The regulatory landscape seems to be continuously bringing down the hammer with new, seemingly restrictive legislation. We have come to a point where a change in mindset is required, where a robust risk management strategy becomes the strength of the organization and not a requirement.
Third-party risk management for financial institutions is the latest trend to hit the risk management ecosystem, let’s discuss.
What is Third-Party Risk Management?
Third-party risk management, also known as vendor or supplier risk management, comprises part of the organization’s overall risk management strategy. It is tailored to suit the organization’s cybersecurity needs by requiring suppliers to adhere to a good cybersecurity practice if they wish to engage in business.
Regardless of industry, the frameworks or models ask that a certain cybersecurity standard is met to ensure that sensitive information is protected along the Information and Communication Technology (ICT) supply chain. One such framework is the NIST 800-161, in this article we will be looking at the broader application of TPRM for financial institutions, which are not all strictly technical.
Third-Party Risk Management for Financial Institutions
Third-party risk management for financial institutions differs slightly from other industries in that they primarily deal with Personally Identifiable Information (PII). Although other industries may deal with PII, TPRM for them is a way to protect business-sensitive information.
In a data breach report given by Verizon, 71 percent of data breach cases were financially driven where only 21 percent were the result of espionage (this is applicable only in cases where the motive is known).
Given that financial institutions deal with large data sets of PII and are directly related to an individual’s finance, it can be very lucrative for bad actors to get hold of such information. With the reasons given above third-party risk management for financial institutions becomes especially important.
“A chain is no stronger than its weakest link” – Thomas Reid
In a highly connected business environment, which is now the present reality for many financial institutions, the organization’s cyber resilience is healthy only if every node is.
Key Areas of Third-Party Risk Management For Financial Institutions
In the next section, we will examine some of the key areas of third-party risk management for financial institutions. Some of the areas are loosely based on existing frameworks, namely, the NIST 800-161, and others are derived from industry research.
Technological Implementation
This area of TPRM is applicable to all industries. It will build the backbone of the overall risk management strategy. It involves the security controls and implementation of the controls to the entire ecosystem’s information systems so that it will include that of the vendors or suppliers.
There are a couple of frameworks already in existence that deal directly with the security controls of the information systems, and the two we will briefly analyze are the Center for Internet Security Critical Security Controls (CIS CSC) and the NIST 800-161.
The technological aspect of TPRM arises from the implementation of the security controls, depending on the framework a majority of the controls relate directly to the technical aspect of the information system, while some of the more hard-hitting ones are in relation to the security policies of the organization (ex. staff awareness training and coding standards).
In a survey given by EY, financial institutions find technological integration to be the most challenging aspect of the TPRM strategy. This is where security controls can be a great blessing, depending on which framework the organization chooses to adhere to, it acts as an anchor point for all organizations involved in the supply chain.
This means any checks and balances that examine technological security can be referred to by a single framework. Get in contact with RSI Security for advice on frameworks and security control implementation.
Schedule a Free Consultation
Third-Party Population
This area of TPRM regards the extent of the third-party network and how many of them fall under the organization’s risk management strategy. The trends have shown that organizations have reduced their third-party networks by 58 percent over the past six years.
Having a reduced third-party inventory can drastically reduce the cyber risks, simply by having fewer suppliers and vendors there are fewer vulnerabilities to exploit.
When examining the third-party inventory, it is best to include all third-parties where applicable and assesses them from low to high risk. For example, a vendor of office supplies might not deal with business-sensitive information or PII and, therefore, would be considered a low risk third-party, but it should still be included within the TPRM strategy.
This way, it is possible to see where changes need to be made from implementing and auditing security controls to changing company policy.
Extended Network (Fourth-Party)
A subcategory of the third-party population is the fourth-party network, in other words, the suppliers of your supplier. The systems become more complex as you go on, and accounting for that risk is very difficult, if not impossible.
This is something to note; the best your organization can do is engender a sense of trust with the suppliers so that they may implement cybersecurity best practices with their suppliers or vendors.
Beyond Compliance
Lawmakers are beginning to respond to the increasingly complex cyber landscape by creating regulations that require organizations to protect information systems in the interest of national security. Many of these regulations and frameworks released in the latter part of the decade have also included third-party risk management requirements.
Although regulations have certainly helped reduce the chance of cyberattacks hitting particular industries, the number of cyberattacks continue to rise despite the fact. This is primarily due to the increased sophistication in cybercriminals and bad actors. They will often circumnavigate the requirements laid out by regulation or frameworks by merely applying some creativity, after all, they can just read up on the security requirements of the law or framework.
This has creative implications on the organization, requiring industry to be one step ahead (or more) of the attackers. Essentially, organizations must employ strategies that go beyond the regulation requirements, looking toward cutting-edge defense technology or policies, implementing risk strategies that are “living documents” and not a static checklist. Organizations must remain dynamic and agile in the changing cyber landscape.
This area is especially important for financial institutions, as a lot of the data protection and cybersecurity requirements arise from government regulation.
