The threat of third-party vendors to banking is real!
CPA Umeme Steve
Internal Audit Manager | Head of Internal Audit | Compliance Manager | Risk Management Specialist | Board Member | Financial and Operations Auditor | CISA | CFIP | CPAK
From social media apps to exercise tracking and online shopping, today's consumers are producing data at an unprecedented rate. Today's business world is under pressure to ensure the safety of that data and maintain customer trust – which means businesses in the financial services sector have a particularly tricky task to navigate.
Alongside customer expectations of appropriate data security, financial organizations have their own desire to remain innovative and competitive. In many cases, this involves bringing in third parties and becoming part of shared banking systems – exposing them to an even broader threat perimeter than ever before. Sadly, most organizations aren't equipped to deal with the risks facing them!
Third-party vendors: risks and rewards
Once upon a time, protecting data and maintaining security in financial services was very much a case of handling the direct relationship between the business and its customers – and of course, blocking malicious attacks. Nowadays, to deliver the most cutting-edge services and experiences, financial institutions find themselves working with third-party vendors to extend their capabilities, ranging from providers of real-time payment integration software to professional services vendors.
At the same time, initiatives like Open Banking, reinforced by the uptake of mobile banking solutions, are actively opening up the conversation around collaboration, providing both the framework and the driver for more integrated services across the board.
There’s no escaping the fact that the risk of breaches – whether accidental or resulting from a malicious attack – increases significantly with every new party introduced to the security ecosystem.
Whose fault is it?
Several high-profile cases have illustrated the dangers inherent in this new world of collaboration.
In recent times, it is not uncommon to hear of data breaches in which accounts are compromised and details including names, customer IDs, email addresses and credit card numbers are stolen.
Dangers from third-party vendors are not to be underestimated, particularly because even when a breach is caused by a third-party vendor, that distinction is very rarely made in the minds of customers (or the press).
So, while nobody would dispute that enhanced collaboration can drive product innovation and therefore improve the customer experience, the flipside is greater risk – and more difficulty establishing exactly where the burden of responsibility lies.
Security is for life, not just for Christmas
If they’re going to protect their customers, their systems, and their reputations, financial institutions need to act. But despite the pressing nature of this issue, few are fully equipped to deal with the changing nature of risk.
It's standard to conduct a threat, risk and vulnerability analysis of a vendor upon entering into a new third-party agreement, at which point both sides agree on the specific security requirements needed. While this approach is commonplace, it's also flawed – because it only reflects the vendor's risk level at that specific moment in time.
Security requirements are often much more fluid than they first appear. Maintaining processes is just as important as implementing them. Unfortunately, few financial institutions have the internal resources, skills, or budget to reassess vendors on a regular or even semi-regular basis.
Complicating matters further, it's difficult to develop a standardized approach to risk analysis. When you consider the full range of third-party vendors that financial institutions work with, the issues at play – and thus the risks they pose – are hugely varied. For example, a professional services vendor presents a very different threat than a piece of integrated software. As a result, it has historically been difficult to implement a straightforward testing mechanism that can efficiently and regularly account for the full scope of potential risks.
Investing in risk management
If financial institutions are going to successfully manage third-party risk, they have to put more robust processes in place. This could include contractually obligating vendors to security and privacy practices, as well as regular review of policies, procedures and certifications.
On the bright side, as the risk has grown, technologies have emerged that help businesses manage their risk on a continuous basis rather than at a single point in time. Doing this requires a well-rounded, integrated approach that covers many bases – including firewalls and ongoing threat intelligence.
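The point-in-time problem described above, and the "regular review of policies, procedures and certifications" the previous section calls for, can be made concrete with a small vendor risk register check. What follows is an added illustration, not code from the article or its author: it assumes a reassessment cadence per risk tier, a list of vendor certifications with expiry dates, and a flag for whether the contract carries security obligations. The vendor names, dates and cadences are constructed sample values.

```python
"""Vendor risk register check: flags third parties whose point-in-time
assessment has gone stale, whose certifications have lapsed, or whose
contract lacks security obligations. The register and cadences below are
constructed for illustration, not drawn from any real institution."""
from dataclasses import dataclass, field
from datetime import date

# Maximum days allowed between reassessments, by inherent risk tier (assumed).
REASSESS_DAYS = {"high": 90, "medium": 180, "low": 365}
TIER_RANK = {"high": 0, "medium": 1, "low": 2}


@dataclass
class Certification:
    name: str
    expires: date


@dataclass
class Vendor:
    name: str
    tier: str                       # "high", "medium" or "low"
    last_assessed: date             # date of the last risk assessment
    certifications: list = field(default_factory=list)
    contract_has_security_terms: bool = True


def days_since_assessment(vendor: Vendor, today: date) -> int:
    return (today - vendor.last_assessed).days


def assessment_overdue(vendor: Vendor, today: date) -> bool:
    """True when the last assessment is older than the tier's cadence allows."""
    return days_since_assessment(vendor, today) > REASSESS_DAYS[vendor.tier]


def expired_certifications(vendor: Vendor, today: date) -> list:
    """Names of certifications whose validity period has already ended."""
    return [c.name for c in vendor.certifications if c.expires < today]


def vendor_findings(vendor: Vendor, today: date) -> list:
    """Human-readable reasons this vendor needs attention (empty if none)."""
    findings = []
    if assessment_overdue(vendor, today):
        findings.append(
            f"assessment {days_since_assessment(vendor, today)} days old "
            f"(limit {REASSESS_DAYS[vendor.tier]} for {vendor.tier} tier)")
    for cert in expired_certifications(vendor, today):
        findings.append(f"certification expired: {cert}")
    if not vendor.contract_has_security_terms:
        findings.append("contract lacks security and privacy obligations")
    return findings


def review_queue(vendors: list, today: date) -> list:
    """Vendors with at least one finding, highest-risk tier first."""
    queue = []
    for v in sorted(vendors, key=lambda v: (TIER_RANK[v.tier], v.name)):
        findings = vendor_findings(v, today)
        if findings:
            queue.append({"vendor": v.name, "tier": v.tier, "findings": findings})
    return queue


# Constructed sample register: hypothetical vendor names, tiers and dates.
SAMPLE_TODAY = date(2024, 6, 1)
SAMPLE_VENDORS = [
    Vendor("PayLink Integrations", "high", date(2024, 1, 15),
           [Certification("PCI DSS AoC", date(2024, 3, 31)),
            Certification("SOC 2 Type II", date(2024, 12, 31))]),
    Vendor("Ledger Advisory", "medium", date(2024, 3, 1),
           [Certification("ISO 27001", date(2025, 2, 1))],
           contract_has_security_terms=False),
    Vendor("CloudBackup Co", "low", date(2023, 4, 1),
           [Certification("SOC 2 Type II", date(2024, 8, 1))]),
]


def sample_queue() -> list:
    """Run the check over the constructed register as of SAMPLE_TODAY."""
    return review_queue(SAMPLE_VENDORS, SAMPLE_TODAY)


if __name__ == "__main__":
    for entry in sample_queue():
        print(f"{entry['vendor']} [{entry['tier']}]")
        for finding in entry["findings"]:
            print(f"  - {finding}")
```

Running this against the sample register lists the high-tier payments vendor first (stale assessment plus a lapsed PCI DSS attestation), then the advisory firm whose contract carries no security terms, then the low-tier backup provider whose annual review has slipped. The point is the cadence: a vendor that passed its onboarding assessment in January is no longer "assessed" in June, and a report like this turns the one-off review into a standing control.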
While this heightened level of management will likely be time and resource-intensive, it’s certainly possible – and should be a priority. Because whether it’s protecting customers’ personal information or their savings, banks and other financial institutions have to maintain rigorous security standards.
If they don’t, it’s not just their customers’ data at risk – it’s their business’ reputation on the line, too.