organizations. Additionally, senior management and Board members need to be kept up to date on TPRM developments.

By keeping all lines of business involved in mitigating third-party risk, firms can establish an organization-wide cybersecurity culture.
Cybersecurity regulations are on the rise, but that doesn’t mean the financial services industry is safe from third-party risk. In a complex and constantly evolving cyber risk landscape, firms need to allocate more time and resources for third-party risk management in order to protect themselves against catastrophic breaches.

When utilized together, continuous third-party monitoring, a proactive approach to cybersecurity policy, and organization-wide participation in TPRM form a solid foundation for third-party risk management.

The New Essentials of Financial Services Third-Party Risk Management is here. Read our whitepaper today!