Continuous Assessment
Evolving and advanced threats have rendered traditional risk assessment models as ineffective. Although business and financial institutions may still choose to employ a questionnaire system to assess the potential risk associated with the third-party, the cybersecurity landscape remains dynamic.
A “do once and drop” assessment just won’t cut it today. It is best to engage the entire information supply chain into one analysis method. Real-time tracking, or data-driven tracking, of events and risks, is soon to become the norm for many organizations’ risk management strategies.
Building Cyber Culture
As financial institutions are a traditional industry, this area of TPRM can be very challenging to overcome. Even though significant advancements have been made in payment processing, banking standards, fintech, etc. cybersecurity resilience remains to be an organizational issue.
The role of cybersecurity has migrated from strictly being an IT issue to being an organizational one. This has put stricter requirements on all facets of the organizations to play their part in the overall cybersecurity architecture.
As an example, there has been a growing need for all organizations, regardless of size, to train their staff in cybersecurity awareness. The techniques used in cybersecurity awareness training can significantly reduce any risk associated with human error; knowing is half the battle.
Beyond training, the organizations’ staff, management, and other relevant parties should begin to engender a security culture within the daily business activities.
Benefits of TPRM strategies
An effective third-party risk management strategy has benefits that go beyond mitigating risks that we will briefly discuss in the coming sections.
Cost Reducing
Risk management strategies, including third-party risk, can reduce the overheads of the organizations. Accounting for the likelihood of security events occurring keeps the organization one step ahead. Coupled with the areas discussed above, the organization has a better grasp of the security environment and can allocate the risk budget accordingly.
This not only saves on spending in the current period but also addresses future spending habits while at the same time remaining dynamic enough to account for changes in the threat landscape.
This can be especially beneficial when recommending budget allocation with management. There is nothing management loves to hear more than strategies that can help reduce costs or increase revenue, and if strategized correctly and effectively, TPRM can do both. Let’s discuss.
Benefiting Consumers and Building Customer Relations
One widely undervalued aspect of risk management, and business in general, is the benefit and services that it provides the customers. Companies often fail because they forget that a business’s running is primarily to benefit the customer and not only the shareholders, but a good business does both.
Fundamentally, a third-party is a customer-supplier relationship, and having an effective TPRM strategy has benefits for all parties involved. Third-parties notwithstanding, a TPRM strategy also has knock-on benefits for the end-users.
Risk management, in general, is rarely known to anyone outside the organization. In most situations, this is for the best. Without giving away the strategy, businesses can use this to their advantage by utilizing the customers’ marketing potential.
The general public is becoming more concerned and aware of data misuse; by allowing them to engage with the organization’s data management practices they can feel reassured that the handling of PII is done in a caring and effective manner.
This factor becomes more prominent when the organization deals with the customer’s money, as financial institutions do.
Recap and Key Takeaways
Regulation and the changing threat landscape has emphasized cybersecurity risk management. These factors have opened analysis into organizations’ third-party networks and exposed vulnerabilities associated with the mismanagement or ignorance companies hold on their extended supplier networks.
This is especially true for financial institutions, as they have global third-party networks that can easily extend into fourth-party networks.
Extrapolated from some prominent frameworks, namely the NIST 800-161 and research in third-party risk management for financial institutions in this article, we discussed some key areas of TPRM strategy that financial institutions should pay attention to., those being:
- Technological Implementation – EY survey identified most financial institutions are struggling to achieve security technology integration.
- Third-party population– What percentage of the third-party population is part of the TPRM strategy? And is the organization documenting a third-party inventory?
- Beyond Compliance– the organization should go beyond complying with a framework or regulation so that they stay a step ahead of attackers.
- Continuous assessment – traditional questionnaire models of third-parties assessment are becoming outdated and a living and dynamic evaluation of third-parties must be used.
- Building cyberculture – integrating safe practices within the organization’s everyday business activity promotes and builds a security culture, which should be integrated into the organization’s overall risk management strategy.
There are also added benefits of TPRM and risk management in general that organizations can tap into as quoted by Matt Moog of Ernst and Young:
“Effective TPRM reduces operating costs while laying the groundwork for deeper relationships with customers”.
This is especially true in a market where customers have growing concerns regarding data safety and data misuse. The organizations can leverage their ethical data practices to deepen relations with customers, which benefits the entire ecosystem.
How RSI Security Can Help
With a wealth of experience in cybersecurity, RSI Security knows the ins and outs of compliance, cybersecurity architecture implementation, and risk management strategies.
With all the key areas mentioned above, RSI Security can offer the right solution tailored to your industry and to your organization.
We understand that cybersecurity should not be the full-time responsibility of your organization, but regulators and the changing landscape have put massive pressure on all organizations to utilize best practice security methods to ensure that customers are protected.
We think you should do what you do best, and leave the security to us. Get in contact today and book your free consultation and let’s work together to strengthen your cyber resilience.