Risk Management

Third-Party Vendor Risk Management for Financial Institutions

Kim Johnson | October 22, 2019

The nature of financial services necessitates global connections and vast third-party ecosystems, with connections to millions of users and devices. This makes financial services firms a favorite target for cyber criminals, accounting for a full 10% of global breaches in 2018. 

Even in the midst of increased cybersecurity regulations, attackers are finding creative ways to dodge defenses, and financial services firms need to stay one step ahead. Every financial services third-party risk management (TPRM) program needs to have the following elements:

A Way to Continuously Monitor Third-Party Risk

In the past, many organizations relied on questionnaires for gathering information about their third-party vendors and partners. While questionnaires can still be one helpful component of a multi-faceted TPRM program, they only represent a point-in-time snapshot of a vendor’s cybersecurity and are not comprehensive enough for effective third-party risk monitoring on their own.

Especially in such a high-risk landscape, financial services firms need to continuously monitor third-party security performance. This is made possible by tools like security ratings

Security ratings are a data-driven, dynamic measurement of an organization’s cybersecurity performance. They’re updated daily to reflect near-real-time risk changes, so firms can make faster, more informed decisions.

Policies That Go Beyond Regulatory Compliance

In response to increasingly complex cyber attacks, lawmakers are putting more regulatory pressure on the finance industry, passing measures such as recent NYDFS regulations and the California Consumer Privacy Act (CCPA)

Hundreds of cybersecurity-related bills and resolutions have been introduced across the United States in 2019, many of them covering third-party risk management. Experts predict that these types of laws will continue to pass throughout the U.S. and worldwide, increasing liability for financial firms everywhere.

However, cyber attackers continuously adapt to new security measures, so bare-minimum compliance is not enough to mitigate risk. Rather than waiting for new regulations to force change, firms should be proactive by improving their TPRM strategies as often as possible.

An Organization-Wide Approach to TPRM

Cybersecurity is not solely an IT issue. Business units within financial institutions need to work together to build an effective cybersecurity program, and this is especially true when it comes to third-party vendor risk management. 

For example, TPRM needs to be considered when deciding whether a vendor is a good fit, so procurement departments need to have a clear understanding of acceptable risk thresholds for their organizations. Additionally, senior management and Board members need to be kept up to date on TPRM developments.

By keeping all lines of business involved in mitigating third-party risk, firms can establish an organization-wide cybersecurity culture.

Conclusion

Cybersecurity regulations are on the rise, but that doesn’t mean the financial services industry is safe from third-party risk. In a complex and constantly evolving cyber risk landscape, firms need to allocate more time and resources for third-party risk management in order to protect themselves against catastrophic breaches. 

When utilized together, continuous third-party monitoring, a proactive approach to cybersecurity policy, and organization-wide participation in TPRM form a solid foundation for third-party risk management. 

The New Essentials of Financial Services Third-Party Risk Management is here. Read our whitepaper today!

Suggested Posts

3 Ways to Avoid the Top Causes of Data Breaches

As the number and costs of cyber-attacks and data breaches continue to rise, more money is being thrown at the problem. IDC projects that by 2022, organizations will spend $133.8 billion to protect their IT infrastructures against...

READ MORE »

Third-Party Vendor Risk Management for Financial Institutions

The nature of financial services necessitates global connections and vast third-party ecosystems, with connections to millions of users and devices. This makes financial services firms a favorite target for cyber criminals, accounting for...

READ MORE »

Is Your Risk Management Program Ready for the New European Banking Authority’s Guidelines?

In June 2018, the European Banking Authority (EBA) put forth guidelines on outsourcing arrangements that highlighted the importance of risk management within financial organizations. The notice of these guidelines was announced in June...

READ MORE »
ctab-img-1@2x

CISOs have a tough job.

How can they gain buy-in to improve security program effectiveness?

Read The Guide

Subscribe to get security news and updates in your inbox.