Regulations

Amid Regulatory Scrutiny, Financial Institutions Must Monitor Third-Party Cyber Risk

Cybersecurity ranks among the top concerns for banks, insurers, and other financial institutions, which can represent prime targets for cyber-attackers and be vulnerable to potential disruptions because of their often-complex technology systems and the valuable financial assets and rich customer data they can hold. As awareness of cyber risks has grown, many financial institutions have developed robust internal capabilities to deter cyber-attacks and prevent technology interruptions. But perhaps equally important — for both organization and regulators — are your vendors’ cyber risk management practices.

Probing Third-Party Cyber Risk

Since the financial crisis of the late 2000s, the Federal Reserve, Securities and Exchange Commission, Office of the Comptroller of the Currency, and other regulators have heavily scrutinized the risk management practices of financial institutions. One of their biggest areas of focus has been technology risk.

Recently, both the industry and regulators have honed in on the risks presented by vendors. Many large financial institutions have developed vendor management offices with the express mission of policing and overseeing their companies’ slate of suppliers and other third parties they work with. While regulators seem to appreciate this approach to risk management, they have not let up. Instead, they are now probing deeper, looking at second- and third-tier vendors — the ones that financial institutions’ vendors rely on themselves.

For financial institutions, those vendors represent potential cyber risk vulnerabilities that could cost millions. Vendors that hold or process data could become victims of hacking attacks themselves or provide an entryway for attacks on financial institutions’ corporate networks. Technology interruptions at vendors can also disrupt financial institutions’ operations.

Examining Your Value Chain

Just as companies that produce or sell physical products often regularly audit their supply chains to assess vulnerabilities to natural hazards and other physical risks, financial institutions should assess their value chains, seeking to gain insight into the cyber risk mitigation practices of their first-, second-, and third-tier suppliers.

Your organization may already have this insight. If not, you should:

  • Assess existing third-party management processes and data needs, identifying all supplier and third-party relationships and scrutinizing contractual language related to data security.
  • Develop a risk management framework that includes exposure to each supplier and the risk of breach or business interruption and recommended actions.
  • Continuously monitor your vendor network’s security posture, identifying those companies that present risks to be more closely examined.
  • Establish a protocol for action that allows you to systematize management of your third-party risk.

It’s also important to quantify your cyber risk, including third-party exposures. A scenario-based analysis of your cyber risk can help you estimate the likelihood and potential severity of a cyber event involving a vendor — something of great interest to financial regulators. Scenario modeling can also help you identify and evaluate potential risk mitigation and insurance options.

You might already have an effective cybersecurity program in place within your organization, but that might not be the case with your vendors — or the vendors they rely on. Take these steps to better understand and manage your third-party cyber risk.