Navigating Third-Party Cybersecurity Risk in Financial Services

26 November 2020

By Justin Gibbs

Every day, financial services organisations face the threat of potentially disruptive, costly and devastating cyberattacks. As cyberattacks continue to grow in frequency and sophistication, the financial sector is disproportionately affected. According to the IBM X-Force Threat Intelligence Index, the finance and insurance sector has been the most attacked industry for three years in a row, with financial services accounting for nearly 20% of all total cyberattacks.

With vast data ecosystems, financial services organisations face the tricky challenge of not only protecting data within the confines of their organisation, but also as it travels to third-party providers and beyond. As financial firms share information with service providers and other contractors to improve customer experience, they become vulnerable to outside cybersecurity risks. The banking sector, by its very nature, is highly interconnected. This increases cybersecurity risk as there are more vectors to monitor and every connected entity is likely connected to yet another entity, further exposing your firm. This may force your firm to respond to incidents that are outside of your control or originate from other sources.

A TechCrunch case study of a breach of mortgage and loan documents suggests that third parties must act as custodians of original or proprietary information. While the intentions of these vendors are benevolent, and some security measures are indeed in place, the increasing risk of cyberattacks against financial services firms means that it has never been more important to know exactly what steps these parties take to protect your information throughout the supply chain, once it leaves your hands.

Here, we look at what your organisation needs to know about third-party cybersecurity risks and the steps you can take to mitigate these real threats.

What is third-party cybersecurity risk? (And the third party's third party.)

Like all industries, banks, insurers and financial institutions must continually optimise their products and services to improve the customer experience. Often, this leads financial services firms to partner with FinTechs and other subcontractors to deliver the best for customers, to remain competitive and to reduce overall costs. However, it is in the service of these goals that firms may lose visibility and control of data and information. When a firm partners with third parties, its data is placed in the care of the vendors' people and systems, and is managed in line with the vendors' own policies and processes rather than the firm's.

It can get even more complicated, too. Many third parties have third parties of their own, who in turn add a further layer of risk. Often, this leaves financial services organisations even more exposed, including to risks from parties the firm was not even aware were part of its supply chain.

For example, Sopra Steria Banking Software announced a partnership this year with Tink, a European open banking platform, to enhance the firm's cloud-based digital banking solutions. The partnership opened Sopra Steria up to Tink's banking solutions, including data aggregation, payment initiation and personal finance management technology. But Sopra Steria also reported a cyberattack just last month. The malware was identified as a new version of the Ryuk ransomware, one that was "previously unknown to anti-virus software providers and security agencies" according to Sopra Steria. The attack was caught "after a few days" and was confirmed to be limited to parts of the firm's IT infrastructure; but it put its customers' data at risk, affected "all geographies" and will take weeks to return to business as normal. Although more is still being discovered about the nature of the Ryuk attack on Sopra Steria, it is an all-too-real example of the risk that third-party platforms pose to financial services firms.

Keep the Pace: Navigate Third-Party Risk and Protect your Data

While there is certainly risk involved when financial services firms partner with third-party vendors, the right vendors and solutions can drive business development and improve customer experience. Third-party vendors are a common part of the financial services marketplace; many have introduced game-changing solutions for the industry. Best-in-class vendor solutions drive not just the functionality of products and services, but also growth and profitability through improved service delivery, efficiency and reduced costs.

According to Deloitte, those organisations that hesitate to “expand their ecosystem” to third parties out of fear of risk will continue to be outpaced by competitors that, “boldly decide to seize the value of third-party relationships, confident in their ability to effectively identify and manage the accompanying risks.”

Financial services firms often report the greatest dependency on third parties. While the benefits of these third-party solutions are clear, the risks can remain murky. Given the threats (both known and unknown), managing these relationships has never been more important for financial services firms. As you implement these third-party solutions, your data, including sensitive financial information or PII, will change ownership at multiple points in the process as it moves through the vendor ecosystem.

The key to securely partnering with a third party in any capacity is to appropriately assess, measure, monitor and control the associated risks. This level of review is done less often than you might think. According to PwC's Digital Trust Insights survey, only 42% of medium and large financial services institutions assess the security of third-party outsourcers.

So, how do you properly protect your data as it travels to and from third parties? We share a few best practices to keep in mind as you develop relationships with third parties.

  • Track and Tier your Vendors: As you assess the risk associated with a third-party solution, classifying these relationships by potential risk can provide a critical view and inform an effective cybersecurity strategy to prevent an attack, and to recover from one. This should happen early in the process: vendor tiering classifies your vendors into categories according to the potential risk they pose at the time of onboarding. Robust vendor tiering then lets you manage vendor risk by setting an assessment frequency and review cycle appropriate to each tier.
  • Portfolio Management: As you bring third-party tools into your firm, strive to replace legacy manual processes with “single pane of glass” solutions for tracking these products and services. Transition from spreadsheets and manual tracking to a single database of vendors, the products and services that each fulfils and the contact information for each provider. Implementing a more automated, self-service portal enables more effective, timely and secure communication between you and the third party.
  • Assess Risk Early with an Online Questionnaire: Early in the relationship, consider using a standard questionnaire to assess the specific risk of a potential vendor. These questionnaires can be completed by the vendor using an available online assessment. This can produce better survey responses and higher quality information for a more informed decision around third-party solutions.
  • Vendor Portal: Provide all third-party vendors with a self-service portal. This will consolidate communication and streamline collaboration with key vendors and stakeholders. It will also improve overall efficiency at your organisation, give you better visibility into the current status of assessments and issues, and provide you with a clear record of your communications and actions.
  • Issues and Remediation: As with portfolio management, seek opportunities to automate issue generation between you and the vendor. Design and test remediation plans and share this information with vendors for faster response and closure. You can also use built-in chat functionality to respond to and resolve vendor questions in real time.

Often, your firm will greatly benefit from one additional partnership: a trusted relationship between your financial services organisation and a security expert, such as KA2. Seek guidance from a partner who understands your industry and how to safely navigate and manage third-party cybersecurity risk. For example, our Supply Chain Risk Assessment offers an accelerated programme that provides an in-depth assessment of potential security risk across third-party services. In tandem with you, we'll review existing service agreements and terms and conditions to understand what security, compliance and data processing agreements, if any, are in place.

Through our Supply Chain Risk Assessment, you’ll benefit from:

  • A critical view: You’ll gain greater visibility into the status of assessments, issues and tasks across the entire vendor ecosystem.
  • Improved decision making: Quickly identify emerging risks using assessments and continuous monitoring with security ratings.
  • Enhanced performance: Experience improved collaboration with third parties via secure and automated processes. This adds consistency across the full vendor ecosystem, and helps you manage risk across your extended enterprise.
  • Stakeholder updates: As part of the Supply Chain Risk Assessment, we’ll aggregate vendor risk scores and integrate this information within a GRC portfolio to present a holistic view of risk to your organisation. This is powerful data to be shared with your technology and leadership team and other key stakeholders for organisational buy-in around critical security investment.

Ready to navigate your own third-party risk? Smart move. Please get in touch with us today to learn more about KA2’s Supply Chain Risk Assessment. You’re just one month out from improved vendor relationships, business performance and security.