In the context of cybersecurity, third-party risk is the potential for an organization to suffer data breaches or other harm as a result of its relationships with vendors, suppliers, and other businesses.
Although the financial sector does not operate on the same principles as consumer-facing companies, it doesn’t make it immune to third-party risk. And with the rapid emergence of new players in the fintech space, the sector’s exposure to cybersecurity issues is only likely to increase.
In order to mitigate the risks posed by third parties, financial institutions need to take a proactive approach to their relationships – one that covers everything from end-to-end encryption to conducting vendor risk assessments.
Below, we will discuss some of the key considerations for financial institutions when it comes to cybersecurity challenges.
Third Parties in the Financial Sector
Before we get into the specifics of third-party risk in the financial sector, it is worth taking a step back to explain the role of third parties in the financial sector.
You can put the roles into two broad categories: those that provide services to financial institutions and those that sell products or offer services to consumers on behalf of financial institutions.
The first category consists mostly of service providers, such as technology firms, consulting firms, and accounting firms.
These businesses typically have long-standing relationships with financial entities and provide them with a range of services, from back-office support to more strategic functions; there are even more and more Blockchain use cases in the financial sector.
The second category, more relevant to the discussion of third-party risk, encompasses businesses that offer products or services to consumers on behalf of banking entities.
Take online title loans, for instance. While such a business operates independently of banks, it often cooperates with them on the back end – for example, by using the bank’s infrastructure to originate loans or process payments.
From a third-party risk perspective, the main difference lies in these businesses’ access to sensitive data. Outsourced service workers only have access to a relevant part of sensitive data. In contrast, business partners that offer products or services to consumers have access to the entire dataset – usually limited to their own customers.
Third-Party Risk Challenges
In order to set and implement security standards for third-party relationships, it is important first to understand the challenges associated with third-party risk.
Although those are not necessarily new developments in cyberspace, the way they manifest in the financial sector may require a different approach.
Vendor Risk Management
In short, vendor risk management (VRM) is the process of assessing, monitoring, and managing the risks associated with third-party relationships. It is concerned with everything from the initial vendor selection to monitoring vendors’ security posture.
Such an approach allows financial institutions to address risks before they materialize rather than react to them after the fact.
Implementing an effective accountability system is essential to make sure that everyone – from the board of directors to individual employees – understands their role in managing third-party risk.
Personal Data Protection
Considering the amount of personal data that financial institutions hold, it is not surprising that privacy and data protection are key concerns when it comes to third-party risk.
The EU’s General Data Protection Regulation (GDPR) – which came into effect in 2018 – specifically addresses the issue of transparency around the use of personal data by controllers and processors.
The US has yet to enact similar legislation, but there is a growing movement towards greater regulation of the use of personal data.
In particular, California’s Consumer Privacy Act (CCPA) gives Californians similar rights to those enshrined in the GDPR. And given that California is home to many of the world’s largest tech companies, it is likely that other states will follow suit.
It is one thing for the financial sector to comply with regulations like the Bank Secrecy Act (BSA) and the Gramm-Leach-Bliley Act (GLBA), but it is another thing entirely to make sure that its third-party service providers comply with relevant constructs – especially in the cyber domain.
Global internet security still needs to be regulated the same way as other industries, such as banking or healthcare, and current standards often deviate between countries. For companies that operate globally, this can create a compliance nightmare.
Financial institutions need to have clear and concise policies that outline their expectations for third-party service providers to mitigate the risks associated with regulatory uncertainty.
This will prevent unnecessary law enforcement action and help protect the financial institution’s reputation.
End-to-End Cybersecurity Governance
Having a comprehensive cybersecurity system in place is no longer optional for any legal body present on the internet – and the financial sector should always aim for the highest levels of cybersecurity hygiene.
Even if a particular third party is not handling sensitive data, their groups may still be vulnerable to attack – which could jeopardize the security of the entire ecosystem.
The biggest challenge in enforcing end-to-end cybersecurity governance is often getting third parties to buy into the idea. A surprisingly large portion of financial sector workers barely follows any security measures, let alone best practices.
For in-house staff, cybersecurity protocols can be enforced through a mix of education, training, and reprimands. But when it comes to third parties, financial institutions typically have less control.
In such cases, the best option is usually to establish clear guidelines and expectations upfront – and to work only with those service providers willing to comply.
The main principle of third-party risk management is simple: if you don’t control it, you can’t secure it. In the context of cybersecurity, financial institutions must take a proactive approach to their relationships with vendors and other service providers.
This includes everything from conducting vendor risk assessments to implementing end-to-end encryption.
Only by taking such measures can financial institutions hope to mitigate the cybersecurity risks associated with third parties – and protect both themselves and their customers from harm.