26 November 2020
By Justin Gibbs – justin.gibbs@ka2.io
Every day, financial services organisations face the threat of disruptive, costly and potentially devastating cyberattacks. As cyberattacks continue to grow in frequency and sophistication, the financial sector is disproportionately affected. According to the IBM X-Force Threat Intelligence Index, the finance and insurance sector has been the most attacked industry for three years in a row, with financial services accounting for nearly 20% of all cyberattacks.
With vast data ecosystems, financial services organisations face the tricky challenge of protecting data not only within the confines of their own organisation, but also as it travels to third-party providers and beyond. As financial firms share information with service providers and other contractors to improve customer experience, they inherit the cybersecurity risks of those outside parties. The banking sector, by its very nature, is highly interconnected. This increases cybersecurity risk: there are more attack vectors to monitor, and every connected entity is likely connected to yet another entity, further exposing your firm. Your firm may be forced to respond to incidents that originate elsewhere and are outside your control.
A TechCrunch case study of a breach of mortgage and loan documents suggests that third parties must act as custodians of original or proprietary information. While the intentions of these vendors are benevolent, and some security measures are indeed in place, the increasing risk of cyberattacks against financial services firms means that it has never been more important to know exactly what steps these parties take to protect your information throughout the supply chain, once it leaves your hands.
Here, we look at what your organisation needs to know about third-party cybersecurity risks and the steps you can take to mitigate these real threats.
What is third-party cybersecurity risk? (And the third party's third party.)
Like all industries, banks, insurers and financial institutions must continually optimise their products and services to improve the customer experience. Often, this leads financial services firms to partner with FinTechs and other subcontractors to deliver the best for customers, to remain competitive and to reduce overall costs. However, it is in the service of these goals that firms may lose visibility and control of their data. In partnering with third parties, data is placed in the care of the vendor's staff and systems, and it is managed under the vendor's own policies and processes, not yours.
It can get even more complicated. Many third parties have third parties of their own, which add a further level of risk. This often leaves financial services organisations exposed to risk from parties that the firm did not even know were part of its supply chain.
For example, Sopra Steria Banking Software announced a partnership this year with Tink, a European open banking platform, to enhance the firm's cloud-based digital banking solutions. The partnership opened Sopra Steria up to Tink's banking solutions, including data aggregation, payment initiation and personal finance management technology. But Sopra Steria also reported a cyberattack just last month. The malware was identified as a new version of the Ryuk ransomware, one that was "previously unknown to anti-virus software providers and security agencies" according to Sopra Steria. The attack was detected "after a few days" and was confirmed to be limited to parts of the firm's IT infrastructure; but it put its customers' data at risk, affected "all geographies" and returning to business as normal will take weeks. Although more is still being discovered about the nature of the Ryuk attack on Sopra Steria, it is an all-too-real example of the risk that third-party platforms pose to financial services firms.
Keep the Pace: Navigate Third-Party Risk and Protect your Data
While there is certainly risk involved when financial services firms partner with third-party vendors, the right vendors and solutions can drive business development and improve customer experience. Third-party vendors are a common part of the financial services marketplace, and many have introduced game-changing solutions for the industry. Best-in-class vendor solutions drive not just the functionality of products and services, but also growth and profitability through improved service delivery, efficiency and reduced costs.
According to Deloitte, those organisations that hesitate to “expand their ecosystem” to third parties out of fear of risk will continue to be outpaced by competitors that, “boldly decide to seize the value of third-party relationships, confident in their ability to effectively identify and manage the accompanying risks.”
Financial services firms often report the greatest dependency on third parties. While the benefits of these third-party solutions are clear, the risks can remain murky. Given the threats (both known and unknown), managing these relationships has never been more important for financial services firms. As you implement these third-party solutions, your data, including sensitive financial information and PII, will change hands at multiple points in the process, passing into the custody of each vendor in turn as it moves through the vendor ecosystem, even though your firm remains accountable for it.
The key to securely partnering with a third party in any capacity is to appropriately assess, measure, monitor and control the associated risks. This level of review happens less often than you might think. According to PwC's Digital Trust Insights survey, only 42% of medium and large financial services institutions assess the security of their third-party outsourcers.
So, how do you properly protect your data as it travels to and from third parties? We share a few best practices to keep in mind as you develop relationships with third parties.
Often, your firm will greatly benefit from one additional partnership: a trusted relationship between your financial services organisation and a security expert, such as KA2. Seek guidance from a partner who understands your industry and how to safely navigate and manage third-party cybersecurity risk. For example, our Supply Chain Risk Assessment is an accelerated programme that provides an in-depth assessment of potential security risk across your third-party services. Working alongside you, we review existing service agreements, terms and conditions to understand what, if any, security, compliance and data processing agreements are in place.
Through our Supply Chain Risk Assessment, you’ll benefit from:
Ready to navigate your own third-party risk? Smart move. Please get in touch with us today to learn more about KA2’s Supply Chain Risk Assessment. You’re just one month out from improved vendor relationships, business performance and security.