How banks can manage vendor cybersecurity risk
Vendors are a key link in your cybersecurity risk chain
INSIGHT ARTICLE
All banks recognize the importance of cybersecurity. But effective cybersecurity must extend beyond the boundaries of your organization to include the various third parties that have access to your systems and data. Your cybersecurity is only as strong as that of the weakest link in that chain. Consider the number of vendors that might have access to your systems, including:
- Third-party information technology (IT) support
- Managed IT services -- e.g., network, firewall and intrusion detection monitoring vendors
- Cloud services -- e.g., software as a service (SaaS) or infrastructure as a service (IaaS) vendors
- Non-IT vendors with connections to your networks -- e.g., heating, ventilation, air conditioning (HVAC) or security contractors
Recent high-profile breaches make the risk clear. Target’s breach began with credentials stolen from a managed HVAC provider. A third-party vendor inadvertently exposed personal data for thousands of Lowe’s employees. And Zappos suffered a breach through a cloud-based IaaS provider.
The financial and reputational risks associated with a breach are not the only concern facing banks when managing vendor cybersecurity. Regulatory compliance now also includes third-party management. But what does an effective vendor management program look like?
The big picture
At a high level, vendor due diligence includes three key steps:
- Conduct a risk assessment for any new vendors with access to your systems or data
- Design an ongoing cybersecurity management program for each vendor based on that risk assessment
- Review each vendor’s cybersecurity on a regular schedule, the frequency of which is based on your risk assessment
A variety of factors influence the nature of the risk assessment that you should conduct on a new vendor. A primary concern is the nature of the data to which the vendor has access and what the vendor does with that data. Does the vendor simply store data? Process it? Transmit or output it? How confidential is the data they are handling? Based on the risks associated with that data and those activities, your cybersecurity program for the vendor should be reviewed on a set schedule—at least annually for high-risk vendors and no less frequently than every two years for the lowest-risk parties.
Vendor risk assessment
The first cybersecurity step in any vendor relationship should be a vendor risk assessment. Following are some key issues that assessment should include:
- Due diligence on the vendor’s business condition. Is the vendor financially stable? Are there any signs their condition is weakening? A company in poor financial condition may not devote sufficient resources to security issues. Has the vendor recently been acquired or made acquisitions? If so, have cybersecurity issues been adequately addressed during integration?
- Third-party cybersecurity review. Has the vendor had an independent third-party review of its cybersecurity practices? That review should include internal and external network vulnerability assessment and penetration testing. Social engineering and application testing are also strongly recommended. The vendor should be willing to share the results of past and future tests with you, including how identified findings were remediated.
- Business continuity plan. Does the vendor have an effective and up-to-date disaster recovery and business continuity plan in place? Not only can a disaster create cybersecurity issues, but if the vendor is not able to continue to provide service in the event of a disaster, you’ll be left scrambling to fill the gap.
- Right to audit. The bank should retain the contractual right to audit the vendor itself in cases where independent verification of the vendor’s security measures is critical.
- Cybersecurity documentation. Does the vendor have effective, well-documented cybersecurity policies? Those policies should address how the vendor handles sensitive and proprietary information, secures data transmissions and manages other security concerns, and they should spell out how and when the vendor will notify you of a breach.
- Vendor management. Just as your vendor relationships present cybersecurity risks, so do your vendors’ own vendor relationships. Does the vendor have documented practices in place to manage its own third-party risks? Does the vendor outsource any particularly sensitive activities, such as IT security, to other parties?
Get it in writing
Once you have completed the risk assessment, you must also ensure that your contract with the vendor clearly defines the vendor’s cybersecurity obligations. This is a rapidly evolving area, so review contracts regularly to ensure they stay up to date and address current risks. Privacy and nondisclosure is a key issue. If privacy and nondisclosure concerns are not addressed in your contract language, execute a separate privacy and nondisclosure agreement. Your contract should also require that the vendor carry adequate cybersecurity or breach insurance coverage, and you should confirm whether that coverage extends to your customers in the event of a breach.
Finally, consider the level of reporting your bank may be required to present on any given vendor relationship. Depending on the level and nature of risk involved, a Service Organization Control (SOC) report, such as a SOC 2 report covering the vendor’s security controls, may be required. Review vendor relationships with your internal and external auditors to ensure reporting obligations are met.
Remember, your cybersecurity effort is only as strong as its weakest link, and your vendors are a key part of that chain. By ensuring that vendors are properly vetted up front, that their cybersecurity practices are reviewed on a regular schedule and that their obligations are documented in the contract, your bank can more effectively control its risks.