Financial institutions with extended networks of strategic partners need to manage the risks that come along with navigating multiple IT environments simultaneously. Impactful third party risk management finds and neutralizes these threats, vulnerabilities, and compliance risks.
How effective is your third party risk management? Schedule a consultation to find out.
How Financial Institutions Should Manage Vendor Risks
Third party risk management (TPRM) is a pillar of overall institutional risk management, and financial institutions face unique challenges to both. The sensitivity of data processed, and the volume and diversity of third parties, make managing threats to shared systems paramount.
Effective TPRM for financial institutions ultimately comes down to three areas of concern:
- Continuously monitoring for and addressing threats across third party assets
- Identifying vulnerabilities across third party systems and prioritizing mitigation
- Accounting for regulatory needs shared by your organization and third parties
Beyond following best practices in each area, most financial institutions achieve the best results in managing third party risk by working with a quality managed security services provider (MSSP).
Monitoring for and Addressing Third Party Threats
Effective vendor risk management for financial institutions starts and ends with understanding the threats posed to third party assets and taking steps to minimize them as they materialize.
In a cybersecurity context, threats are vectors of attack or other potential incidents that could compromise your systems. Most IT and cyberdefense schemes account for threats to assets owned or operated by the organization, such as workstations and network infrastructure. But third parties’ devices and accounts can also come under attack; you need to protect them, too.
The most dangerous threats to third party assets are those posed by cybercriminals. Threat actors can plant malicious code on the networks your third parties connect to. They may render third parties’ systems unusable through distributed denial of service (DDoS) attacks. Or they may send targeted phishing and other social engineering scams to third parties, posing as an administrator from your team. Any of these attacks could lead to financial data being leaked.
Best Practice: Managed Detection and Response (MDR)
One of the most impactful ways to scan for and address threats is an active approach called detection and response. When facilitated externally through an MSSP, the program is often called managed detection and response (MDR). It is especially useful for TPRM because, as third parties, MSSPs are uniquely positioned to detect threats that internal staff might miss.
Effective MDR deployment focused on third-party risks includes:
- Third party threat detection through continuous threat hunting across in-scope assets
- Root cause analysis (RCA) to determine which third-party assets are targets and why
- Immediate incident response, quarantining and neutralizing any threat vectors
- Continuity and compliance, including managing regulatory needs (see below)
MDR is an active approach to both threat and vulnerability management that treats identified threats as serious incidents in and of themselves—before they have a chance to cause harm.
Identifying and Prioritizing Third Party Vulnerabilities
Organizations should also monitor for vulnerabilities across third party assets in the same ways they scan for weaknesses in their own software and hardware, if not more robustly.
Vulnerabilities are absences, malfunctions, and other weaknesses in cyberdefense architecture that could be exploited, leading to data compromise. In financial institutions, these could amount to missing protections, out-of-date systems, or user errors that lead to attacks or accidental data loss. Critically, these can be third party devices or personnel over which you have little control.
Another way to think about vulnerabilities is as opportunities for threats to manifest. Your vendors and other strategic partners may be targeted specifically because of their indirect connection to organizational systems. Often, organizations have less governing power over third parties than they do over internal staff. Things like lacking assurance of individuals’ security awareness or lacking visibility into their devices constitute insidious vulnerabilities.
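The passage above argues that third party findings need to be prioritized differently from internal ones, because exposure, data sensitivity, remediation delay and lack of visibility all shape how likely a weakness is to be exploited. The following Python script is an added example, not code from the original article or from RSI Security, showing one way to rank findings across internal and third party assets. The scoring weights, the tier thresholds and the sample inventory are all constructed assumptions for illustration, not figures from the page or from any standard.

```python
"""Rank vulnerability findings across internal and third party assets so that
mitigation effort goes first to the findings most likely to be exploited.
Added example with assumed weights; adjust them to your own risk appetite."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    asset: str
    owner: str                 # "internal" or the name of the third party
    cvss: float                # CVSS base score, 0.0 to 10.0
    internet_exposed: bool     # reachable from outside the shared network
    handles_financial_data: bool
    days_unpatched: int        # days since a fix became available
    visibility: str            # telemetry we receive from the owner: full/partial/none


# Assumed adjustments (not from the article): less visibility means less
# assurance, so the finding is treated as more urgent, not less.
VISIBILITY_PENALTY = {"full": 0.0, "partial": 1.0, "none": 2.0}


def priority_score(f: Finding) -> float:
    """Combine severity with the context that makes a finding exploitable."""
    score = f.cvss
    if f.internet_exposed:
        score += 2.0                       # reachable by external threat actors
    if f.handles_financial_data:
        score += 1.5                       # data sensitivity raises impact
    score += min(f.days_unpatched / 30.0, 3.0)   # up to +3 for 90+ days open
    score += VISIBILITY_PENALTY[f.visibility]
    if f.owner != "internal":
        score += 0.5                       # less governing power over remediation
    return round(score, 2)


def tier(score: float) -> str:
    """Map a score to a remediation tier (assumed thresholds)."""
    if score >= 13.0:
        return "critical"
    if score >= 10.0:
        return "high"
    if score >= 7.0:
        return "medium"
    return "low"


def rank_findings(findings):
    """Return (asset, owner, score, tier) tuples, most urgent first."""
    scored = [(f.asset, f.owner, priority_score(f), tier(priority_score(f)))
              for f in findings]
    return sorted(scored, key=lambda row: row[2], reverse=True)


# Constructed sample inventory: two internal assets and two third party assets.
SAMPLE_FINDINGS = [
    Finding("core-banking-db", "internal", 7.5, False, True, 10, "full"),
    Finding("vendor-sftp-gateway", "PayProc Inc (constructed)", 9.8, True, True, 45, "partial"),
    Finding("marketing-cms", "internal", 6.1, True, False, 5, "full"),
    Finding("hvac-contractor-laptop", "ColdAir LLC (constructed)", 5.0, False, False, 120, "none"),
]


if __name__ == "__main__":
    for asset, owner, score, level in rank_findings(SAMPLE_FINDINGS):
        print(f"{level:8} {score:5.2f}  {asset:24} owner={owner}")
```

Run as a script, the ranking puts the exposed vendor gateway first, but the more instructive line is the second: a contractor laptop with a mid-range CVSS score outranks the internal database, because four months without a patch and no telemetry from its owner are themselves the vulnerability the article describes. The same structure works for findings pulled from a scanner or vendor questionnaire once they are mapped onto the Finding fields.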
Best Practice: External and Internal Penetration Testing
One approach to cyberdefense leverages offense, meaning the methods used by attackers, to understand and eliminate weaknesses. Penetration testing simulates attacks on your system, including third party assets, to determine which weaknesses are most likely to be exploited.
Both conventional kinds of penetration tests can be leveraged for TPRM purposes:
- External pen testing – These tests begin from a point of little to no knowledge of your systems and gauge how and where attackers can infiltrate them. In a TPRM context, they can illustrate which third party network connections are insufficiently protected.
- Internal pen testing – These tests begin from a point of knowledge about your systems; they can illustrate what an attack from or leveraging a third party could look like. They also provide insights into what attackers could do once “inside” your shared network.
Additionally, your organization can work together with third parties to run hybrid tests that include both external and internal elements. Or you can focus on one side of the equation for organizational assets and another for external, depending on the specifics of your architecture.
Managing Third Party Compliance Implications
Regulatory compliance is one of the top subjects at any conference on third party vendor risk management for financial institutions. Compliance is not a traditional vulnerability or threat; instead, the risk comes from the possibility of a third party causing issues with your organization’s regulatory obligations. More often than not, though, this is closely related to the other risk factors.
Managing third party compliance risks means ensuring that all in-scope assets across your and your partners’ IT landscapes meet the needs of industry, governmental, and other regulations.
Some of the most obvious challenges here come from ensuring that your vendors and suppliers meet applicable American Institute of Certified Public Accountants (AICPA) SOC 1 or SOC 2 requirements. When preparing for an audit, you’re responsible for third party systems meeting trust service principles and providing the same level of security assurance as your systems.
But there are other considerations as well; for example, industries you’re tangentially connected to may still involve a compliance burden. If your third party partners are covered entities under the Health Insurance Portability and Accountability Act (HIPAA), you’re required to meet HIPAA compliance standards as a Business Associate—and vice-versa if you’re the covered entity.
Best Practice: Omnibus Compliance Implementation
Given how complicated compliance risk management in banks can be, especially with third parties in various locations and industries, many organizations seek out solutions that unify controls and minimize overlap. One of the best is the HITRUST Alliance’s CSF framework, which allows for financial organizations and their third parties to “assess once, report many.”
Originally developed for the healthcare service industry, HITRUST is now recommended for organizations across every industry. The frameworks noted above (HIPAA, SOC) are covered, along with several other widely applicable regulations. If you or your third parties are subject to the Payment Card Industry Data Security Standard (PCI DSS), the European Union’s General Data Protection Regulation (GDPR), or other frameworks, you’ll be able to implement a single control or a relatively small bundle of controls that map across the similar requirements in each one.
HITRUST is fast becoming a gold standard across industry lines. Aside from facilitating your own third party regulatory risk management process, it can help you be an asset to your third parties with respect to their own compliance needs. It’s a win-win for all parties involved.
Rethink Your Third Party Risk Management Today
Financial institutions looking to optimize their cybersecurity risk management need to account for threats and vulnerabilities across third party hardware, software, and users. There are also compliance risks to consider. The best way to manage all these risk factors is with expert support.
RSI Security has helped countless financial institutions mitigate risks within their and their partners’ interwoven IT infrastructures. We believe the right way is the only way to keep your organization and the third parties you work with safe, and we’re committed to helping you do it.
To learn more about RSI Security’s third party vendor risk management for financial institutions, or get started on a robust, efficient plan that meets your third party needs, contact us today!